Beyond the Deadline: Are You Prepared for the Reality of NIS2?
The NIS2 Directive is the EU-wide legislation on cybersecurity. It provides legal measures to boost the overall level of cybersecurity in the EU.
The EU's NIS2 Directive has arrived, bringing stricter cybersecurity regulations to vital sectors like energy, water, and transportation. Operational Technology (OT) systems, the backbone of our critical infrastructure, are now under the spotlight, requiring organizations to ramp up their security posture to ensure the continued operation of essential services. You can read my full article on NIS2, who it impacts, what it expects, etc. here.
The NIS2 Directive, designed to bolster cybersecurity across the European Union, has progressed from legislation to implementation. This article examines the current state of NIS2 since its enforcement, member state progress, potential penalties, and implications.
Delayed and Fragmented Implementation Across the EU
The most significant update is that many EU member states have been slow to transpose the NIS2 Directive into their national legal frameworks.
- Widespread Delays: As of early 2025, a large number of countries had not yet finalized their national legislation. In response, the European Commission has sent reasoned opinions to 19 member states, formally urging them to complete the transposition.
- A Patchwork of Progress: This has resulted in a fragmented landscape for businesses operating across the EU. While countries like Belgium, Croatia, and Italy have enacted their laws, others are still in the drafting or parliamentary stages, with some not expected to be fully implemented until later in 2025.
- Diverging National Approaches: The national implementations that are in place show variations in how "essential" and "important" entities are defined, the specifics of reporting obligations, and the auditing requirements. This creates complexity for multinational organizations.
Progress of Member State Enforcement
Member states are in varying stages of transposing NIS2 into national law.
NIS2 Implementation Progress

| Member State | Current Status | Notes |
|---|---|---|
| Belgium, Romania, Hungary, Lithuania, Italy, Latvia, Slovakia, Croatia, Greece | ADOPTED NIS2 LAWS | National laws in effect. |
| Germany, Sweden, The Netherlands, Poland, Finland, Austria, Denmark, Bulgaria, Portugal, Luxembourg, Slovenia, Cyprus, Czech Republic, France, Ireland, Malta, Estonia | DRAFT NIS2 LAWS | Undergoing national legislative procedures. |
| Spain | COUNTRIES AWAITING DRAFT NIS2 LAWS | Public consultations underway. |
Fines and Enforcement Actions
As NIS2 is relatively new, concrete examples of fines are still emerging, and enforcement is expected to increase as national laws fully come into force. A key question for many organizations is how enforcement and fines will work in practice.
- No Fines Issued Yet: To date, there have been no publicly reported fines under the NIS2 Directive.
- Enforcement Depends on National Law: This is because penalties can only be enforced once the directive is fully operational within a member state's legal system. With the widespread delays in transposition, national competent authorities in many countries are not yet in a position to issue fines.
- Significant Penalties Remain a Major Concern: Despite the lack of fines so far, the severe penalties outlined in the directive remain a primary driver for compliance. These can be up to €10 million or 2% of a company's global annual turnover for essential entities, and €7 million or 1.4% for important entities. Crucially, NIS2 also introduces the possibility of personal liability for senior management.
New Guidance and Resources to Aid Compliance
To support the implementation of the directive, key resources have been released:
- ENISA's Proactive Role: The EU Agency for Cybersecurity (ENISA) has been actively providing guidance. This includes:
  - A handbook on cyber stress testing to help authorities and organizations assess their resilience.
  - The launch of the European Vulnerability Database (EUVD), a central repository for information on cybersecurity vulnerabilities.
- Industry Collaboration: Organizations like the OpenID Foundation have also been contributing by providing recommendations on ENISA's guidance, particularly concerning authentication and security protocols.
Conclusion
NIS2 is driving a fundamental shift in cybersecurity across the EU. While implementation is ongoing and enforcement actions are still developing, the directive is placing greater emphasis on security, especially in OT and NCI sectors. Organizations must stay informed, prioritize compliance, and enhance their cybersecurity posture to meet the new regulatory landscape.
Recommendations
- Stay updated on national transposition laws and guidelines.
- Conduct risk assessments and implement necessary security measures.
- Develop incident response plans and procedures.
- Engage with relevant authorities and industry groups.
- Ensure supply chain security and vet third-party providers.
--------------------
Author: Vinny Sagar, Field Strategist, swIDch
With over 15 years of experience in pre-sales, consulting and software development in the Identity and Cyber Security space, Vinny has helped many clients across various industries and regions to design and deploy Zero Trust solutions that meet their specific needs and challenges.
--------------------
swIDch will continue its quest to innovate and pioneer next-generation authentication solutions. To stay up-to-date with the latest trends sign up to our newsletter and check out our latest solutions.