Mark Child (Associate Research Director, European Security)

The deadline for the transposition of the EU’s second Network and Information Systems Security directive (NIS 2) came and went in October 2024 with only a handful of member states having completed the task. As it became clear that this was not just a minor case of not submitting the paperwork on time, the European Commission (EC) swung into action, initiating infringement proceedings against 23 member states in November 2024, with those countries given until January 2025 to provide updates on their progress or demonstrate that they had achieved compliance. Only Belgium, Croatia, Italy, and Lithuania escaped the wrath of the Commission.

Changes

Through the first half of 2025 the picture gradually changed, although definitive numbers depend on the interpretation of what it means to be compliant. In May 2025, 19 member states were on the receiving end of another ultimatum from the EC. However, by July 2025, the list of countries that had enacted laws implementing NIS 2 had swelled to 14 states, with Cyprus, Denmark, Finland, Greece, Hungary, Latvia, Malta, Romania, Slovakia, and Slovenia joining the first four countries noted above. Denmark, Finland, Hungary, Latvia, and Slovenia had the dubious honour of having transposed the directive but still appearing on the EC’s naughty list. The nuance is that countries not only have to transpose the law; they also have to provide full notification of all applicable legislation to the Commission.

Note that EC saber-rattling is not confined to NIS 2: the Commission provides a monthly list of its infringement decisions and recent iterations have included calls around energy legislation, emissions trading, corporate sustainability reporting, and more.

It’s also worth looking at why some of the non-compliant states have not made the required progress. In several cases, the countries in question have gone through changes in government, often multiple times. In Portugal, the government has toppled three times in three years, most recently in March 2025. Germany’s elections in February 2025 meant that all pending legislation either had to be reintroduced or was put on hold. The collapse of the Dutch government at the beginning of June 2025 further set back a process that was already behind schedule.

Legislative processes are complex, and any disruption causes delays not only at the outset but also further down their carefully calibrated calendars.

Under pressure

What does this mean for all the organizations covered – or likely to be covered – by the Directive? How should a company with operations in 10 EU member states, for example, build its compliance strategy and roadmap if 5 of those member states have transposed the Directive and 5 have not? The legislation is already extensive and complex enough without such additional uncertainty layered on top.

Uncertainty impacts organizational planning. According to IDC’s 2025 EMEA Security Technologies and Strategies Survey, almost two-thirds of organizations covered directly by the legislation had not yet started compliance work, as of spring 2025. Allocation of dedicated funding is difficult under these circumstances, with 82% of organizations saying they had not seen any change in their security budget to address NIS 2 requirements. That does not mean no funding is available – but when the directive comes into force in their relevant markets, it may require reallocation of existing funds from other initiatives.

Of course, there are measures that can be taken that do not require technology investments, with 19% of organizations saying they have updated their security policies and processes in relation to NIS 2 requirements. Still, that is less than 1 in 5.

Up the hill backwards

Delays in transposition of the legislation may lead some organizations to consider that time is on their side and there is little need to press ahead with preparations for compliance. Until a European law has come into force, there is no legal basis to enforce compliance. Nevertheless, there are legal principles that caution against taking this approach.

The so-called principle of effectiveness, a doctrine developed by the European Court of Justice in relation to EU law, puts obligations on EU member states to act in certain circumstances. It may seem like there is little incentive to pursue such cases, but bear in mind that NIS 2 aims to build cyber resilience in critical and important entities in the face of ever-increasing cyberattacks. So, when a major cyber incident disrupts operational capability in a critical vertical, investigations and audits will follow once the initial impact has been contained and services restored. In that situation, there is no guarantee that the principle of effectiveness will not be invoked if it is deemed that an in-scope organization failed to take appropriate measures to manage the risk.

Most member states have set up registration mechanisms through which in-scope organizations have to provide certain information such as designated personnel, contact details, IP ranges, and more. The designated authorities in each member state are required to compile those lists of critical and important entities and share the number of entities, along with the sector and subsector breakdown, with the EC and the NIS 2 Cooperation Group. These coordinated actions serve the broader function of enabling the EU’s supranational cybersecurity operational bodies to track and address major incidents that may transcend national borders and lead to impacts spreading across sectors and countries. Consequently, even in member states that have not completed transposition, it is crucial that in-scope entities fulfill the registration requirements for their organization.

The area of incident response also bears scrutiny. Article 23 of the NIS 2 directive details incident reporting obligations, which include an initial alert that must be made within 24 hours of becoming aware of the incident, full notification within 72 hours, and a final, detailed report within one month. Even before full transposition, member states themselves are required to run Computer Security Incident Response Teams (CSIRTs) that are obliged to support in-scope entities in case of an incident. Subject to the findings of those cases, compliance demands could be applied retroactively or specific requirements imposed with compressed deadlines to address key issues.

It’s no game

Despite delays in transposing the legislation, the NIS 2 directive is moving inexorably towards being enforced across the EU and even beyond, when we take into account international companies with operations in EU member states or companies that are suppliers to in-scope organizations. According to IDC’s survey, 41.1% of organizations said that despite not being in-scope for NIS 2, they are still facing compliance requests from some of their partners that are covered by the directive. Individual countries continue to make progress: in Finland the legislation came into force on 8 April 2025; in Slovenia on 19 June; and in Denmark and Estonia on 1 July. Cyber incidents and the risk of extended legal actions make a very strong case for all in-scope entities to prioritize achieving NIS 2 compliance. And even if the auditors aren’t watching you – maybe the cybercriminals are.

To learn more about how European organizations are preparing for NIS 2 compliance, visit IDC’s European Security Technologies and Strategies page. If you have a specific query about NIS 2, drop it in this form.

Mark will be speaking at IDC’s CISO Xchange, which takes place 9-11 November in Marbella, Spain.
