The NIS2 Directive (Directive (EU) 2022/2555, the successor to the 2016 NIS Directive) was designed to strengthen the cybersecurity resilience of essential and important entities across the European Union.
However, while member states were required to transpose NIS2 into national law by 17 October 2024, many missed this deadline.
As a result, on 28 November 2024, the European Commission opened infringement procedures, by sending letters of formal notice, against 23 member states for failing to notify full transposition.
NIS2 sets out, in Article 21, ten minimum cybersecurity risk-management measures aimed at enhancing cyber resilience in sectors such as energy, healthcare and digital infrastructure. These include risk analysis and information system security policies, incident handling, business continuity, supply chain security, and basic cyber hygiene practices and cybersecurity training. Yet the uneven pace of adoption has created regulatory uncertainty, leaving organizations to navigate a complex and fragmented compliance landscape.
Differences between EU countries in the implementation of the NIS2 Directive: Confidence vs Reality
As the October 2024 transposition deadline passed, significant disparities emerged in how EU member states incorporated NIS2 into their national laws. While a few countries, such as Belgium, Croatia, Hungary, Italy, Latvia and Lithuania, had transposed the directive on time and were prepared to enforce compliance measures, others lagged behind. France, Denmark and the Netherlands announced delays, pushing implementation to early 2025, while Germany's NIS2 bill, approved by the Federal Government in July 2024, remained stalled in parliamentary approval, with enforcement at that point expected in March 2025.
Beyond timing, the directive’s interpretation varies widely. For instance, France explicitly includes local authorities in its scope, whereas Germany does not. These inconsistencies have created compliance challenges for pan-European organizations, forcing them to navigate a patchwork of regulations rather than a unified cybersecurity framework.
This regulatory fragmentation stands in stark contrast to the confidence many organizations expressed early on. As of June 2024, 80% of surveyed businesses believed they could meet NIS2 requirements, yet only 14% were actually compliant. Many assumed delays in national legislation would provide additional time to prepare, but the underlying issues persisted: 53% of organizations lacked confidence in their understanding of the directive's requirements, and 49% reported insufficient leadership support. Without executive buy-in, IT teams may have been technically ready, but their organizations as a whole were not.
By January 2025, these concerns had become reality. With 16 member states still navigating national legislative procedures and two yet to publish their drafts, the envisioned harmonization remained elusive. As organizations struggle to finalize compliance strategies, the gap between early confidence and the fragmented regulatory landscape is clearer than ever.
Bridging the Gap: What Organizations Must Do to Prepare
Despite delays in national legislation, organizations cannot afford to take a passive approach to NIS2 compliance. The directive's obligations apply to entities in scope regardless of how late a member state transposes it, so the difficulties member states have had should serve as a warning: businesses must take responsibility for their own cybersecurity readiness rather than waiting for regulatory clarity.
A key issue remains the lack of engagement from company leadership. Many organizations struggle to understand the directive's requirements, and without management buy-in, compliance efforts risk being underfunded and deprioritized. Cybersecurity is no longer just an IT issue: under Article 20 of NIS2, management bodies must approve and oversee the risk-management measures, undergo cybersecurity training themselves, and can be held liable for infringements. Organizations must foster a security-first culture in which leadership plays an active role in risk management.
Proactive preparation is essential. Implementing an internationally recognized standard such as ISO 27001 provides a strong foundation, although certification alone does not demonstrate NIS2 compliance; the controls still need to be mapped against the Article 21 measures and the incident-reporting obligations. Organizations should also conduct thorough risk assessments to identify their most critical vulnerabilities and develop targeted mitigation strategies. Employee training remains one of the most crucial components: since phishing and other social engineering attacks that exploit human error are among the most common initial access vectors, organizations must invest in continuous education to strengthen resilience.
Ultimately, NIS2 is more than just a compliance requirement; it is a wake-up call. Organizations, particularly those in critical infrastructure sectors, must use this time wisely to enhance their security posture. With cyber threats from nation-states, hacktivists and cybercriminals on the rise, prioritizing cybersecurity is not just about avoiding fines; it is about safeguarding operations, protecting customers, and ensuring long-term continuity in an increasingly volatile digital landscape.