NIS 2: One year later


Member States were required to implement the NIS 2 Directive ("NIS 2") [1] into national law by 17 October 2024. One year on, many EU Member States have failed to meet the transposition deadline, creating confusion and increasing compliance complexity for organisations across the EU.

NIS 2 – a recap:

NIS 2 is an EU cybersecurity directive that replaces Directive (EU) 2016/1148 ("NISD") [2]. The primary goal of NIS 2 is to uplift the level of cybersecurity across the EU (improving confidence in the market and resilience across important market sectors) and address the weaknesses and inadequacies of NISD. NIS 2 seeks to achieve this by:

  • expanding the scope of regulated products and services (e.g., NIS 2 regulates electronic communications services and social networking services);
  • introducing minimum mandatory security measures that must be implemented by in-scope entities, along with specific responsibilities and liability for senior management; and
  • granting regulators wide-ranging supervisory and enforcement powers (e.g., NIS 2 introduces steep penalties for non-compliance: (i) €7 million or €10 million (depending on the sector); or (ii) 1.4% or 2% (depending on the sector) of total worldwide turnover in the preceding financial year).

The national laws implementing NIS 2 apply to a large number of businesses operating in the EU, many of which have had no prior direct exposure to specific cybersecurity legislation, including data centre service providers, social media companies and manufacturers.

For more information on NIS 2, you can watch our webinar which explores the key issues for organisations grappling with NIS 2 compliance.

Implementation delays

As an EU directive, Member States must implement NIS 2 into domestic law before it becomes applicable and enforceable in that Member State.

The deadline for implementing NIS 2 into national law was 17 October 2024; however, the implementation landscape is fragmented, with many Member States failing to adopt transposing legislation.

On 7 May 2025, the European Commission sent a reasoned opinion to 19 Member States (including Germany, Ireland, Spain, and France) for failing to complete the transposition of NIS 2 by the deadline. The Commission warned those 19 Member States that if they did not respond to the Commission and take the necessary measures within two months, the Commission may decide to refer the matter to the Court of Justice of the European Union.

Current state of play

Despite the Commission's warning, only approximately half of Member States have transposed NIS 2 at the time of publication (e.g., Belgium, Croatia, Cyprus, Czech Republic (enters into force on 1 November 2025), Denmark, Finland, Greece, Hungary, Italy, Lithuania, Malta, Romania, Slovakia and Slovenia), leaving the remaining EU jurisdictions in a state of incomplete transposition (either partially or fully).

In practice, this means that organisations operating across multiple Member States (e.g., electronic communication service providers) have a complex compliance framework to contend with. This creates particular issues when it comes to incident reporting and overlapping regulatory supervision.

What's next?

We expect the remaining Member States to prioritise implementation over the coming months, although timelines remain unclear. The lack of clarity is creating challenges for multinational organisations trying to implement compliance frameworks which scale across the EU.

Organisations operating in Member States that have not yet implemented NIS 2 can use this time to become familiar with the requirements of NIS 2, assess the impact on the organisation and its current compliance status, and take steps to address material gaps.

Questions?

Please contact John Timmons or Joe Devine if you have any questions, or if you require assistance with the matters discussed in this article.

Emily Digby (Trainee Solicitor, United Kingdom, White & Case) co-authored this publication.

[1] Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive).
[2] Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union.

White & Case means the international legal practice comprising White & Case LLP, a New York State registered limited liability partnership, White & Case LLP, a limited liability partnership incorporated under English law and all other affiliated partnerships, companies and entities.

This article is prepared for the general information of interested persons. It is not, and does not attempt to be, comprehensive in nature. Due to the general nature of its content, it should not be regarded as legal advice.

© 2025 White & Case LLP
