Article 45: Entry into force

Article 45 (Entry into force) means NIS 2 became legally effective 20 days after publication in the Official Journal of the European Union. Your job is to anchor your compliance program to the correct legal start date and to the national transposition laws that follow. Operationalize it by documenting dates, jurisdictional applicability, and a tracked implementation roadmap tied to local obligations. (Directive (EU) 2022/2555, Article 45)

Key takeaways:

  • Record the NIS 2 entry-into-force date as a governance reference point, then map to each Member State’s transposition and your in-scope operations.
  • Build and maintain an obligation register with owners, milestones, and evidence expectations so your program is audit-ready.
  • Use the entry-into-force anchor to drive “when did we decide, plan, implement, and test” defensibility for incident handling and third-party risk.

For a CCO or GRC lead, “entry into force” reads like legal boilerplate, but it has real operational consequences. Article 45 is the directive’s timestamp: it establishes when NIS 2 started existing as EU law, which is the baseline for tracking downstream deadlines, national implementation, and supervisory expectations. (Directive (EU) 2022/2555, Article 45)

Your auditors and regulators rarely ask you to recite Article 45. They do ask questions that depend on it: When did you determine applicability? When did the board get briefed? When did you stand up incident reporting workflows? When did you bring critical third-party dependencies into scope? If you cannot show a clean timeline from “the law became effective” to “we took accountable action,” you create unnecessary findings, even if your technical controls are strong.

This page focuses on fast operationalization. You’ll translate Article 45 into program mechanics: a dated compliance narrative, a jurisdiction-by-jurisdiction applicability view, and an evidence set that ties governance decisions to execution. You can run this as a lightweight control, but it must be explicit, owned, and maintained.

Regulatory text

Text (verbatim): “This Directive shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.” (Directive (EU) 2022/2555, Article 45)

Plain-English interpretation

  • NIS 2 became legally effective at the EU level 20 days after its publication in the Official Journal.
  • Article 45 does not tell you the national compliance deadline in each EU Member State. It only establishes when the directive itself took legal effect. Member States then transpose it into national law, and supervision happens under those national laws. (Directive (EU) 2022/2555, Article 45)

What the operator must do

Treat Article 45 as your time anchor for program governance:

  1. Capture the publication date and the calculated entry-into-force date in your compliance record.
  2. Use that anchor to drive (and later defend) your sequencing: applicability determination, implementation planning, control rollout, testing, and evidence retention.
  3. Maintain a jurisdictional view so you can show how EU-level timing translates into local obligations for each place you operate. (Directive (EU) 2022/2555, Article 45)

Who it applies to (entity and operational context)

Article 45 applies to:

  • Any organization building a NIS 2 compliance program or assessing whether it is an “essential” or “important” entity under NIS 2, because you need a defensible legal timeline and a starting point for governance artifacts. (Directive (EU) 2022/2555, Article 45)
  • Multi-country operators where different business units operate in different Member States, because national transposition timing and supervisory posture can vary.
  • Organizations with meaningful third-party reliance (cloud, managed security, critical SaaS, OT vendors, logistics, telecom, data center providers), because implementation typically requires contractual and assurance changes that take time and must be scheduled and evidenced.

Operational contexts where this becomes exam-relevant:

  • You are asked to show when you stood up incident triage and reporting triggers.
  • You are asked how you determined which entities/business units are in scope.
  • You are asked for a board-approved plan, including milestones and ownership.
  • You must explain why some controls are in progress versus complete (and show the plan was not ad hoc).

What you actually need to do (step-by-step)

Step 1: Create a dated “NIS 2 timeline record”

Build a one-page record (wiki page, GRC system entry, or memo) with:

  • Link to the directive in EUR-Lex
  • Publication date (as displayed in the Official Journal reference)
  • Calculated “entry into force” date (publication date + 20 days)
  • A short statement: “This date is the program anchor; national transposition laws define enforceable obligations.” (Directive (EU) 2022/2555, Article 45)

Why this matters: You want one source of truth that stops internal debates and keeps audits consistent.

Step 2: Stand up an obligation register (jurisdictional and operational)

Create an obligation register that answers, for each jurisdiction where you operate:

  • In-scope entity/legal entity and service lines
  • National transposition law status (tracked as “pending/implemented/updated” with links to local counsel notes or official publications when you have them)
  • Control owner (security, IT, legal, privacy, procurement, business)
  • Implementation milestones and dependencies
  • Evidence you will retain (artifacts listed below)

This is where Daydream typically fits cleanly: it gives you a durable obligation register structure with ownership, milestones, and evidence mapping so you can stay consistent across countries and business units.

Step 3: Translate “effective date” into governance actions

You need a short set of governance moves tied to the entry-into-force anchor:

  • Applicability determination: document your initial scoping decision and what you relied on (sector, size, services, jurisdictions). Keep the version history.
  • Executive accountability: document who owns NIS 2 readiness (CISO/COO/CCO), plus how the board is kept informed.
  • Program plan: a roadmap that shows sequencing and what “done” means, including validation/testing activities.

Examiners respond well to dated decisions with owners and change history. They respond poorly to “we’ve always been doing security.”

Step 4: Make two operational workflows “exam-ready”

Article 45 is not an incident reporting rule, but it drives when you should have operationalized readiness. Prioritize these workflows because they are commonly tested in practice:

  1. Incident triage, escalation, and reporting workflow
    • Define severity thresholds, roles, decision rights, and a timer-based workflow for notification steps.
    • Add evidence capture steps: who declared an incident, when, what data sources were used, and what was reported.
    • Run table-top exercises and retain outputs.
  2. Third-party dependency integration
    • Create and maintain an inventory of critical third parties that support in-scope services.
    • Tie third parties to risk assessments, remediation tracking, and assurance (contract clauses, security reviews, SOC reports where available, incident notification commitments).

Step 5: Put the timeline into your audit narrative

Prepare a short narrative that connects:

  • Entry into force (Article 45) → scoping decision → roadmap approval → workflow implementation → testing cadence → current status. (Directive (EU) 2022/2555, Article 45)

This narrative is what you hand auditors so they do not force you into fragmented, ticket-by-ticket storytelling.

Required evidence and artifacts to retain

Use this as your “evidence checklist” for Article 45 operationalization:

Governance and legal anchoring

  • NIS 2 timeline record showing publication reference and entry-into-force calculation (Directive (EU) 2022/2555, Article 45)
  • Links to the directive text you relied on (Directive (EU) 2022/2555)
  • Board/exec briefing materials where NIS 2 applicability and program approach were discussed (minutes, decks)

Obligation and scope management

  • Obligation register with jurisdictions, owners, milestones, and review dates
  • Scope statement: included/excluded entities, rationale, and change log

Operational readiness

  • Incident triage and escalation procedure, with evidence retention instructions
  • Table-top exercise plans and after-action reports (with remediation items tracked to closure)
  • Third-party inventory of critical dependencies tied to in-scope services
  • Third-party security assessment records and contractual obligations relevant to incident notification and security controls

Program management

  • Roadmap with milestones, dependencies, and status reporting
  • Risk register entries for major gaps and remediation actions

Common exam/audit questions and hangups

Expect these questions in internal audit, external audit, or supervisory interactions:

  1. “When did you determine you were in scope?”
    Hangup: teams cannot produce a dated scoping memo and rely on informal assumptions.

  2. “Show your NIS 2 plan and who owns it.”
    Hangup: no single accountable executive, or ownership split with no RACI.

  3. “Why were certain capabilities not implemented earlier?”
    Hangup: no roadmap history or board-approved sequencing.

  4. “How do you handle incidents with third parties?”
    Hangup: contracts lack notification obligations; third-party inventory is incomplete.

  5. “How do you prove your process works?”
    Hangup: no exercises, or exercises exist but no after-action remediation tracking.

Frequent implementation mistakes and how to avoid them

| Mistake | What it looks like | How to avoid it |
|---|---|---|
| Treating Article 45 as irrelevant | No record of entry into force; no timeline | Create a single timeline record and reference it in your program charter. (Directive (EU) 2022/2555, Article 45) |
| Confusing EU entry into force with national enforcement | Teams assume Article 45 is the compliance date | Track national transposition separately in the obligation register and involve legal early. |
| No single source of truth for obligations | Multiple spreadsheets across regions | Centralize the obligation register and assign control owners with change control. |
| Evidence is “somewhere in email” | Cannot reproduce decisions and timing | Define a standard evidence folder structure or use a GRC system record with immutable timestamps. |
| Third parties not in scope | Only internal IT/security controls are tracked | Inventory critical third parties per service and connect them to risk and assurance activities. |

Enforcement context and risk implications

No public enforcement cases were provided in the source catalog for this requirement. Practically, Article 45 becomes relevant in supervision because it influences how credible your compliance timeline is. If your program shows late, undocumented action, you increase the risk of findings related to governance, preparedness, and failure to operationalize controls under national NIS 2 laws. (Directive (EU) 2022/2555, Article 45)

Practical 30/60/90-day execution plan

First 30 days (stabilize the timeline and scope)

  • Create the NIS 2 timeline record and store it in your controlled repository. (Directive (EU) 2022/2555, Article 45)
  • Draft your applicability/scoping memo with legal review.
  • Stand up the obligation register with jurisdictions, owners, and a first-pass milestone plan.
  • Identify your “critical services” and draft the critical third-party dependency list tied to those services.

Days 31–60 (turn governance into operating mechanisms)

  • Finalize RACI across security, IT, procurement, legal, and business service owners.
  • Publish the incident triage/escalation workflow with explicit evidence capture requirements.
  • Start third-party outreach for high-impact dependencies (security artifacts, contract addenda where needed).
  • Establish a single reporting cadence to executives: risks, gaps, milestone status, blockers.

Days 61–90 (prove it works and make it audit-ready)

  • Run at least one incident response table-top that includes a third-party failure scenario; track actions to closure.
  • Perform an internal “NIS 2 readiness review” against your obligation register and confirm evidence completeness.
  • Freeze v1 of your audit narrative: entry into force anchor → roadmap → operating processes → testing artifacts. (Directive (EU) 2022/2555, Article 45)
  • Decide how you will maintain this: periodic obligation register reviews, ownership attestations, and change management for new countries/services.

Frequently Asked Questions

Does Article 45 mean we had to be compliant 20 days after publication?

No. Article 45 states when the directive entered into force at the EU level. Your enforceable obligations generally flow through national transposition laws and supervisory processes. (Directive (EU) 2022/2555, Article 45)

What’s the single most important artifact to create for Article 45?

A dated “NIS 2 timeline record” that captures the publication reference, the entry-into-force calculation, and how you track national transposition by jurisdiction. It prevents scope and timing disputes later. (Directive (EU) 2022/2555, Article 45)

We operate in multiple EU countries. How do we avoid inconsistent implementation?

Use one centralized obligation register with jurisdictional rows, named control owners, and consistent evidence expectations. Then run one program cadence that rolls up status across regions.

How does this relate to incident reporting readiness?

Article 45 sets a defensible start point for your program timeline. Auditors often test whether your incident triage and escalation workflows were built and tested as part of a structured plan anchored to the directive’s effective existence. (Directive (EU) 2022/2555, Article 45)

What should we do if our scoping decision changes over time?

Keep version history: what changed, why, who approved it, and which entities/services moved in or out of scope. Auditors generally accept change if you can show controlled decisioning and timely implementation planning.

Where does Daydream help most with this requirement?

Daydream is a practical home for your obligation register, including jurisdictional applicability notes, control ownership, milestones, and evidence tracking. That structure makes it easier to defend your timeline and readiness narrative tied back to Article 45. (Directive (EU) 2022/2555, Article 45)
