
NIS2
EU Directive 2022/2555 mandating cybersecurity obligations across essential and important entities in 18 sectors.
Last refreshed: 30 April 2026 · Appears in 1 active topic
With 19 member states still under infringement proceedings, when does NIS2 enforcement bite?
Timeline for NIS2
Mentioned in:
- Sovereignty package slips to 27 May (European Tech Sovereignty)
- ENISA scores NIS2 maturity with NCAF 2.0 (Cybersecurity: Threats and Defences)
- EU CRA guidance; German NIS2 missed (Cybersecurity: Threats and Defences)

- What is the NIS2 Directive and who does it apply to?
- NIS2 (Directive (EU) 2022/2555) is the EU's core cybersecurity law. It applies to essential entities (energy, transport, health, digital infrastructure, etc.) and important entities (manufacturing, postal, chemicals, food, etc.) above 50 employees or €10m turnover in the 27 EU member states. (Source: EUR-Lex)
- What are the NIS2 fines for non-compliance?
- Essential entities face fines of up to €10m or 2% of global annual turnover, whichever is higher. Important entities face up to €7m or 1.4% of global annual turnover. (Source: Directive (EU) 2022/2555, Article 34)
- Which EU countries have not yet implemented NIS2?
- As of April 2026, 19 member states remain under European Commission reasoned opinions for partial or no transposition. Only 14 of 27 had fully transposed by mid-2025; Germany, the Netherlands, and Croatia were among the early movers. (Source: ENISA)
- How does NIS2 affect company boards and executives?
- NIS2 introduces individual liability for senior management: boards must approve cybersecurity risk-management measures and can be held personally liable for violations. Executives may face temporary bans from management roles if an essential entity breaches its obligations. (Source: Directive (EU) 2022/2555, Article 20)
- How long do organisations have to report a cyber incident under NIS2?
- Organisations must send an early warning to their national competent authority within 24 hours of becoming aware of a significant incident, followed by a full notification within 72 hours, and a final report within one month. (Source: Directive (EU) 2022/2555, Article 23)
Background
The Network and Information Security Directive 2 (NIS2, Directive (EU) 2022/2555) entered into force on 16 January 2023, replacing the original NIS Directive (2016) with a substantially expanded scope. Member states faced a transposition deadline of 17 October 2024. The Directive covers essential entities (energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, ICT service management, public administration, and space) and important entities (postal services, waste management, chemicals, food, manufacturing, digital providers, and research), targeting organisations above 50 employees or €10m turnover in those sectors.
Key obligations include: 24-hour early warning and 72-hour full notification of significant incidents to the national competent authority; board-level accountability for cybersecurity risk management with individual liability for executives; supply-chain risk management requirements; minimum technical controls including MFA, encryption, and access management; and registration of domain-name registrars. Fine ceilings are €10m or 2% of global annual turnover (whichever is higher) for essential entities, and €7m or 1.4% for important entities — materially above NIS1 maxima.
By mid-2025, only 14 of 27 member states had fully transposed NIS2. The European Commission opened infringement proceedings against the remaining 13 in autumn 2025, escalating to reasoned opinions against 19 member states by April 2026. Germany, the Netherlands, Croatia, and Hungary transposed early or on time; France, Poland, and Spain were among the late cohort. The Directive's reach into supply chains, its board-accountability clause, and its fine ceiling at global revenue have made it the dominant compliance frame for European cybersecurity programmes.
NIS2's enforcement trajectory sharpened in April 2026 when ENISA released National Capabilities Assessment Framework 2.0 (NCAF 2.0) on 22 April — a structured maturity-scoring tool that lets member states benchmark their compliance position against NIS2 requirements. With 19 member states still under European Commission reasoned opinions for partial transposition, NCAF 2.0 signals a shift from political pressure to measurement and accountability. NCSC guidance on incident response and access management has been cited by regulators as the practical baseline that boards must now achieve. For CISOs operating in EU markets, NIS2 compliance is no longer a 2024 deadline story — it is an active enforcement and capability-benchmarking cycle.