NIS2 compliance latest news: June 2026 update

The EU infringement machine moved from warnings to court referrals in July 2026. Ireland, Spain, France, and the Netherlands now face financial sanctions for missing the October 2024 NIS2 transposition deadline — daily penalties accruing until each country notifies complete transposition to the Commission.

At the same time, enforcement infrastructure is filling in. Germany's BSI is actively auditing registered entities. The Netherlands passed its national law one day before the referral landed. The NIS Cooperation Group published the most detailed Article 21 mapping document to date. And the Commission tied NIS2 explicitly to AI-assisted threat detection for the first time.

This article covers every material NIS2 development: what changed, which deadlines are live, and what your team needs to act on now. For the previous month's developments, see NIS2 latest news: May 2026.


Key takeaways

  • Court referrals filed against four member states. On July 8, 2026, the European Commission referred Ireland, Spain, France, and the Netherlands to the Court of Justice of the EU for failing to fully transpose NIS2. Financial sanctions are requested for each country.
  • Netherlands' Cyberbeveiligingswet enters force August 15, 2026. The Dutch Senate approved the law on July 7. More than 8,000 organizations must register with the NCSC, implement risk-based security measures, and ensure board-level oversight by that date.
  • Germany's BSI is now auditing, not just registering. The active supervision phase began March 6, 2026. The BSI can request evidence of security measures without waiting for an incident. A secondary registration deadline of July 31 applies to the significant share of the 29,000 in-scope entities that missed March.
  • The NIS Cooperation Group published its Article 21 mapping document. Released in June 2026, it maps NIS2 obligations and Implementing Regulation 2024/2690 to ISO 27001, NIST CSF 2.0, IEC 62443, and national frameworks — the most concrete EU-level compliance guidance published to date.
  • Ireland's NCSC published board-level cyber governance guidance. Released July 7, 2026, the document targets CEOs, CIOs, and CISOs in NIS2-regulated organizations and is built around the NIST-based CyFun framework.
  • ENISA elevated the space sector to high criticality. The NIS360 2026 report places space alongside banking, electricity, and aviation. Seven sectors remain in the risk zone, where maturity falls below criticality demands.
  • The EU Action Plan on Cybersecurity and AI was published July 7, 2026. It is the first EU-level document to formally link NIS2 compliance with AI-assisted threat detection as an expected operational practice.
  • The UK's Cyber Security and Resilience Bill passed the Commons on June 16. It entered the Lords on June 17 and is scheduled for a second reading on July 14. Managed service providers and data centre operators come into scope for the first time.

EU Commission takes Ireland, Spain, France, and the Netherlands to court over NIS2 delays

EU Commission takes Ireland, Spain, France, and the Netherlands to court over NIS2 delays

On July 8, 2026, the European Commission referred Ireland, Spain, France, and the Netherlands to the Court of Justice of the EU for failing to notify full transposition of the NIS2 Directive. The referrals include a request for financial sanctions: a lump sum plus daily penalties accruing until each country notifies complete transposition.

The transposition deadline was October 17, 2024. The Commission sent formal notices to non-compliant member states in November 2024 and reasoned opinions in May 2025. Court referral is the third and final stage of the EU infringement procedure.

The timing is notable for the Netherlands. The Dutch Senate approved the Cyberbeveiligingswet on July 7 — one day before the referral was filed (more on this below). The law enters into force on August 15, 2026, but formal notification of transposition to the Commission had not yet been submitted at the time of the referral. Daily penalties will stop accruing once notification is complete.

For Spain, France, and Ireland, no equivalent national law has passed. Spain's transposition is expected in late 2026. France and Ireland have not announced firm timelines.

The infringement cases carry individual case numbers:

The referrals reinforce a point compliance teams in these countries should already know: the NIS2 Directive's requirements are binding regardless of national transposition status. Court proceedings do not suspend the underlying obligations — they add financial pressure on governments to close the gap faster.

Source: European Commision, 2026


Netherlands: Cyberbeveiligingswet approved, enters force August 15

Netherlands — Cyberbeveiligingswet approved, enters force August 15

On July 7, 2026, the Dutch Senate approved both the Cyberbeveiligingswet (the Dutch transposition of NIS2) and the Critical Entities Resilience Act (Wwke), which implements the EU's Critical Entities Resilience (CER) Directive. Both laws enter into force on August 15, 2026.

More than 8,000 organizations fall in scope: ministries, municipalities, water authorities, provinces, independent administrative bodies, and inter-municipal partnerships. From August 15, they must:

  1. Register with the National Cyber Security Centre (NCSC) via the Entities Register.
  2. Implement appropriate technical, operational, and organizational measures based on a risk assessment — including supply chain dependencies.
  3. Report major cybersecurity incidents to the relevant CSIRT and competent supervisory authority within statutory deadlines.
  4. Ensure board-level oversight: governing body members must have sufficient cybersecurity knowledge and complete appropriate training.

Enforcement sits with designated supervisory authorities, including the Dutch Authority for Digital Infrastructure. The Cyberbeveiligingswet introduces director liability: supervisors can issue binding instructions, conduct inspections, and suspend directors where necessary.

For public sector organizations, compliance with the Baseline Information Security Government (BIO) 2 standard counts toward meeting the Cbw's security requirements.

The August 15 entry-into-force date is a hard deadline. Registration with the NCSC should begin before that date — the NCSC itself recommends preparing in advance to avoid bottlenecks in the registration process.

Source: NL Digital Government, 2026


EU-wide: New security measures reference document released

EU-wide: New security measures reference document released

Published on June, 2026, the NIS Cooperation Group's reference document on security measures gives organizations the most concrete EU-level guidance on NIS2 Article 21 compliance to date. The document establishes a common European framework for cybersecurity objectives and includes a mapping table that links NIS2 obligations and the European Implementing Regulation 2024/2690 to:

  • ISO/IEC 27001
  • IEC 62443
  • NIST Cybersecurity Framework 2.0
  • national cybersecurity frameworks
  • the CyberFundamentals Framework, CyFun®

The document is non-binding. It does not replace national NIS2 legislation or sector-specific guidelines. But for compliance teams already working against ISO 27001 or NIST CSF 2.0, it answers a question that has been open since the directive passed: how exactly do my existing controls map to NIS2 requirements?

The mapping is particularly useful for organizations operating across multiple member states. Rather than maintaining separate gap analyses per jurisdiction, teams can use the reference document as a shared baseline and then layer national deviations on top.

Access control, authentication, and privileged access management appear explicitly in the mapped objectives — areas where the reference document's guidance aligns directly with NIS2 Article 21(2)(j) on the use of multi-factor authentication and secure communication systems.

Where to find the documents
The reference document on security measures for NIS2 entities and the accompanying mapping table (Annex) are published on the official NIS Cooperation Group page of the European Commission's Digital Strategy website.

Sources: Center for Cybersecurity Belgium, 2026; European Commission, 2026


Ireland: NCSC publishes board-level cyber governance guidance for NIS2 entities

Ireland: NCSC publishes board-level cyber governance guidance for NIS2 entities

On July 7, 2026, Ireland's National Cyber Security Centre published guidance on cyber governance for management board members in NIS2-regulated organizations. The document targets CEOs, Managing Directors, CIOs, and CISOs — the executives who bear personal accountability for cybersecurity risk management under NIS2.

The guidance centers on the Cyber Fundamentals Framework (CyFun), Ireland's preferred national framework for NIS2 compliance. CyFun is built on the NIST Cybersecurity Framework and gives boards a structured, risk-based approach to meeting their legal obligations without requiring deep technical expertise.

The document covers three practical areas: understanding what questions boards should be asking about cyber risk, identifying and managing supply chain risks, and building an organizational culture where cybersecurity is treated as a governance issue, not an IT department problem.

The timing is deliberate. Ireland is currently subject to EU infringement proceedings for failing to fully transpose NIS2 into national law — the Commission referred the country to the Court of Justice on July 8, 2026. Publishing board-level guidance ahead of formal transposition signals that the NCSC is moving organizations toward compliance regardless of where the legislative process stands.

Guidance on Cyber Governance for Management Board Members in NIS2 Entities is available directly from the NCSC: download PDF

Source: The Irish Government's official portal, 2026


ENISA NIS360 2026: Space sector elevated to high criticality

ENISA NIS360 2026: Space sector elevated to high criticality

The ENISA NIS360 2026 report is the third annual assessment of cybersecurity maturity and criticality across all Annex I sectors under the NIS2 Directive. The headline finding: the space sector has joined banking, electricity, aviation, and digital-by-default services in the highest criticality band.

The elevation reflects space infrastructure's growing role as a dependency layer for other sectors: navigation, communications, financial settlement, and military logistics all run on satellite systems. Higher dependency means higher impact from disruption, and higher time criticality in recovery.

Seven sectors fall into the NIS360 2026 risk zone, where cybersecurity maturity falls below the level their criticality demands:

  1. Health
  2. Railway
  3. Maritime
  4. ICT service management
  5. Space
  6. Public administration
  7. Drinking and waste water

Three sectors reached the high maturity band: trust services, aviation, and financial market infrastructures. The gas sector has begun moving out of the risk zone, driven by improved information sharing and stronger implementation of risk management measures.

The risk zone composition matters operationally. Supervisory authorities use NIS360 data to prioritize audit calendars. If your organization operates in health, railway, or public administration, expect increased supervisory attention in the second half of 2026.

ENISA NIS Investments 2025 study found that 70% of surveyed organizations cited NIS2, DORA, and CRA compliance as the main driver of cybersecurity spending — a figure that will likely climb as supervisors shift from registration to active review.

Source: ENISA, 2026


Germany: BSI enters active supervision phase

Germany: BSI enters active supervision phase

Germany's BSI entered the active supervision phase on March 6, 2026 — the date the registration deadline under the NIS2-Umsetzungsgesetz (NIS2UmsuCG) expired. The law was enacted on December 6, 2025. By June 2026, it had been in force for six months.

SecurityToday.de's June 16 analysis of the supervisory shift noted that the question has changed: no longer whether an entity is registered, but whether its reported measures hold up under scrutiny.

The BSI registration portal opened January 6, 2026. A significant share of the approximately 29,000 in-scope entities missed the March deadline. The BSI set a secondary registration deadline of July 31, 2026. Late registration remains possible but creates no safe harbor — the compliance obligations have applied since December 2025, regardless of registration status.

What active supervision means in practice:

  • The BSI can proactively request evidence of security measures — without waiting for an incident.
  • On-site and remote audits are now within scope.
  • Fines for essential entities reach up to €10 million or 2% of global annual turnover, whichever is higher.
  • Management body members face personal liability, including potential temporary bans from exercising management functions.

Germany's implementation goes beyond the EU minimum on executive accountability. The NIS2UmsuCG explicitly requires management bodies to approve cybersecurity measures, supervise their implementation, and demonstrate personal competence. Supervisors can hold individual executives personally responsible for systemic failures.

There is a practical upside to Germany's stricter standard. Organizations that meet the NIS2UmsuCG requirements satisfy the EU minimum with margin. For companies operating across multiple member states, a security posture that passes BSI scrutiny will generally hold up with neighboring supervisory authorities as well.

For late registrants, the priority order is clear: register first, then establish documented evidence of measures. If a reportable incident occurs before measures are demonstrably in place, a missed or delayed registration is an aggravating factor.

Source: SecurityToday.de, 2026


EU Action Plan on Cybersecurity and AI published

EU Action Plan on Cybersecurity and AI published

On July 7, 2026, the European Commission published the EU Action Plan on Cybersecurity and Artificial Intelligence. The document sets out a coordinated EU approach to AI-driven cybersecurity across member states, public authorities, and businesses.

The plan is built around three objectives: promoting safe and responsible use of advanced AI, reinforcing EU cybersecurity and resilience, and scaling up Europe's AI capabilities for cybersecurity purposes.

On the NIS2 side, the Action Plan explicitly names the NIS2 Directive as part of the existing legal framework it builds on, and encourages organizations subject to NIS2 to use AI (including open-source models) to detect and address vulnerabilities faster. This is the first EU-level document to formally link NIS2 compliance with AI-assisted threat detection as an expected operational practice.

Concrete measures include:

  • A European Blueprint for secure access to advanced AI systems for cybersecurity purposes, to be developed with ENISA.
  • A secure testing platform for organizations in critical sectors (energy, transport, health, finance, and public administration) to safely test and deploy AI solutions.
  • An EU Grand Challenge on AI for cybersecurity, bringing together industry, researchers, and open-source communities.

The Action Plan sits alongside the AI Act, the Cyber Resilience Act, DORA, and the Cyber Solidarity Act. It does not create new binding obligations on its own, but it signals where the Commission expects enforcement emphasis and investment to go over the next legislative cycle.

The full Action Plan is available for download from the European Commission

Source: European Commision, 2026


UK: Cyber Security and Resilience Bill passes Commons, enters Lords

UK: Cyber Security and Resilience Bill passes Commons, enters Lords

On June 16, 2026, the Cyber Security and Resilience (Network and Information Systems) Bill completed its third reading and report stage in the House of Commons. It received its first reading in the Lords on June 17 and is scheduled for a Lords second reading on July 14, 2026.

The Bill was introduced to Parliament on November 12, 2025, and updates the existing Network and Information Systems Regulations 2018 (NIS1). It does not transpose NIS2 (the UK is no longer bound by EU law) but it moves UK requirements significantly closer to the NIS2 standard in scope and enforcement.

What the Bill adds:

  • Managed service providers come into scope for the first time. Relevant Managed Service Providers (RMSPs) must register with the ICO, implement risk management measures, and nominate a UK representative if not established in the UK.
  • Data centre operators are also brought into scope.
  • Incident reporting timelines tighten: 24-hour initial report, 72-hour full notification — matching NIS2's Article 23 structure.
  • Critical supplier designation: The ICO gains power to designate suppliers whose compromise would affect essential services or RMSPs.
  • Penalties increase to up to £17 million or 4% of global annual turnover for serious breaches; up to £10 million or 2% for less serious ones.

The incident definition is also broadened: the Bill covers incidents "capable of having an adverse effect" on regulated services, not just those with a demonstrated actual effect. This is a meaningful change for organizations currently calibrating their reporting thresholds.

63 amendments have been proposed during the Bill's passage. Two amendments tabled in June, including one to add the food supply chain as a regulated essential service, received no decision at report stage.

The government expects to consult in 2026 on secondary legislation covering specific risk management measures and notification requirements. Some provisions will take effect from the first day or second month after Royal Assent; others will follow via secondary legislation.

Sources: UK Parliament, 2026; Parallel Parliament, 2026


Recap

The period from June to early July 2026 marks the point where NIS2 enforcement moved from political pressure to active legal and supervisory action. Court referrals are filed. National laws are entering force. Supervisory authorities are requesting evidence of security measures, not just registration confirmations.

For organizations in Ireland, Spain, France, and the Netherlands, the infringement proceedings change nothing about the underlying obligations. NIS2 requirements have been binding since October 2024 regardless of national transposition status. The proceedings add financial consequences for governments — they do not create a grace period for regulated entities.

For organizations in Germany and the Netherlands, the compliance calendar is now set. The BSI is auditing. The Cyberbeveiligingswet enters force August 15. The Article 21 mapping document published by the NIS Cooperation Group in June 2026 is the most actionable output from this period: if your team is already working against ISO 27001 or NIST CSF 2.0, it provides a direct path to closing your NIS2 gap analysis before a supervisory authority does it on your behalf.

Credential management under NIS2 Article 21
The NIS Cooperation Group's June 2026 mapping document links NIS2 Article 21 directly to access control, authentication, and privileged access management — areas supervisory authorities will audit against. Passwork is an enterprise password and secrets manager built for EU compliance requirements. Explore how Passwork maps to NIS2
NIS2 access controls for supply chain security
48% of breaches now involve third parties. NIS2 Article 21 makes supplier access governance a legal obligation. Here’s how to map vendor access, enforce MFA and least privilege, and keep the audit evidence that proves your controls work.
Shadow IT vs Shadow AI: Why AI is the bigger threat
Employees are using AI tools you didn’t approve, on accounts you can’t monitor, with data you can’t recover. Here’s what the risk actually looks like and what governance needs to address.
Employee offboarding: Secure access revocation guide 2026
Disabling an SSO account doesn’t revoke access. API keys, AI agent credentials, and shared passwords survive it. This guide covers the full offboarding playbook — from zero-hour triggers to NHI cleanup.