Six months have passed since the October 17, 2024 deadline for EU Member States to transpose the NIS2 Directive into national law. The scorecard is not encouraging. Of twenty-seven Member States, fewer than a third met the deadline. The majority — including several of the EU's largest economies — are still working through legislative processes, leaving entities in a regulatory no-man's land where European obligations exist but national enforcement mechanisms do not.
This does not mean compliance is optional. It means compliance is harder to scope precisely, and the temptation to wait for clarity is stronger than ever. That temptation is a strategic error.
The Transposition Scorecard
The NIS2 Directive (Directive 2022/2555) required all Member States to adopt and publish national measures necessary to comply with the Directive by October 17, 2024. As of September 2025, the landscape divides into three tiers.
States that transposed on or near the deadline. Belgium stands out as the early mover, having adopted its NIS2 transposition law in April 2024 — six months before the deadline. Croatia and Hungary also completed transposition before October 2024. Italy adopted its legislative decree (D.Lgs. 138/2024) in October 2024. Lithuania was similarly on schedule. These states did not have simpler regulatory environments or fewer stakeholders. They started earlier and allocated dedicated legislative resources to the task.
States with legislation in advanced stages but not yet adopted. Several Member States — including the Czech Republic, Latvia, and Poland — had draft legislation in parliamentary process by the October 2024 deadline but had not completed adoption. By September 2025, most of these have either completed or are in the final stages of adoption. The delay is measured in months, not years, and the legislative text is largely known even if not yet in force.
States with significant delays. Germany, France, Spain, the Netherlands, and several others are in this category. Germany's NIS2 transposition (the NIS2UmsuCG) stalled in 2024 amid political upheaval and a change of government. France's transposition has been complicated by the interplay between ANSSI's role and broader inter-ministerial coordination. Spain has been working through its legislative process but without the urgency that the deadline might have warranted. In these jurisdictions, entities face genuine uncertainty about the precise scope of their national obligations, reporting timelines, and supervisory structures.
The Commission published its own assessment in early 2025, and the picture was stark: the majority of Member States had failed to notify complete transposition measures by the deadline.
Why So Many States Are Late
The pattern of late transposition is not unique to NIS2. The original NIS Directive (NIS1) in 2016 saw similar delays, with some Member States transposing more than a year late. But NIS2 is a substantially more complex instrument, and the reasons for delay reflect that complexity.
Scope expansion requires inter-ministerial coordination. NIS2 dramatically expanded the range of in-scope sectors and entities compared to NIS1. Annex I and Annex II together cover eighteen sectors. Each sector typically has its own ministry, its own existing regulatory framework, and its own views on how cybersecurity supervision should work. Transposing NIS2 is not a single ministry's job — it requires agreement across government on which authorities will supervise which sectors, how existing sectoral regulations interact with the new cybersecurity requirements, and how to resource the supervisory function.
Political transitions disrupted timelines. Germany is the clearest example. The NIS2UmsuCG was in advanced preparation under the previous government coalition, but the coalition's collapse in late 2024 and subsequent elections reset the legislative calendar. Similar dynamics, though less dramatic, affected other Member States where elections or government reshuffles consumed legislative bandwidth during the critical 2024 transposition period.
Granularity of national implementation choices. NIS2 is a directive, not a regulation. Member States have discretion on numerous implementation details: the precise entity identification mechanisms, the designation of competent authorities, the specific supervisory and enforcement powers, penalty levels within the Directive's ranges, and sector-specific implementation guidance. Each of these choices requires policy decisions, stakeholder consultation, and legal drafting. The flexibility that the directive model provides comes at the cost of transposition speed.
Capacity constraints in national cybersecurity authorities. Several Member States' competent authorities have flagged that they lack the resources to implement the supervisory regime that NIS2 contemplates. Supervising thousands of newly in-scope entities — rather than the hundreds under NIS1 — requires recruitment, training, and tooling that some authorities are still building. Legislative delay, in some cases, reflects a realistic assessment that passing the law without the supervisory capacity to enforce it would create a different kind of problem.
The Commission's Response: Infringement Proceedings
The European Commission has not treated late transposition as a minor administrative matter. In late November 2024, the Commission initiated infringement proceedings by sending letters of formal notice to twenty-three Member States that had not notified complete transposition measures. This is the first step in the EU's infringement procedure under Article 258 TFEU.
For Member States that did not remedy the situation within the two-month response period, the Commission escalated to reasoned opinions — the second step in the procedure — in early 2025. If a Member State still fails to transpose, the Commission can refer the matter to the Court of Justice of the European Union, which can impose financial penalties.
The Commission's willingness to act swiftly signals that NIS2 is a political priority. The Directive was adopted in the context of rising cyber threats to EU critical infrastructure, and the Commission is not prepared to accept indefinite delays in establishing the protective framework.
For entities monitoring this process, the practical implication is clear: transposition is coming. The question is not whether national law will arrive, but when. Planning on the assumption that transposition will simply not happen is not a defensible strategy.
What Late Transposition Means for Entities
The obligation-enforcement gap created by late transposition is the source of the most common question we hear from compliance officers: "If our Member State hasn't transposed NIS2, are we obligated to comply?"
The answer is legally nuanced but practically straightforward.
The legal position. EU directives do not, in general, create direct obligations for private entities until transposed into national law. This is the principle of no direct horizontal effect. An entity cannot be sanctioned under national NIS2 implementing legislation that does not yet exist. In this narrow sense, entities in late-transposing states do not yet face enforcement.
However, there are caveats. The NIS2 Directive includes provisions that build on or replace NIS1. Where NIS1 was transposed — which it was, in all Member States — the existing national NIS1 legislation remains in force until replaced by NIS2 transposition. Entities that were in scope under NIS1 remain subject to NIS1 obligations. Additionally, some Member States have taken the position that certain NIS2 obligations apply by virtue of the Directive's direct effect in relation to state entities, even absent transposition.
The practical position. Legal obligation aside, the risk calculus strongly favours early compliance preparation. There are three reasons.
First, when transposition occurs, it will apply immediately or with very short transition periods. Member States that are transposing late are not, in most cases, granting entities additional grace periods. If you wait for the national law to learn what you need to do, you will start implementation under time pressure that entities in early-transposing states avoided.
Second, the NIS2 requirements are known. The Directive text is final. ENISA's implementation guidance is published. The substantive measures — risk management, incident handling, supply chain security, business continuity, access control — are defined at the EU level. National transposition may add specificity, but it will not change the fundamental requirements. An entity that implements against the Directive text will need minimal adjustment when national law arrives.
Third, supervisory authorities in several late-transposing states have publicly stated that they expect entities to be preparing. Germany's BSI, France's ANSSI, and Spain's CCN-CERT have all published guidance aimed at entities preparing for NIS2, even while the national legislation is pending. The implicit message is unmistakable: we know the law is late, and we know you know the requirements. Demonstrate that you are acting.
Cross-Border Entities: Which National Law Applies?
For entities operating across multiple Member States, the uneven transposition landscape creates a specific challenge: which national law applies to your entity?
NIS2 Article 26 establishes the general principle. An entity is subject to the jurisdiction of the Member State in which it is established. For entities established in multiple Member States, the Directive provides specific rules:
- DNS service providers, TLD name registries, domain name registration services, cloud computing services, data centre services, content delivery networks, managed security services, online marketplaces, online search engines, and social networking platforms fall under the jurisdiction of the Member State of their main establishment (as determined by the location of their head office or the establishment where decisions on cybersecurity risk management measures are taken).
- All other entities fall under the jurisdiction of each Member State where they provide their services. An energy company operating in Germany, France, and Italy may be subject to the NIS2 legislation of all three states.
For cross-border entities, this creates practical complexity. If your primary establishment is in Belgium (transposed), but you also operate in Germany (not yet transposed) and Spain (not yet transposed), your Belgian operations are subject to the Belgian NIS2 law now, while your German and Spanish operations are in the obligation gap. This asymmetry requires differentiated compliance tracking — the same entity may face different enforcement timelines in different jurisdictions.
The pragmatic approach is to implement a single compliance programme based on the Directive's requirements, and layer jurisdiction-specific variations as national laws are adopted. Building parallel compliance programmes for each jurisdiction is neither efficient nor necessary given that the core requirements are harmonised at the EU level.
Why Compliance Preparation Cannot Wait for Transposition
Beyond the legal and practical arguments, there is a competitive dimension that receives too little attention.
Entities that delay compliance preparation will face a compressed implementation timeline when their national law finally arrives. That compression has costs: rushed procurement decisions, expensive expedited consulting engagements, controls implemented without adequate testing, and management body training conducted as a box-ticking exercise rather than genuine capability building.
Entities that begin now — even in jurisdictions that have not transposed — can approach implementation methodically. They can conduct gap assessments without time pressure. They can pilot controls, test incident reporting workflows, and build supply chain security programmes iteratively. They can train their management body (as required by NIS2 Article 20) before the regulatory pressure turns training into a compliance checkbox.
The investment in early preparation does not just reduce regulatory risk. It improves the organisation's security posture. The NIS2 measures — risk analysis, incident handling, supply chain security, business continuity, access control — are not arbitrary regulatory requirements. They are the baseline security practices that reduce the likelihood and impact of cyber incidents. An entity that implements them benefits immediately, regardless of whether national enforcement has begun.
The CISO's role in this context is to reframe the conversation internally. The question is not "are we legally required to comply today?" The question is "are we prepared for the regulatory environment that will exist within twelve months?" If the answer is no, starting now is not premature. It is overdue.
Key Takeaways
- As of September 2025, fewer than a third of EU Member States have fully transposed NIS2 into national law. Belgium, Croatia, Hungary, Italy, and Lithuania were among the first movers. Germany, France, Spain, and the Netherlands are among those with significant delays.
- Late transposition reflects genuine complexity — scope expansion, inter-ministerial coordination, political transitions, and supervisory capacity constraints — not a lack of commitment to the Directive's objectives.
- The European Commission has initiated infringement proceedings against twenty-three Member States, signalling that extended delay will not be tolerated.
- Late transposition creates an obligation-enforcement gap, but it does not create a compliance holiday. The Directive's requirements are known, supervisory authorities expect preparation, and implementation timelines upon transposition will be short.
- Cross-border entities face asymmetric enforcement timelines across jurisdictions. A single compliance programme based on the Directive text, with jurisdiction-specific layers, is the efficient approach.
- Early preparation reduces cost, improves implementation quality, and delivers security value independent of enforcement timing.
