
The EU’s Network and Information Systems Directive (NIS2) is slowly crawling towards full adoption more than three years after it went into force. The process of transposing the directive into Member State law has been marred by delays, interpretive complexities, and legislative disharmony with other EU cyber mandates. As a result, some key European markets have yet to finalize NIS2 adoption, despite an October 2024 deadline.
This uncertainty has made it difficult for EU enterprises to devise compliance strategies and make necessary upgrades to their cybersecurity posture. As of last year, two-thirds of organizations directly impacted by NIS2 had not yet started compliance work.
However, recent developments signal that the dust is starting to settle – providing new openings for cybersecurity firms looking to expand in compliance-conscious European markets.
NIS2 in Brief
Between rising geopolitical tension, growing digital-first economies, and increasingly sophisticated threats, the EU’s cyber objectives have evolved significantly since the original NIS directive (commonly referred to as NIS1) was passed in 2016.
NIS1 marked the EU’s first serious attempt to set continent-wide cybersecurity rules. However, in practice, the directive exposed major gaps in how cybersecurity was defined, implemented, and enforced across Member States. This resulted in inconsistent requirements, limited cross-border coordination, and uneven levels of cyber preparedness across the Union. Many sectors critical to modern digital economies were left outside the directive’s scope, incident reporting obligations varied widely, and national authorities often lacked the tools to enforce compliance effectively.
NIS2 seeks to address these gaps by:
- Expanding the scope. NIS2 broadens the sectors under the directive’s purview and categorizes them as either “Sectors of High Criticality” or “Other Critical Sectors.”
- Setting stringent reporting mandates. The directive dictates strict deadlines by which medium and large entities must report cybersecurity incidents, including a 24-hour early warning report, a 72-hour incident report, and a final report after 30 days.
- Building stronger intra-EU coordination. NIS2 enhances cross-sectoral and cross-border coordination on cybersecurity through the establishment of Computer Security Incident Response Teams (CSIRTs) and the European cyber crisis liaison organisation network (EU-CyCLONe).
- Formalizing cybersecurity strategies. The directive requires each Member State to adopt and publish an official national cybersecurity strategy.
As a directive, NIS2 is procedurally distinct from other key EU tech regulations like the AI Act and GDPR because it does not automatically go into effect but rather must be transposed into national law by individual Member States. This means NIS2 establishes a common baseline of cybersecurity expectations across the Union, but not a common ceiling, granting Member States the discretion to design legislation suited to their particular contexts.
This process has been a tenuous one. Only four early adopters – Belgium, Croatia, Italy, and Lithuania – met the October 2024 deadline for transposition. The European Commission has repeatedly initiated infringement proceedings against Member States for failing to comply with NIS2, with the next step being referral to the Court of Justice of the European Union (CJEU) for punitive fines.
NIS2 in 2026
The EU is making slow progress toward full NIS2 adoption. As of early 2026, seven EU Member States have yet to transpose NIS2 into national law, though all states plus EEA member Norway have at least published draft legislation. Several key expectations stand out as this transposition landscape takes shape.
Continued Delays
As a directive that must be transposed into Member State law, NIS2 is beholden to the ebbs and flows of national-level politics. This is particularly evident in European parliamentary democracies, where governments can change quickly and with little notice – like the Netherlands, whose government collapse in October 2025 helped delay key NIS2 legislative milestones.
Elsewhere, delays have emerged from disagreements on key statutory provisions. The Spanish draft NIS2 law, for instance, has been met with pushback related to a provision holding company boards jointly liable for breaches. Similarly, the French bill remains in limbo due to a standoff between MPs and the Ministry of the Interior over a proposed amendment banning hidden entry points on encryption services.
Of these key holdout markets – France, the Netherlands, and Spain – the Dutch are likely the closest to successful transposition, with a 2026 Q2 implementation in their sights.
National-Level Variation
As these disagreements over draft laws indicate, Member States have approached transposition in different ways. Some of these discrepancies are fairly procedural, relating to registration processes, enforcement tools and CSIRT competencies.
Others are more significant. There are some major differences in scope, like Spain’s addition of the nuclear industry as an additional critical sector covered by NIS2. Some states instituted stricter incident reporting deadlines (e.g. Cyprus, whose initial reporting deadline is 6 hours), or harsher penalties for repeat offenders (e.g. Poland, Belgium and Italy).
These differences speak to a broader variability in Member States’ risk appetite and overall cyber objectives, all the while complicating the ability of multinational enterprises to understand their compliance obligations.
An Evolving Mandate
A proposed January 2026 revision to the EU Cybersecurity Act includes targeted amendments to NIS2 that aim to simplify the overall EU cyber regulatory regime. The new legislation clarifies a few issues of scope and introduces a single entry point for incident reports.
If the proposed revision passes, which looks likely, national-level NIS2 will need to reflect these changes. This shouldn’t slow down transposition too much, since much of the legislation impacts EU-side coordination mechanisms and some of the clarifying elements make NIS2 easier to transpose. That said, the amendments provide some degree of cover for non-compliant states to justify delays, which eases pressure on Member States to comply expeditiously by making CJEU referral less likely.
Meeting the Moment
As EU enterprises navigate this complicated landscape and seek new tools to stay secure, connected and compliant, it’s an opportune time for cybersecurity firms to make strides in EU markets. A few key insights can help guide this approach.
Expect Greater Budget Space in Newly-Liable Sectors.
NIS2’s stilted regulatory progress has, unsurprisingly, made it difficult for EU enterprises to plan for compliance. As recently as July 2025, 82% of impacted organizations had not yet modified security budgets to address NIS2 obligations, according to an IDC report.
With at least draft legislation available in each EU country, private sector budgets are likely to catch up around mid-year 2026. It’s even advisable to re-engage previous sales targets who may now be in a better position to procure as their compliance expectations settle into place.
Sectors that were not covered by NIS1 – like waste, critical manufacturing and courier services – could offer the greatest inroads, given that NIS2 exposes them to a wholly new compliance framework with which they had no previous experience.
Emphasize Continuous Real-Time Monitoring and Reporting Capabilities.
NIS2’s strict and time-sensitive incident reporting obligations mean that comprehensive, continuous network monitoring and management will be a core expectation for EU enterprises moving forward. Particularly given NIS2’s emphasis on critical sectors, autonomous and unobtrusive monitoring will be at a premium.
Further, businesses will be looking for workflows and tools that can quickly export comprehensive incident reports covering potential root causes, mitigation measures, and predicted impact. Emphasizing these capabilities, alongside easily auditable and transparent SBOM features, can set firms apart.
Focus on “Main Establishment” Member States.
To simplify compliance obligations for multinational enterprises, NIS2 includes a “main establishment” provision applying to certain cyber-primary sectors. This allows eligible organizations to adhere to the compliance expectations of the Member State in which they carry out their cybersecurity operations, or, if one cannot be identified, the Member State in which they have the highest number of employees.
Consequently, sales efforts should be focused on your targets’ states of main establishment. Broadly, the Netherlands, Germany and France are considered the controlling country for the highest number of multinational enterprise groups, while Ireland is also a leading hub for foreign headquarters. Though this is an imperfect proxy for main establishment criteria, it is likely that these countries’ NIS2 laws will dictate the compliance posture of the greatest number of enterprises. Their legislation can therefore inform the overall design of cyber compliance tools and workflows.
Don’t Count Out EU-Ascendant Countries.
For European states seeking EU membership, regulatory alignment has become a key means to support accession processes and generate momentum for intra-EU trade. As such, Albania, Serbia, Montenegro and North Macedonia all have voluntarily transposed NIS2, while draft versions of NIS2-aligned laws are on the table in Moldova and Ukraine.
Businesses headquartered and operating in these countries will be looking to fill in cybersecurity gaps prior to EU accession, providing key entry points for cyber firms looking to expand into these areas.

