The European Union’s NIS2 directive (Network and Information Security) is a crucial piece of legislation designed to enhance cybersecurity resilience across the bloc. Unlike a regulation, which is immediately and uniformly applicable, a directive requires each member state to integrate its provisions into its own national law. This process, known as transposition, is intended to be completed by a set deadline.
The deadline for transposing the NIS2 directive was October 17, 2024, and as of a recent review, a number of countries have failed to meet this obligation, drawing the attention of the European Commission and the prospect of legal action. The countries cited for these delays include Ireland, Spain, France, Bulgaria, Luxembourg, the Netherlands, Portugal, and Sweden.
The Commission has initiated a formal process, contacting 19 member states in May 2025 about their delays. This formal warning gave them a two-month window to either respond or take the necessary steps to comply. The Commission has the authority to refer these cases to the Court of Justice of the European Union (CJEU), a step that would escalate the legal pressure on the non-compliant countries.
The failure to transpose the directive not only creates legal uncertainty but also poses a potential risk to the cohesive cybersecurity framework the EU aims to build. It highlights a common challenge in European governance, where the process of adapting pan-European directives can lead to significant delays and varying levels of implementation across member states.
Even among countries that have successfully transposed the directive, compliance remains a significant challenge. A report from the European Union Agency for Cybersecurity (ENISA), published in March, identified several sectors facing acute difficulties in meeting the new standards.
It specifically highlighted IT service management, space, public administration, maritime, health, and gas as being in a “NIS360 risk zone.” These sectors are considered critical but are struggling to adapt to the new regulatory requirements, underscoring the gap between legal compliance and practical implementation. This suggests that while legal frameworks are important, the actual on-the-ground readiness for enhanced cybersecurity varies greatly.
Conversely, other critical sectors have been lauded for their strong compliance. The electricity, telecommunications, and banking sectors were identified by the ENISA report as the most mature in their cybersecurity readiness. This is attributed to a combination of factors, including long-standing “significant regulatory oversight,” dedicated funding, strategic investment, political focus, and effective public-private partnerships.
The success of these sectors provides a potential roadmap for others, demonstrating that a combination of clear regulatory mandates and sustained investment can lead to robust cybersecurity infrastructure. Their experience offers valuable insights into what is required to effectively meet the challenges posed by directives like NIS2.
The impact of the NIS2 directive also extends beyond the EU’s borders. For British companies with a presence in Europe, compliance with NIS2 is often required. However, a Green Raven study from November 2024 revealed significant confusion and non-compliance within the UK business community. A notable 22% of UK companies claimed not to know whether NIS2 applies to them, and a further 10% of those who knew it applied admitted they were not compliant by the October 17 deadline. This highlights a broader issue of awareness and preparedness.
The UK is developing its own equivalent legislation, the Cyber Security and Resilience Bill, which is expected to progress through parliament later this year. This parallel legislative effort underscores the global nature of cybersecurity challenges and the need for comprehensive and coordinated legal responses.