Advisory · 10 min read · 29 June 2026

NIS2 in North Macedonia: The Complete Guide for Essential and Important Entities (2026)

Understand North Macedonia's new NIS2-based cybersecurity law, who it applies to, the key compliance requirements, reporting obligations, potential penalties, and the practical steps organizations should take before enforcement begins in 2027.

North Macedonia's cybersecurity law came into force on January 1, 2026, bringing the country's legal framework in line with the EU's NIS2 Directive. Organizations covered by the law now have until January 1, 2027 to achieve full compliance before enforcement and financial penalties begin.

If your organization operates in a regulated sector, the question is no longer whether the law applies to you. The question is whether you're prepared.

Who Must Comply?

The law classifies organizations as either essential entities or important entities.

Essential entities include large organizations operating in sectors such as energy, transport, healthcare, banking, digital infrastructure, manufacturing, public administration, and providers of qualified trust or DNS services.

Important entities generally include medium-sized organizations (50–250 employees) operating in those same sectors.

Both categories must meet cybersecurity requirements, although essential entities are subject to stricter supervision and higher penalties.

What Does the Law Require?

Article 32 requires organizations to implement a set of minimum cybersecurity measures, including:

  • Risk assessments

  • Incident response procedures

  • Business continuity and disaster recovery plans

  • Backup testing

  • Supply chain security

  • Secure system development and maintenance

  • Cybersecurity policies

  • Security awareness training

  • Encryption policies

  • Access control and asset management

  • Multi-factor authentication (MFA)

These are legal obligations, not recommendations, and the supervisory authorities can ask for evidence of each one. Organizations must therefore maintain documentation demonstrating compliance, not merely implement the measures.

Cybersecurity Officer Requirement

Essential entities must appoint a Cybersecurity Officer responsible for overseeing compliance and communicating with the relevant authorities.

The role must operate independently and cannot be influenced by management when carrying out its legal responsibilities.

Mandatory Incident Reporting

Organizations must report significant cybersecurity incidents to MKD-CIRT within strict deadlines:

  • 3 hours – Initial notification

  • 24 hours – Early warning

  • 72 hours – Full incident report

  • 1 month – Final report with root cause analysis and remediation

Missing any of these deadlines is itself a breach, regardless of how well the incident was contained. In practice, meeting the first deadline means an incident has to be detected, assessed as significant and escalated to whoever files the report well inside that window, so detection and escalation procedures need to be tested, not just written down.

Penalties

Enforcement begins on January 1, 2027.

Organizations that fail to comply may face:

  • Essential entities: fines of up to 2% of annual global turnover

  • Important entities: fines of up to 1.4% of annual global turnover

  • Personal fines of up to €5,000 for responsible individuals

  • Additional enforcement measures, including restrictions on certain business activities in serious cases

Who Enforces the Law?

Compliance is supervised by:

  • Ministry of Digital Transformation for public sector organizations.

  • MKD-CIRT for private sector essential and important entities.

Both authorities may conduct inspections, request documentation, require independent security audits, and issue mandatory remediation orders.

How to Become Compliant

A practical approach includes four steps:

  1. Determine whether your organization is an essential or important entity.

  2. Perform a gap assessment against Article 32 requirements.

  3. Appoint a Cybersecurity Officer if required.

  4. Build and execute a compliance roadmap before the 2027 enforcement deadline.

Final Thoughts

North Macedonia's NIS2-based cybersecurity law is already in force. Organizations that begin their compliance journey today still have enough time to prepare before penalties take effect. Those that delay risk higher implementation costs, operational disruption, and regulatory action.

Cybersecurity compliance is no longer just an IT responsibility. It is a legal and business requirement.

Subscribe to receive monthly threat briefings, case studies, and advisories from the Vexelon team.