Eight EU countries, including Ireland, Spain, France, Bulgaria, Luxembourg, the Netherlands, Portugal, and Sweden, have been warned by the European Commission for failing to meet the deadline on the implementation of the NIS2 Directive.

What is the NIS2 Directive about?

The NIS2 Directive, adopted by the EU in 2022, is an updated legal framework designed to strengthen the cybersecurity and resilience of critical infrastructure and essential services. Essentially, this directive replaces the 2016 NIS Directive, the EU's first legislation to improve cybersecurity across crucial sectors such as energy, transport, banking, and healthcare. It set baseline security and incident reporting requirements for critical infrastructure operators and digital service providers to enhance the overall resilience of network and information systems in the EU.

With the adoption of the NIS2 Directive, the EU aims to broaden the scope to include not only traditional sectors like energy, transport, banking, and healthcare, but also public administration, space, manufacturing of critical products, food production, postal services, and a wide range of digital service providers.

NIS2 introduces stricter risk management, supply-chain security requirements, and enhanced incident reporting rules, with early warnings due within 24 hours. It increases management accountability, requiring leadership to oversee compliance and undergo cybersecurity training.

It also imposes heavy penalties for violations, including up to E10 million or 2% of global annual turnover for essential entities. The Directive also aims to strengthen EU-level cooperation through bodies like ENISA and EU-CyCLONe.

Member States were expected to transpose NIS2 into national law by 17 October 2024, making timely compliance preparation critical.

What is a directive?

There are two main types of the EU laws: regulations and directives. Regulations apply automatically and uniformly across all member states once adopted by the EU.

In contrast, directives set specific goals that member states must achieve but leave it up to each country to decide how to implement them, allowing for different approaches based on each member state's capacities and legal systems.

So, why is there a delay in implementing the NIS2 Directive?

According to Insecurity Magazine, the delay is due to member states' implementation challenges, and many companies across the EU are 'not fully ready to comply with the directive.' Six critical infrastructure sectors are facing challenges, including:

• IT service management is challenged by its cross-border nature and diverse entities
• Space, with limited cybersecurity knowledge and heavy reliance on commercial off-the-shelf components
• Public administrations, which "lack the support and experience seen in more mature sectors"
• Maritime, facing operational technology-related challenges and needing tailored cybersecurity risk management guidance
• Health, relying on complex supply chains, legacy systems, and poorly secured medical devices
• Gas, which must improve incident readiness and response capabilities

The deadline for the implementation was 17 October 2024. In May 2025, the European Commission warned 19 member states about delays, giving them two months to act or risk referral to the Court of Justice of the EU. It remains unclear whether the eight remaining holdouts will face further legal consequences.