NIS2: The Directive Nobody Transposed on Time

The NIS2 Directive had a transposition deadline of October 17, 2024. Out of 27 EU member states, 4 made it. Belgium, Croatia, Italy, and Lithuania. The other 23 received infringement proceedings from the European Commission the following month.

By mid-2025, the number of member states that had transposed the directive had climbed to 14. Germany’s implementation act finally entered into force in December 2025 after political dissolution forced the legislative process to restart from scratch. France bundled NIS2 into a broader national resilience bill that passed its first reading in December 2025. As of early 2026, several major economies are still catching up.

This is the EU’s most ambitious cybersecurity mandate. And it launched into a compliance vacuum.

What NIS2 actually requires

The directive covers 18 sectors, from energy and banking to food production and waste management. The European Commission estimates over 160,000 entities now fall in scope, up from roughly 20,000 under the original NIS1.

The requirements are substantial. Risk management measures across technical, operational, and organizational dimensions. Incident reporting in three stages: 24-hour early warning, 72-hour detailed notification, one-month final report with root cause analysis. Supply chain security assessments. Business continuity planning. And direct management accountability, including personal liability for gross negligence and the ability for authorities to temporarily ban executives from exercising managerial functions.

Penalties scale to EUR 10 million or 2% of global annual turnover for essential entities. EUR 7 million or 1.4% for important entities.

The fragmentation problem

NIS2 is a directive, not a regulation. Unlike GDPR, which is directly applicable and uniform across all member states, NIS2 requires each country to write its own national law implementing the directive’s requirements. This is why 23 countries missed the deadline. Each one had to draft, debate, and pass legislation. Some chose to add requirements beyond the directive’s baseline. Others simplified. The result is a patchwork.

An organization operating across multiple EU countries now faces different registration deadlines, different reporting formats, different technical requirements, and different enforcement timelines depending on which member states have transposed and how. Germany’s registration deadline with the BSI is April 2026. Other countries set theirs months earlier. Some have not set one at all because they have not finished transposing.

The Commission recognized the problem. In January 2026, it proposed targeted amendments to harmonize requirements: where the Commission adopts implementing acts specifying technical measures, member states would no longer be able to pile on additional national requirements. The amendments also introduce European cybersecurity certification schemes as a pathway to demonstrate compliance.

The gap between paper and practice

160,000 entities in scope. Many of them, particularly in manufacturing, food production, and waste management, have never operated under formal cybersecurity regulation. They lack the teams, the budgets, and the maturity to meet ENISA’s implementing guidance, which runs to nearly 200 pages of security measures.

NIS2 assumes a level of cybersecurity readiness that does not exist in a significant portion of the entities it now covers. The directive was designed to raise the floor. But raising the floor requires the floor to exist in the first place, and for many newly regulated organizations, it does not.

The enforcement machinery is starting up. Supervisory authorities are beginning audits and inspections. No major fines have been publicly reported yet. The question is whether regulators will enforce aggressively against organizations that are genuinely trying to comply in a fragmented regulatory landscape, or whether the first years of NIS2 will look like the early years of GDPR: a lot of guidance, a lot of anxiety, and a few headline enforcement actions that set the tone for everyone else.

The honest assessment

The ambition is right. The execution is a mess. 23 of 27 member states missed a deadline they had two years to meet. The entities that need the most help are the ones least equipped to comply. The regulatory landscape is fragmented across jurisdictions. The implementing guidance is dense enough to require dedicated compliance teams that most affected organizations do not have.

NIS2 will eventually work. The direction is correct. But the gap between the directive’s aspirations and the continent’s readiness is wider than the architects anticipated. The real implementation is happening now, in 2026, not in 2024 when the deadline said it should.