NIS2 – Implementation of the Second Directive
August 08, 2025
The second Network and Information Security Directive (NIS2) was first discussed in mid-2020, in response to the European Commission’s consultation on the need to reform the original 2016 NIS directive. NIS2 was formally adopted and entered into force in January 2023, with European Union (EU) Member States required to transpose it into national law by 17 October 2024, replacing the (subsequently repealed) 2018 NIS Directive with immediate effect. [1] Despite the time that has passed since its inception, NIS2 continues to create confusion and compliance concerns across the EU and beyond.
For those who have not been closely following the policy and legislative developments behind this transformative regulation, it may be unclear how we have reached this point. To help reduce confusion, it is important to consider the key factors at play, the impact on firms required to comply with the Directive’s sprawling regulatory landscape, and future developments around NIS2.
The Legislative Position
NIS2 is a directive, not a regulation. It requires each of the EU Member States to transpose it into national law, which is not a quick process. Across the 27 EU Member States, only 14 have fully transposed the directive into regulation at the time of this writing. [2] The remaining Member States find themselves in receipt of reasoned opinions from the European Commission for failing to notify full transposition of NIS2. [3]
In the EU context, a reasoned opinion is a formal request from the European Commission urging a Member State to comply with EU law. It is the first step in the enforcement process for transposing the Directive. If the Commission finds the Member State’s reasoning for non-compliance insufficient, the case may go to the European Court of Justice (ECJ), which will determine whether the transposition status and reasoning are justified. If not, the court can mandate that compliance is achieved within a determined timeframe, failing which financial penalties will be imposed.
Operational Implications
Whilst the legislative position plays out, more than 300,000 organisations with operations in the EU and impacted by the NIS2 directive remain in a position where they lack clarity on what requires compliance and what does not. [4] The current transposition status reveals that Member States which have implemented the Directive and enacted the regulation have done so in different ways, resulting in varying national requirements despite the shared intent of NIS2.
Hungary, for example, has imposed a requirement for independent audits and that the results are shared with the NIS2 regulatory authority. [5] This brings significant additional scrutiny to organisations operating in Hungary, as any NIS2 non-compliance will be revealed. Belgium has taken a similar approach, leveraging its Cyber Fundamentals Framework (CyFun®) as the baseline for compliance and mandating assessments according to the requirements included in the CyFun® Conformity Assessment Scheme. The assessment must be performed by an accredited and authorised conformity assessment body and brings non-compliance exposure risks similar to those of the Hungarian scheme. [6]
The NIS2 scheme in Belgium is also based on a range of different frameworks, including NIST CSF, ISO 27001, ISO 27002, CIS Controls, and IEC 62443. In Hungary, however, the guidance refers only to standards referenced within the NIS2 Directive, without reliance on a domestic framework.
An entity operating in both countries therefore has differing NIS2 obligations to reach compliance. Extrapolating this problem across each member state quickly highlights how an EU-wide requirement results in a fragmented compliance position, necessitating considerable time and effort to manage.
The Route Forward
How can multi-national enterprises operating in several EU Member States respond to such regulatory requirements? It is unusual for such a powerful piece of regulation to have so many potential variants of the same requirement. As a result, a dynamic and intentionally flexible approach is essential to establishing a strong foundation for meaningful and sustained compliance assurance. This can be achieved through the following steps:
- Map the Requirements – Deconstruct and understand the regulatory requirements in each NIS2-relevant operating jurisdiction. Ensure that this deconstruction captures all requirements, then map those requirements to the information security control environment. Understand and articulate each existing control that meets an obligation, identify who owns and maintains the control, and determine how the control is performing operationally.
- Target Baseline Outcomes – Regardless of where an organisation operates, most fundamental requirements will remain the same.
  - Make sure that governance is appropriately designed and implemented, and that the executive and board bodies have defined and understand their roles and accountability.
  - Make sure that risk management processes are operating effectively and enabling a risk-based approach to information security decisions. Integrate threat intelligence into these risk processes to ensure that the threat environment context is a key factor in maintaining an accurate view of current risks.
- Maintain Assurance – Ensure that an appropriate degree of independent assurance over operating environments is gained. Often, it is difficult for organisations to ‘see the wood for the trees,’ and an objective, external perspective is critical in finding vulnerabilities and challenging flawed assumptions. Take action early and be prepared to remediate – ensure the first independent review of NIS2 compliance does not occur under regulatory scrutiny.
Conclusion
NIS2 is in effect, regardless of whether an EU Member State has transposed it into national law, issued regulatory guidance, or started to finalize its jurisdictional list of essential and important entities. There is little room for delay or exemption, meaning organisations subject to the Directive’s requirements are best positioned if they act early, allowing sufficient time to adopt and adapt.
Entities near the top of the list must be prepared to respond quickly to incidents by notifying national Computer Security Incident Response Teams (CSIRTs), while also implementing specific risk management governance regarding third-party oversight and critical services, senior leadership governance in risk oversight and approval, and structured communication with public sector bodies, such as the European Cyber Crises Liaison Organisation Network (CyCLONe).
These are not trivial changes, and most will require time to develop and integrate into existing operational processes. The key is simple: organisations should start now.
Footnotes:
1: “NIS2 Directive: securing network and information systems”, European Commission (June 20, 2025).
2: “NIS2 Directive Transposition Tracker”, European Cyber Security Organisation (June 20, 2025).
3: “NIS2 Directive transposition in EU countries”, European Commission (June 20, 2025).
4: “NIS2 Compliance for Industries White Paper”, Cisco (June 20, 2025).
5: Adam Liber, Tamás Bereczki, “Analysing the Transition: From the 2023 Cybersecurity Act to the 2024 Cybersecurity Act in Hungary”, Chambers and Partners (March 13, 2025).
6: Johan Klykens, Dirk De Paepe, “CyberFundamentals, a tool to reduce the cyber protection gap”, Belgian Financial Forum (June 20, 2025).