🔴 Today's Top Story — NIS2 supervision goes live across the EU
By the start of May 2026, 22 of 27 EU Member States have transposed NIS2 into national law. Active enforcement is most advanced in Germany, whose NIS2UmsuCG entered into force on 6 December 2025, with the BSI registration deadline of 6 March 2026 now lapsed for an estimated 29,500 in-scope entities. France and the Netherlands are among the five Member States still completing transposition. Maximum administrative fines run to €10,000,000 or 2% of global turnover for essential entities, and €7,000,000 or 1.4% for important entities — whichever is higher.
One line of action: If any EU subsidiary is unregistered with its national NIS2 competent authority, complete registration this week and refresh management-body cybersecurity training (Article 20 personal accountability).
Also today
CIRCIA final rule still tracking May 2026 — 72-hour incident / 24-hour ransom clock for ~300,000 entities. CISA continues to target this month for publication of the final Cyber Incident Reporting for Critical Infrastructure Act rule, covering approximately 300,000 covered entities across 16 critical-infrastructure sectors. The town-hall series scheduled for 9 March – 2 April was cancelled during the spring appropriations lapse, which CISA has flagged as a risk of further slippage. Action: Build a 72-hour incident-report workflow and a 24-hour ransom-payment notification path with Legal and Finance now — the statute requires additional time-to-comply after publication, but the runway is short. CISA — CIRCIA topic page
FTC bans Kochava from selling sensitive location data without express consent — 4 May 2026 settlement. The Federal Trade Commission settled its August 2022 case against data broker Kochava, Inc. and subsidiary Collective Data Solutions, banning the sale of sensitive location data without affirmative express consent. The order requires a supplier-assessment program, incident reports to the FTC when third parties share precise location data in violation of contract, an opt-out / consent-withdrawal mechanism, and a data-retention-and-deletion schedule. Action: Any data pipeline that touches precise location data — ad-tech, retail analytics, fleet, navigation — should map upstream suppliers against the new compliance template this week. FTC press release (4 May 2026)
EU Tech Sovereignty Package expected 27 May — possible curbs on US hyperscalers for sensitive public-sector data. CNBC reported on 7 May that the European Commission's Tech Sovereignty Package — expected to include the Cloud and AI Development Act (CADA) and Chips Act 2.0 — may restrict EU member-state government use of AWS, Microsoft Azure, and Google Cloud for sensitive data in finance, justice, and healthcare. Restrictions are reportedly tiered by data sensitivity, public sector only. Text is not yet public. Action: EU public-sector account teams should map sensitive-data workloads against probable sovereignty tiers and pre-position residency or sovereign-cloud options. CNBC reporting (7 May 2026)
⏰ Deadline Alert — Netherlands Cbw Senate input closes 19 May 2026 (T-8 days)
The Dutch Cyberbeveiligingswet (Cbw) — the Netherlands' NIS2 transposition — cleared the Tweede Kamer on 15 April 2026 alongside the Wet weerbaarheid kritieke entiteiten (Wwke, the CER Directive transposition). The Eerste Kamer's Digitalisation (DIGI) and Justice & Security (J&V) committees have set 19 May 2026 as the deadline for input on the preliminary report. Entry into force is targeted for Q2/Q3 2026. If you operate Dutch in-scope entities, pre-stage NCSC registration documentation. Eerste Kamer — Cyberbeveiligingswet 36.764 dossier
✅ One Thing to Do Today
Confirm every EU subsidiary is registered with its national NIS2 competent authority — and pull the registration evidence into a single tracker. Germany's BSI deadline has already lapsed; Belgium, Italy, Croatia, and Lithuania are in active supervision; and the Dutch Cbw is days from Senate review. If you cannot show the registration record on demand, you are exposed to administrative sanction.
Tomorrow's Focus
Tuesday — Privacy. Personal-data protection, state privacy laws, cross-border transfer rules.
CyberEyeQ — Actionable Regulatory Intelligence for compliance, security, and legal teams.