Eight Countries Face EU Action Over NIS2 Deadline Failings

Aug. 11, 2025
Multiple European countries are facing the regulatory wrath of the European Commission for failing to transpose the NIS2 directive into domestic law.

Ireland, Spain, France, Bulgaria, Luxembourg, the Netherlands, Portugal and Sweden are the erring countries, according to the commission.

Whereas “regulations” like the GDPR become law automatically across the bloc, European directives require each member state to convert them into local laws. This not only takes extra time but can also mean that the application of directives ends up being slightly different in each member state.

The deadline for NIS2 transposition was October 17, 2024.

Back in May 2025, the European Commission officially contacted 19 member states about delays to the process. It warned that they had two months to “respond and take the necessary measures” or it “may” refer the cases to the Court of Justice of the European Union (CJEU).

It remains to be seen whether the eight holdouts will face further legal action.

Even countries that have signed the directive into law are finding compliance patchy at best. An Enisa report published in March pointed to six critical infrastructure sectors that are facing particularly acute challenges.

It highlighted IT service management, space, public administration, maritime, health and gas as being “within the NIS360 risk zone.”

On the other hand, the electricity, telecoms and banking sectors were lauded as the three most mature, having benefited from “significant regulatory oversight” as well as funding and investment, political focus and public-private partnerships.

Except for those with a presence in Europe, most British companies don’t need to follow NIS2. However, a Green Raven study from November 2024 revealed that a sizeable minority (22%) claimed not to know whether the new directive applies to their business. 

Worse, 10% of respondents who confirmed that NIS2 applies to their organization admitted that they weren’t compliant as of the October 17 deadline.

The UK’s own NIS2 variant, the Cyber Security and Resilience Bill, is expected to progress through parliament later this year.

DORA Also Causing Problems

It’s not just NIS2 that is causing compliance headaches for the European Commission. Some 96% of financial companies in the region admitted their current level of data resilience falls short of DORA compliance, according to a Veeam report published last month.

A fifth (20%) said they have yet to secure the necessary budget to meet DORA requirements.

For both DORA and NIS2, in-scope organizations face non-compliance fines of up to €10m ($7.4m) or 2% of worldwide revenue, whichever is higher.
