Policy Briefing – NIS2 Directive Implementation and Compliance
NIS2 expands the EU's cybersecurity regime to more sectors and imposes harmonised risk‑management, supply‑chain and incident‑reporting obligations. In‑scope organisations must implement robust cybersecurity measures, determine whether they are essential or important entities, and navigate varied national transposition and penalty regimes.
Context
NIS2 (Directive (EU) 2022/2555) aims to raise the EU's baseline for cyber‑security by replacing the 2016 NIS1 directive and creating a unified legal framework across 18 critical sectors. It requires EU Member States to develop national cyber‑security strategies, adopt updated legislation and co‑ordinate via CSIRTs and EU‑CyCLONe. The directive extends its scope beyond traditional sectors such as energy, transport and healthcare to include digital infrastructure, public electronic communications, postal and courier services, manufacturing of critical products, and public administration. Medium‑sized and large organisations in these sectors are classified as “essential” or “important”, depending on their size and criticality, with a default threshold of 50 employees and €10 million turnover. Certain providers (DNS operators, domain‑name registries, public electronic communications providers, some public agencies and trust service providers) are in scope regardless of size.

The directive entered into force in January 2023, and EU Member States were required to transpose its provisions into national law by 17 October 2024. As of October 2025 only 14 Member States had fully transposed NIS2; the European Commission issued reasoned opinions to 19 states for failing to notify full transposition and warned that unresolved cases could be referred to the Court of Justice of the EU. Member States were also required to identify and designate all essential and important entities by 17 April 2025, yet some jurisdictions have not completed this process. Because NIS2 repealed NIS1 and is designed as a minimum baseline, some governments have added stricter requirements or expanded sectoral scope, creating national variations that organisations must navigate.
Core obligations
NIS2 imposes baseline cyber‑security obligations on in‑scope organisations. Entities must implement proportionate technical, operational and organisational risk‑management measures, including network security controls, vulnerability handling and patch management, cryptographic protections, and business‑continuity planning. They must also conduct supply‑chain and third‑party risk assessments, ensure appropriate contractual terms with vendors, and monitor supplier compliance. A harmonised incident‑reporting regime requires organisations to submit an early warning to national authorities within 24 hours of becoming aware of a significant incident, provide a follow‑up report within 72 hours, and file a final report within one month. Boards and senior management are explicitly responsible for approving and overseeing cybersecurity strategies, and management failures can result in personal liability. Essential entities may face administrative fines of up to €10 million or 2% of global annual turnover for non‑compliance, while important entities can be fined up to €7 million or 1.4% of turnover. National authorities are empowered to conduct audits, inspections and spot checks, and they may impose stricter penalties under national law.

NIS2 also strengthens cooperation mechanisms. Member States must adopt national cyber‑security strategies that cover supply‑chain security and vulnerability management. The directive establishes a network of Computer Security Incident Response Teams (CSIRTs) to share information and coordinate responses, and it creates EU‑CyCLONe to manage large‑scale cyber crises. A NIS Cooperation Group facilitates strategic cooperation and publishes non‑binding guidelines and recommendations.
Implementation status and challenges
Transposing NIS2 has proven uneven. Goodwin’s October 2025 update notes that only 14 Member States have enacted laws implementing NIS2, leaving Germany, France, Ireland, Spain and several others still working through national legislation. Some jurisdictions, such as Italy and Slovenia, have expanded the list of regulated sectors beyond the Directive’s annexes, while Belgium has imposed additional board‑level oversight requirements and Germany’s draft law proposes mandatory cyber‑security certification for certain essential entities. Differences also exist in procedures for designating regulated entities, registration requirements and reporting timelines. These variations complicate compliance for companies operating across multiple Member States.

Designating regulated entities is an immediate priority: NIS2 required Member States to identify all essential and important entities by 17 April 2025. Some countries, such as Italy and Hungary, began this process early, whereas others have yet to publish national registers. Without clear national lists, organisations may be uncertain whether they are in scope. Moreover, enforcement regimes are still being finalised. While no enforcement actions had been reported as of late 2025, Member States are establishing supervisory authorities, and penalties will likely vary across jurisdictions.
Implications
For engineering and cyber‑security teams, NIS2 means that security cannot be an afterthought. Organisations must conduct comprehensive risk assessments, implement access controls, vulnerability management and cryptographic protections, and develop robust business‑continuity plans. Supply‑chain security becomes central: companies must evaluate third‑party providers, negotiate breach‑notification clauses and monitor compliance. To meet incident‑reporting requirements, organisations need detection capabilities that can identify significant incidents quickly, and processes to gather the information required for the 24‑hour, 72‑hour and one‑month reporting deadlines.

Legal teams must map how NIS2 has been transposed in each Member State where the organisation operates and determine whether the organisation is classified as essential or important. They should prepare to submit registration details where required, appoint an EU representative if the organisation is not established in the EU, and implement governance frameworks that assign cyber‑security oversight to senior management. Because national laws vary, companies may need to adopt the highest standard among jurisdictions to ensure consistent compliance.
Business leaders must understand that NIS2 introduces board‑level accountability and significant financial penalties. They should allocate resources for compliance programmes, integrate cyber‑security into enterprise risk management and cultivate a security‑aware culture through regular training. Given that many Member States have not yet transposed NIS2, proactive engagement with national authorities and industry associations will help organisations anticipate local requirements and influence emerging guidance.
Recommended actions
- Determine applicability: Identify all EU Member States where your organisation operates and assess whether you qualify as an essential or important entity under NIS2. Note the size‑independent categories, such as trust service providers and DNS operators, that are in scope regardless of size.
- Monitor national transposition: Track how each relevant Member State is implementing NIS2 and register with competent authorities where required. Map jurisdictional differences in sector scope, reporting deadlines and supervisory regimes.
- Implement risk‑management frameworks: Establish technical and organisational measures for network security, vulnerability handling, encryption, business continuity and supply‑chain risk management.
- Prepare incident‑reporting processes: Develop playbooks to deliver an early warning within 24 hours, a follow‑up report within 72 hours and a final report within one month for significant incidents. Conduct tabletop exercises to test these timelines.
- Strengthen governance and training: Assign cyber‑security oversight at board level, provide regular training for management and staff, and ensure accountability for compliance.
- Evaluate business continuity and recovery: Update disaster‑recovery and crisis‑management plans and test them regularly.
- Plan for certification and audits: Consider obtaining internationally recognised security certifications and prepare for possible audits by national regulators.
Zeph Tech analysis
NIS2 reflects the EU’s view that cyber‑security is now a cornerstone of critical‑infrastructure regulation. By expanding scope to new sectors and introducing harmonised incident‑reporting deadlines, it elevates cyber‑security from a technical issue to a boardroom obligation. Yet the uneven pace of national transposition and the designation of regulated entities mean that organisations must monitor legal developments closely and be ready to adapt. For practitioners, NIS2 emphasises fundamentals: secure architecture, vulnerability management, supply‑chain diligence and crisis preparedness. For policy leaders, it underscores the importance of harmonisation and international cooperation. Organisations that treat NIS2 compliance as an opportunity to strengthen their security posture will be better positioned to withstand the next generation of cyber threats and build trust with customers and regulators.