Register LEI

NIS2 and LEI

Table of Contents

Recent Posts
Get your LEI
Complete our application process in just a few minutes.
Click Here
Ready with 15 min

What Is NIS and Why NIS2 Matters

The Network and Information Security Directive (NIS) was the EU’s first cybersecurity law, adopted in 2016. It required Member States to create competent authorities, set up national CSIRTs, and apply minimum risk management standards.

Experience showed that NIS1 was too narrow. Many sectors were not covered, and obligations differed widely.

That is why the EU adopted the NIS2 Directive (Directive (EU) 2022/2555) on 14 December 2022. It was published in the Official Journal on 27 December 2022 and entered into force on 16 January 2023. All Member States had to transpose it into national law by 17 October 2024, replacing NIS1. You can read the official directive text on EUR-Lex.

Who Must Comply with NIS2

NIS2 applies to two categories of entities:

  • Essential entities – energy, transport, healthcare, digital infrastructure, public administration.
  • Important entities – legal services, postal and courier services, food supply, digital platforms.

In practice, most companies in the sectors covered by NIS2 with more than 50 employees or over €10 million turnover fall under the scope. This brings thousands of mid-sized companies in Europe within the directive. See more in who needs an LEI code.

Core Obligations Under NIS2

The directive sets strict obligations:

  • Risk management – implement security measures proportionate to threats.
  • Incident reporting – notify significant incidents within 24 hours and submit a full report within 72 hours.
  • Supply chain security – assess the cybersecurity of suppliers and service providers.
  • Board accountability – executives are responsible for compliance.
  • Sanctions – fines can be similar in scale to GDPR penalties.

For a structured overview, see ENISA’s summary of NIS2.

Why Many Countries Are Still Late

NIS2 is an EU directive. That means it sets objectives, but each Member State must transpose them into its own laws. The deadline was 17 October 2024, but many countries missed it.

On 28 November 2024, the European Commission sent letters of formal notice to 23 Member States for failing to transpose the NIS2 Directive by the deadline set out in the law. On 7 May 2025, the Commission issued reasoned opinions to 19 Member States – including Estonia, Latvia, Poland, Finland, Spain and others – who still had not fully transposed NIS2. This is the final stage before potential legal action in the Court of Justice of the European Union. See the Commission press release: “Commission calls on 19 Member States to fully transpose the NIS2 Directive”

This means Member States are under strong pressure. Transposition is happening now at full speed. For businesses the message is clear: NIS2 rules will soon apply in every EU country, whether your national law is updated already or not.The

Role of the LEI Code

The Legal Entity Identifier (LEI) is a 20-character alphanumeric code that uniquely identifies legal entities worldwide. It was created after the 2008 financial crisis to improve transparency in global markets and is now widely used by regulators, banks, and corporations. Learn more at the Global Legal Entity Identifier Foundation (GLEIF).

In the NIS2 context, the LEI is a practical tool:

  • Clear identity – reports and communications across borders are consistent.
  • Supply chain transparency – the LEI shows both “who is who” and “who owns whom.”
  • Audit trail – a standard identifier reduces errors and improves reporting.

See also what is an LEI for a full explanation.

Steps for Companies Now

  1. Check your status – are you classified as an essential or important entity?
  2. Apply for an LEI code – if you don’t have one yet, register now. You can apply for an LEI directly with LEI System.
  3. Integrate LEI into governance – include it in contracts, supply chain audits, and incident reports.
  4. Educate your board – leadership is accountable under NIS2.
  5. Prepare reporting workflows – ensure you can meet the 24h/72h deadlines.

For cost details, visit our LEI pricing page.

The Bigger Picture

NIS2 is not optional. It is already EU law. Even though some national laws are not yet complete, enforcement is coming everywhere.

And the impact goes beyond the EU. Companies in countries like Norway or Mexico that serve EU clients will also feel the pressure to meet these standards.

The LEI code is a simple but powerful way to build trust and transparency in this new era of digital regulation.

Country-by-Country Overview

LEI System provides LEI registration services in more than 170 jurisdictions worldwide, making us one of the most globally connected registration agents. Below we highlight a selection of markets where we already operate dedicated local websites. This list is not exhaustive – new country domains are continuously added as our international presence expands. The following examples show how NIS2 implementation is developing in these countries, what it means for companies, and how the LEI code supports compliance.

🇪🇪 Estonia

Status. On 7 May 2025, the European Commission issued a reasoned opinion to Estonia because full transposition of NIS2 had not been notified. Estonia already has the Cybersecurity Act (2018, amended 2022), which is now being updated in line with NIS2. The Ministry of Economic Affairs and Communications is responsible. See also the EU Digital Strategy page on NIS2.
What this means. Implementing acts will specify requirements for risk controls, board accountability, supply chain assessment, and incident reporting. Companies should prepare their processes now.
Role of the LEI. Among other things, the LEI is necessary for clear identification in incident reports and supply chain audits. It speeds up cross-border cooperation, avoids confusion over company names, and supports audit trails.
It is very easy to apply for an LEI on the Estonian LEI System website. See also a detailed overview of our affordable LEI pricing.

🇱🇻 Latvia

Status. Latvia adopted a new Cybersecurity Law, which entered into force on 1 September 2024. Companies were required to register their status by 1 April 2025 and submit the first self-assessment by 1 October 2025. The competent authority is CERT.LV.
What this means. Latvian companies must appoint a responsible officer, conduct risk assessments, and comply with reporting obligations under the new law.
Role of the LEI. Among other things, the LEI helps clearly identify cross-border partners and improves transparency in the Baltic market.
It is very easy to apply for an LEI on the Latvian LEI System website. See also a detailed overview of our affordable LEI pricing.

🇱🇹 Lithuania

Status. Lithuania amended its Cybersecurity Law on 11 July 2024, with provisions entering into force on 18 October 2024. Implementing regulations followed on 11 November 2024. The competent authority is the National Cyber Security Centre (NCSC).
What this means. Lithuanian companies must comply with new obligations on risk management, supply chain controls, and incident reporting.
Role of the LEI. Among other things, the LEI is important for supplier mapping and audits, ensuring consistent identification across borders.
It is very easy to apply for an LEI on the Lithuanian LEI System website. See also a detailed overview of our affordable LEI pricing.

🇵🇱 Poland

Status. Poland missed the October 2024 deadline. On 7 May 2025, the Commission issued a reasoned opinion. A draft law is under preparation and expected in 2026. The competent authority will be the Ministry of Digital Affairs.
What this means. Polish companies will soon need to demonstrate compliance through registration, risk management, and supply chain checks.
Role of the LEI. Among other things, the LEI helps standardise supplier checks and simplifies reporting in EU systems.
It is very easy to apply for an LEI on the Polish LEI System website. See also a detailed overview of our affordable LEI pricing.

🇩🇰 Denmark

Status. Denmark received a reasoned opinion on 7 May 2025 for failing to notify full transposition. Draft sectoral laws have been published. The Danish Business Authority is responsible.
What this means. Companies should already be setting up systems for risk management, incident reporting, and board accountability, as these requirements will soon become mandatory.
Role of the LEI. Among other things, the LEI enhances supply chain transparency and facilitates compliance with EU partner requirements.
It is very easy to apply for an LEI on the Danish LEI System website. See also a detailed overview of our affordable LEI pricing.

🇸🇮 Slovenia

Status. Slovenia received a reasoned opinion on 7 May 2025. Adjustments will be included in the Information Security Act. The competent authority is the Information Security Administration.
What this means. Detailed procedures for incident notifications and risk management are being prepared.
Role of the LEI. Among other things, the LEI brings clarity in reports and partner assessments.
It is very easy to apply for an LEI on the Slovenian LEI System website. See also a detailed overview of our affordable LEI pricing.

🇮🇹 Italy

Status. Italy has completed transposition of NIS2. The competent authority is ACN (National Cybersecurity Agency).
What this means. Italian companies must follow clearly defined requirements on risk management, board responsibility, and incident reporting.
Role of the LEI. Among other things, the LEI helps unify reporting across international organisations and reduces errors in cross-border exchanges.
It is very easy to apply for an LEI on the Italian LEI System website. See also a detailed overview of our affordable LEI pricing.

🇪🇸 Spain

Status. Spain received a reasoned opinion on 7 May 2025. Transposition is ongoing. The Ministry of Economic Affairs and Digital Transformation is in charge.
What this means. Spanish companies must prepare for updated reporting procedures and stricter supply chain assessments.
Role of the LEI. Among other things, the LEI simplifies identification of cross-border suppliers and improves reporting accuracy.
It is very easy to apply for an LEI on the Spanish LEI System website. See also a detailed overview of our affordable LEI pricing.

🇫🇮 Finland

Status. Finland received a reasoned opinion on 7 May 2025. Technical regulations are in preparation. The National Cyber Security Centre is responsible.
What this means. Companies must prepare for 24h and 72h reporting deadlines as well as supply chain security checks.
Role of the LEI. Among other things, the LEI supports supplier due diligence and ensures consistent identification in reports.
It is very easy to apply for an LEI on the Finnish LEI System website. See also a detailed overview of our affordable LEI pricing.

🇸🇪 Sweden

Status. Sweden received a reasoned opinion on 7 May 2025. A new cybersecurity law is under preparation. The Swedish Civil Contingencies Agency (MSB) will be the competent authority.
What this means. Companies should expect rapid enforcement once the law is adopted and begin adapting processes now.
Role of the LEI. Among other things, the LEI reduces errors in supplier identification and strengthens audit trails.
It is very easy to apply for an LEI on the Swedish LEI System website. See also a detailed overview of our affordable LEI pricing.

🇨🇿 Czechia

Status. Czechia received a reasoned opinion on 7 May 2025. The competent authority is NÚKIB (National Cyber and Information Security Agency).
What this means. Lists of essential and important entities and incident reporting procedures are being finalised.
Role of the LEI. Among other things, the LEI helps avoid confusion with company names and supports cooperation across borders.
It is very easy to apply for an LEI on the Czech LEI System website. See also a detailed overview of our affordable LEI pricing.

🇧🇪 Belgium

Status. Belgium has completed transposition of NIS2. The competent authority is the Centre for Cybersecurity Belgium (CCB).
What this means. Belgian companies must follow the supervisory framework and comply with incident reporting obligations.
Role of the LEI. Among other things, the LEI speeds up audits and ensures precision in reporting.
It is very easy to apply for an LEI on the Belgian LEI System website. See also a detailed overview of our affordable LEI pricing.

🇳🇱 Netherlands

Status. The Netherlands received a reasoned opinion on 7 May 2025. The National Cyber Security Centre (NCSC) is the competent authority.
What this means. Dutch companies will soon need to meet detailed supervisory and compliance obligations.
Role of the LEI. Among other things, the LEI streamlines KYC/KYB processes in international supply chains.
It is very easy to apply for an LEI on the Dutch LEI System website. See also a detailed overview of our affordable LEI pricing.

🇵🇹 Portugal

Status. Portugal received a reasoned opinion on 7 May 2025. Transposition is still incomplete. The competent authority is the National Cybersecurity Centre (CNCS).
What this means. Portuguese companies should prepare for sector-specific requirements and stricter incident reporting.
Role of the LEI. Among other things, the LEI can be used in contracts and supplier audits to strengthen accountability.
It is very easy to apply for an LEI on the Portuguese LEI System website. See also a detailed overview of our affordable LEI pricing.

🇫🇷 France

Status. France received a reasoned opinion on 7 May 2025. Transposition is partly incomplete. The competent authority is ANSSI (National Cybersecurity Agency).
What this means. French companies are awaiting sector-specific implementing acts that will define compliance steps.
Role of the LEI. Among other things, the LEI supports reliability in cross-border contracts and regulatory reporting.
It is very easy to apply for an LEI on the French LEI System website. See also a detailed overview of our affordable LEI pricing.

🇳🇴 Norway (outside the EU)

Status. Norway is not an EU member but often adopts EU rules via the EEA. NIS1 is already in place, and preparations for alignment with NIS2 are underway. The National Security Authority (NSM) is responsible.
What this means. Norwegian companies working with EU partners should proactively align with NIS2 standards to remain compliant and competitive.
Role of the LEI. Among other things, the LEI reduces costs in KYC/KYB processes and facilitates cooperation with EU partners.
It is very easy to apply for an LEI on the Norwegian LEI System website. See also a detailed overview of our affordable LEI pricing.

🇲🇽 Mexico (outside the EU)

Status. Mexico currently has no single national cybersecurity law. In 2025, discussions are ongoing on creating a cybersecurity framework. The Federal Data Protection Law was recently updated.
What this means. Companies linked to EU partners should voluntarily align with EU standards to maintain trust in cross-border supply chains.
Role of the LEI. Among other things, the LEI strengthens trust in international operations, especially in finance and logistics.
It is very easy to apply for an LEI on the Mexican LEI System website. See also a detailed overview of our affordable LEI pricing.