The ACN baseline framework sets the deadline for adopting baseline security measures at 18 months from the official inclusion notice. For most entities, this places the compliance deadline around October 2026. With roughly 8 months remaining at the time of writing, organizations must move from planning to execution immediately. There is no room for a slow ramp-up: every month counts.
Key takeaways
- The NIS2 baseline compliance deadline falls around October 2026 for most entities.
- With only 8 months left, a compressed, phased approach is essential.
- Governance and documentary evidence must be established immediately, not deferred.
- Organizations that have not started are already behind schedule.
8-month implementation roadmap (February–October 2026)
Phase 1 — February–March 2026: scope and governance setup
Confirm entity classification, map applicable annexes, assign control owners, and establish governance reporting cadence. This phase must be completed within the first 60 days to avoid cascading delays on every subsequent phase.
Phase 2 — April–May 2026: baseline design and prioritization
Define the policy set, risk-treatment roadmap, and control priorities for high-impact systems and services. Focus on controls with the highest implementation dependency first, as these will gate later phases.
Phase 3 — June–August 2026: implementation and evidence build
Deploy controls across governance, identification, protection, detection, response, and recovery. Build auditable evidence packs in parallel. This is the longest and most resource-intensive phase—allocate capacity accordingly.
Phase 4 — September–October 2026: verification and closure
Run internal checks, close residual gaps, validate document approvals, and prepare authority-facing readiness evidence. No new implementation should be started in this phase—it is strictly for verification and remediation.
Operating controls for schedule reliability
| Control | Objective | Evidence |
|---|---|---|
| Program governance | Keep timeline and ownership under control | Steering minutes, status dashboard |
| Milestone tracking | Detect delays early | Milestone register, risk log |
| Evidence-by-design | Avoid end-period documentation gaps | Control-to-evidence matrix |
| Gap closure discipline | Resolve blockers before deadline | Remediation tracker, closure proof |
Immediate action checklist (first 30 days)
- Confirm receipt date of official inclusion notice and calculate your exact deadline.
- Build the phased delivery plan through October 2026 with monthly governance checkpoints.
- Assign control owners and secure budget approval for implementation resources.
- Prioritize controls with the highest implementation dependencies.
- Start documentary evidence collection from day one—do not wait for controls to be fully deployed.
- Set an escalation path for milestones at risk.
FAQ
Is October 2026 the exact deadline for all entities?
The 18-month term runs from each entity’s individual receipt of the official inclusion communication. For most entities notified in early 2025, the deadline falls around October 2026. Check your specific notification date to calculate your exact deadline.
Can implementation be deferred until the summer?
With only 8 months total, deferring implementation to the last 3–4 months creates extreme delivery risk. Baseline implementation must begin immediately with continuous evidence generation.
What if we haven’t started yet?
Start with Phase 1 immediately: scope definition, governance setup, and control-owner assignment. These can be completed in weeks, not months. The key risk is not the complexity of any single control, but the cascading delays from a late start.
What is the first governance deliverable?
A documented implementation roadmap with owners, milestones, dependencies, and evidence outputs per control family—aligned to the October 2026 deadline.