Team Shieldworkz
Let's begin today's post with a reality check. The NIS2 Directive came into force in January 2023, with a transposition deadline of 17 October 2024. That deadline is now well past. And yet the landscape remains fractured. As of early 2026, only around 14 EU Member States have completed transposition. The European Commission has sent reasoned opinions to 19 Member States for failing to complete the process, warning that cases could be referred to the Court of Justice. Germany — home to an estimated 30,000 affected companies — only enacted its national law in December 2025. France, Ireland, and Spain are still working through their legislative processes.
For the organisations caught in the middle, this creates a uniquely uncomfortable situation: you are legally obligated under a directive whose national implementing rules may not yet be fully in force in your jurisdiction, while regulators in other Member States where you operate are already auditing. Welcome to NIS2.
14 Member States with completed transposition as of early 2026
19 States that received Commission reasoned opinions for non-transposition
~75% of surveyed organisations lacked a dedicated NIS2 implementation budget (ECSO, 2025)
"Compliance isn't a project with a finish line. It's an operational posture that your board has to own. That shift in mindset is the hardest implementation challenge of all."
The transposition maze
Here is the core structural problem that most guides understate: NIS2 is a directive, not a regulation. Every Member State transposes it into national law with their own interpretations, extensions, and deviations. This is not a theoretical concern — it is already causing real operational pain for any organisation with presence in more than one EU country.
Belgium has introduced a mandatory coordinated vulnerability disclosure policy. Italy has extended the list of regulated sectors beyond NIS2's Annexes to include legal services for large retailers and cultural sector entities. Greece requires structured risk-based assessments with mandatory annual reviews and compliance declarations. Hungary operates a dual legal framework requiring organisations to engage certified external auditors within 120 days of registration.
For a mid-sized logistics company operating across six Member States, this means six potentially distinct compliance frameworks sitting on top of the common NIS2 baseline. Telecommunications companies, cloud providers, and managed service providers face even more complexity: depending on their service type, they may be subject to the law of their "main establishment" or, conversely, the laws of every Member State where they provide services.
What to do about it?
Practitioner Actions
Build a jurisdiction matrix. Map every country where you have operations, data processing, or service delivery against that country's transposition status and any deviations from the baseline directive. Update this quarterly — it is genuinely changing.
Do not treat the NIS2 baseline as your ceiling. Several Member States have already exceeded it. Calibrate to the most stringent jurisdiction in which you operate as your default standard.
Identify your "main establishment" jurisdiction early. Cloud providers and data centre operators face different jurisdictional assignment rules than other entity types — get legal clarity on this before regulators assign it for you.
Track the EU Digital Omnibus proposal carefully. In January 2026, the European Commission proposed targeted NIS2 amendments to increase legal clarity and simplify compliance for around 28,700 companies, including smaller entities. These are not yet in force but will reshape obligations when they are.
Understanding the scope
NIS2 dramatically expanded scope compared to its predecessor. It now covers 18 critical sectors, including — newly — postal and courier services, food production, chemicals, waste management, and manufacturing of medical devices, electronics, and machinery. The "size-cap rule" means all medium and large enterprises operating in these sectors are in scope automatically, without needing to be formally designated.
The problem is that "medium" has a specific EU definition (50+ employees, or €10M+ turnover), and in practice many organisations genuinely do not know whether they qualify. I regularly encounter companies that assumed they were out of scope because they considered themselves "small" by industry norms, only to discover they crossed the threshold years ago. Others are in scope because a subsidiary or business unit crosses the threshold even if the parent does not.
Then there is the supply chain cascade. Even if your organisation does not directly meet the criteria, if you are a direct supplier to an entity that is in scope, expect to face contractual requirements flowing down to you. NIS2 explicitly requires in-scope entities to address supply chain security — and the only practical way to do that is to push requirements into contracts with suppliers.
What to do about it?
Practitioner Actions
Conduct a formal scoping exercise using the actual sector definitions in NIS2 Annexes I and II, not a cursory self-assessment. Include all subsidiaries, joint ventures, and entities where you have significant operational control.
Check your national competent authority's (NCA) registration portal. Several Member States — Italy, Hungary, and Greece among them — have already begun registration processes and expect entities to self-register. Germany's BSI portal activated for registration at the start of 2026.
If you are a supplier to regulated entities, conduct a proactive contractual audit. NIS2-driven security clauses are appearing in procurement and outsourcing contracts across the EU. Getting ahead of these discussions — rather than having requirements dictated to you — preserves commercial leverage.
The incident reporting clock is unforgiving
Of all NIS2's operational requirements, the tiered incident reporting timeline is the one that causes the most anxiety in organisations that have genuinely thought it through — and the most complacency in those that have not.
The structure is: a 24-hour early warning for significant incidents, a 72-hour detailed notification including an initial assessment of severity and impact, and a final report within one month. That 24-hour window is extraordinarily tight. It assumes you can detect a significant incident, classify it correctly, reach the responsible executive, and submit a structured notification to your national CSIRT — all within a working day, which may well begin at 2am on a Sunday.
In reality, most organisations cannot reliably do any of these things at speed. Incident detection is often measured in weeks, not hours. Classification of "significance" — whether an incident has caused or is capable of causing severe disruption, financial loss, or harm to other parties — requires judgement calls that legal and technical teams will disagree on under pressure. And the notification process itself requires knowing which authority to notify, in which jurisdiction, in what format.
ENISA's June 2025 guidance document — stretching to nearly 200 pages — provides helpful but demanding technical standards for incident response. The expectation is clear: regulators want substantive, evidence-based reporting, not boilerplate notifications.
What to do about it?
Practitioner Actions
Run a tabletop exercise specifically calibrated to the 24-hour notification timeline. You need to know, today, who makes the call that an incident is "significant," who has delegated authority if that person is unavailable, and how the notification reaches the right authority. This cannot be figured out during an incident.
Pre-draft your notification templates. Populating a structured incident notification form under pressure, in a potentially unfamiliar national language, with incomplete information, is genuinely difficult. Having templates pre-approved by legal and communications reduces this to a gap-fill exercise.
Invest in detection before reporting. You cannot report what you have not detected. SIEM tuning, endpoint detection coverage, and OT/IT network visibility are upstream prerequisites to meeting the reporting timeline.
Monitor the EU Digital Omnibus proposals: the Commission has signalled the introduction of a single streamlined incident notification portal that will consolidate NIS2, GDPR, the Cyber Resilience Act, and DORA reporting. Designing your processes around multi-portal submission now is building technical debt.
"A 24-hour early warning window assumes you have already solved detection, classification, escalation, and authority routing. Most organisations have not solved any of these things at speed."
Board accountability is real
NIS2 introduced something genuinely new in EU cybersecurity law: direct personal liability for senior management. Management bodies must approve and oversee cybersecurity risk management measures. They must undergo cybersecurity training. And critically, in cases of serious non-compliance, individual executives can face fines, legal action, or temporary bans from management roles.
This is not a theoretical sanction inserted to look tough. The legislative intent is precisely to end the pattern of boards approving cybersecurity budgets on the basis of reassuring slide decks without substantively understanding or overseeing the underlying programme. The NIS2 Implementing Regulation and ENISA guidance are explicit: cybersecurity risk management is a board-level governance matter.
The practical challenge is that most boards are not equipped for this. A survey of 155 organisations across 23 countries published by ECSO in early 2025 found that one-third of organisations reported no management involvement in NIS2 implementation despite the personal liability provisions. The gap between the directive's intent and organisational reality is substantial.
The enforcement asymmetry to understand: essential entities face fines of up to €10 million or 2% of global annual turnover (whichever is higher). Important entities face fines up to €7 million or 1.4% of global turnover. These are not symbolic numbers — they are calibrated to GDPR-level consequences.
What to do about it?
Practitioner Actions
Get a board resolution on NIS2. This should formally acknowledge the entity's in-scope status, approve the cybersecurity risk management framework, and assign oversight responsibilities. It creates accountability, evidences governance, and changes the conversation from IT project to board matter.
Deliver structured board training — not a vendor pitch, but a 90-minute facilitated session on what NIS2 requires of management, what "appropriate and proportionate" risk management means in your sector, and what personal liability actually entails. Use the ENISA cybersecurity roles and skills guidance published in June 2025 as a reference framework for the skills required at different levels.
Establish a governance cadence. Quarterly board-level reporting on cybersecurity posture, incident status, and compliance programme progress is not optional under NIS2 — it is the mechanism by which management exercises its oversight obligation.
Supply chain security: The hardest operational bit
NIS2 Article 21 requires entities to address "supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers." That sentence — deceptively brief in the directive's text — translates into one of the most operationally demanding programmes most organisations will undertake.
The practical interpretation, reinforced by the ENISA guidance and the NIS2 Implementing Regulation, requires entities to: maintain a supply chain security policy setting minimum requirements for all suppliers; conduct risk assessments of suppliers that could impact their network and information systems; embed cybersecurity obligations into supplier contracts including incident reporting requirements, audit rights, and breach accountability; and monitor supplier compliance on an ongoing basis.
For a large energy company or hospital network, this may mean hundreds or thousands of suppliers spanning cloud platforms, SCADA system vendors, managed service providers, and facility maintenance contractors. As Deloitte's NIS2 supply chain analysis noted, upgrading supplier contracts to embed these requirements is one of the most underestimated aspects of compliance — it requires security, legal, and procurement teams to work in sustained coordination, renegotiating terms with suppliers who may have limited interest in compliance uplift.
The supply chain obligations also create a practical tension: NIS2 technically scopes supply chain requirements to suppliers whose compromise could affect the entity's network and information systems. Suppliers providing physical materials or infrastructure that support critical services may be technically outside this definition. But given that a compromised physical supplier can absolutely disrupt critical services, treating this as a compliance escape route is operationally reckless.
What to do about it?
Practitioner Actions
Build a tiered supplier taxonomy. Not all suppliers present equal risk. Tier 1 (direct access to your NIS systems), Tier 2 (significant operational dependency), and Tier 3 (general commercial suppliers) require materially different treatment. Concentrating your assessment effort on Tier 1 suppliers first is the only scalable approach.
Develop a standard supplier security questionnaire aligned to the NIS2 Implementing Regulation's risk management requirements. Use this as the baseline for all new procurement and for renegotiating existing contracts. Accept that high-risk suppliers will push back — and plan for the commercial negotiation this entails.
Include incident notification obligations in supplier contracts explicitly: require suppliers to notify you within the same timeline as NIS2 requires you to notify your national authority. This is not the industry norm — yet. But it is the only way to meet your own 24-hour early warning obligation when the incident originates in your supply chain.
Scrutinise your cloud, SaaS, and managed service provider relationships carefully. These are almost certainly your highest-risk Tier 1 suppliers, and many have NIS2 obligations of their own. Use their compliance posture as a criterion in procurement decisions.
The budget and skill gap is structural
Nearly three-quarters of organisations surveyed by ECSO in early 2025 lacked a dedicated NIS2 implementation budget. This is not just a readiness problem — it is an indication of how many organisations have not yet made the foundational decision to treat NIS2 compliance as a programme requiring resource commitment, rather than a project to be handled alongside existing workloads.
Information security now represents 9% of EU IT investments — a meaningful increase from prior years, according to ENISA's investment tracking data. But the new sectors brought into NIS2 scope — food production, chemicals, postal services, manufacturing — are typically starting from low cybersecurity maturity baselines. For these organisations, meeting "appropriate and proportionate" standards is not an incremental improvement; it is a step-change in organisational capability that requires sustained investment over multiple years.
ENISA's June 2025 cybersecurity roles and skills guidance explicitly acknowledged this, mapping the internal expertise required for NIS2 compliance and emphasising that it demands cross-functional teams spanning IT, cybersecurity, legal, risk, and operations. For most newly-in-scope entities, this cross-functional capability simply does not exist in its current form.
A realistic NIS2 compliance programme — including asset inventory, gap assessment, policy development, technical controls uplift, supply chain review, incident response capability building, and board training — takes a minimum of 12 months even in well-resourced organisations. For under-resourced ones, it takes longer, and the quality of the output reflects the resource investment.
What to do about it?
Practitioner Actions
Commission a formal gap assessment as your first project deliverable, not a vendor-led maturity assessment. Understand precisely what you have, what you are missing, and what it will realistically cost to close the gaps. This is the basis for a credible budget request to the board.
Use risk-based prioritisation. ENISA guidance published in June 2025 runs to nearly 200 pages of security measures. No organisation implements everything at once. Prioritise the controls that address the greatest enforcement risk first: incident detection and response, access management including MFA on internet-facing systems, and supply chain security. Document your prioritisation rationale — it is your defence if a regulator asks why you started where you did.
Consider managed services for targeted capability gaps, but maintain internal ownership of the programme. Outsourcing incident response capability or security operations is pragmatic. Outsourcing accountability for NIS2 compliance is not — management liability is non-delegable.
Leverage existing frameworks. If you are already certified against ISO 27001 or are aligned to NIST CSF, you have a significant head start. ENISA has committed to aligning its guidance with international standards, and many of the technical controls overlap. Map your existing controls before building new ones.
The next steps
NIS2 implementation in 2026 is simultaneously more urgent and more complex than most organisations anticipated. It is urgent because regulators in transposed jurisdictions are beginning audit activity — Greece has announced audits from Q4 2025, and enforcement postures in Belgium, Italy, and the Baltic states are hardening. It is complex because the fragmented transposition landscape means your obligations in Brussels differ from your obligations in Berlin or Dublin.
The one thing I have seen consistently separate organisations that are handling this well from those that are not: the ones doing well started early, got board buy-in before it was convenient, and treated NIS2 as an operational transformation rather than a compliance checkbox exercise. They are using the directive as an opportunity to fix things that were already broken — detection gaps, shadow IT sprawl, supplier relationships with no security clauses, incident response plans that had never been tested.
The organisations struggling are the ones that are waiting for their national law to be finalised, or waiting for the regulator to publish more detailed guidance, or waiting for a vendor solution that will handle everything. The waiting strategy does not work here. The baseline obligations are clear. The enforcement trajectory is clear. The personal liability provisions are clear.
My practical advice: start with a scoping confirmation, get a board resolution, run a focused gap assessment against the NIS2 Implementing Regulation's technical requirements, and build your incident response capability in parallel. Do not try to eat the entire directive at once. Prioritise the areas of greatest enforcement risk, document your reasoning, and demonstrate continuous progress. That combination — structured programme, evidence-based prioritisation, board-level accountability — is what regulators are looking for, and it is also what genuinely makes your organisation more resilient.
NIS2 is not finished being written. With the Digital Omnibus amendments proposed in January 2026 and Member States continuing to diverge in their national implementations, the landscape will evolve. Build your programme to be durable, not just compliant with the current text. The organisations that do this well will find that the investment pays dividends far beyond regulatory compliance.
Additional resources
NIS2 Master checklist for OT operators
NIS2 compliance blueprint
Get NIS2 compliant in under 5 weeks
NIS2 compliance framework: A practical guide for OT / ICS / IIoT owners and operators