NIS2 audit deadline: it’s not the date of registration that matters – the authority clarifies the misconception
NIS2 audit deadline: it’s not the date of registration that matters – the authority clarifies the misconception
A serious misconception is spreading among organizations affected by NIS2: many believe that the deadline for the first cybersecurity audit is always calculated from the date of registration in the official registry or from the date of the authority’s approval decision. Based on this logic, some assume that if they failed to register on time, they could effectively “gain time” — the later they register, the later their audit deadline would be, potentially giving them up to two additional years from the date of the decision.
That would be convenient — but it is a serious mistake.
The authority has provided a clear answer
As we encountered this interpretation more and more frequently and it became a recurring question which organizations are actually subject to the final deadline of June 30, 2026, we decided not to leave any uncertainty: we requested an official position from the Supervisory Authority for Regulated Activities (SZTFH). We have received their response, and it clearly settles the issue.
According to the authority’s position, for organizations that were already in scope as of January 1, 2025, the deadline for the first cybersecurity audit is uniformly June 30, 2026, and this is not affected by late registration or by the date of the official registration decision.
The wording leaves no room for interpretation:
and:
There is no “extra two years”
In practice, this means that the assumption that registration “resets the clock” is simply incorrect. The deadline is not determined by administrative steps, but by when the organization actually started performing the activity that brings it under the scope of the regulation.
Therefore, if an organization was already subject to NIS2 before 2025, the June 30, 2026 deadline remains fully applicable — even if registration only took place later, including cases where it happened following an official notice.
If you are affected, now is the time to act
What we are currently seeing in the market is that many organizations are still planning with a later deadline and, as a result, have not yet started their preparation. This creates significant risk: an audit is not something that can be completed at the last minute, and auditor capacity is limited.
If this sounds familiar, and you have been calculating your deadline based on the registration date, it is time to reassess.
Feel free to contact us — we can quickly clarify your scope, assess your current level of compliance, and help you prepare for the audit in a way that keeps the June 30, 2026 deadline achievable.
| Contact us |
Key takeaway
It is not the date of registration that matters, but when your organization became subject to NIS2. If that was before 2025, the deadline is fixed — and there is no extension.