27 October 2025

Navigating NIS2: What Organisations Need To Know As EU Implementation Unfolds

Goodwin Procter LLP
As EU Member States implement NIS2 with varying requirements and timelines, organisations operating across borders must understand their obligations and take proactive steps to stay compliant.

Following Goodwin's November 2024 analysis of the EU's updated Network and Information Systems Directive (NIS2 or the Directive), which entered into force on 18 October 2024, this update provides a snapshot of where EU Member States stand on implementation one year later. NIS2 aims to enhance the cybersecurity compliance of critical public and private sector organisations across the European Union.

EU Member States were required to transpose NIS2 into national law by 17 October 2024, updating their existing cybersecurity frameworks accordingly. So far, only 14 EU Member States have completed this process, leaving key jurisdictions — including Germany, France, Ireland, and Spain — still pending. On 7 May 2025, the European Commission issued reasoned opinions to 19 EU Member States for failing to notify full transposition, warning that unresolved cases could be referred to the Court of Justice of the European Union (CJEU). Some governments have since responded, and to date, no CJEU referrals have been made.

Although NIS2 establishes a common baseline for cybersecurity regulation across the EU, national implementation demonstrates that several EU Member States are adding their own — and, in some cases, stricter — requirements. These national variations are creating additional compliance challenges for organisations that operate across multiple EU jurisdictions.

Current Status of NIS2 Implementation Across the EU

Implementation of NIS2 has varied across EU Member States. While most have closely followed the Directive's framework, some have introduced additional obligations, such as expanding the range of covered sectors or imposing stricter governance requirements. Although these differences remain limited for now, organisations will need to track and address jurisdiction-specific rules alongside NIS2's core obligations, particularly if they operate in multiple EU Member States. Key trends observed from national implementations include:

  • Expanded sectoral scope: Italy and Slovenia have extended the list of regulated sectors beyond those set out in annexes I and II, capturing additional categories of entities.
  • Stricter governance and oversight requirements: Belgium has introduced enhanced obligations regarding internal governance and board-level cybersecurity oversight.
  • Emerging national certification or audit regimes: Germany's draft law proposes mandatory certification requirements for certain essential entities. Other jurisdictions are exploring additional supervisory mechanisms.
  • Registration procedures: Requirements and timelines for registering with competent authorities vary between EU Member States. Some have introduced online portals and staggered deadlines, which will require local monitoring.
  • Designation of regulated entities: NIS2 required EU Member States to identify and designate essential and important entities by 17 April 2025. While some countries — such as Italy and Hungary — have already begun this process, many others have yet to issue formal designations or publish their national registers.

The European Commission maintains a public NIS2 transposition tracker that reflects the current status of implementation as reported by EU Member States.

NIS2 Refresher: Scope and Compliance Obligations

NIS2 applies to a wide range of public and private sector organisations that meet certain thresholds or operate in critical sectors.

Scope of Application

NIS2 divides regulated entities into two categories: essential entities and important entities. An organisation will fall within scope if it meets the following conditions:

  • It operates in a sector listed in Annex I (Sectors of High Criticality) or Annex II (Other Critical Sectors) of the Directive, as designated by the relevant national authority.
  • It qualifies as a medium-sized or larger enterprise (i.e., 50 or more employees and an annual turnover or balance sheet total exceeding €10 million).
  • It provides services or carries out activities in the EU.

However, there are some exceptions to the general scope. For example, certain types of organisations are in scope regardless of their size, such as trust service providers, top-level domain name registries, domain name system (DNS) service providers, public electronic communications networks, specific public administration bodies, and entities whose disruption could significantly affect public safety, security, or health. Additional exceptions and designations are outlined in articles 2 and 3 of the Directive.

Core Compliance Obligations

NIS2 in-scope organisations are required to comply with a set of baseline obligations designed to reduce cybersecurity risk and strengthen operational resilience. These obligations include:

  1. Registration: NIS2 does not require all entities to register. However, certain digital and online service providers — including DNS and domain name services, cloud and data centre service providers, content delivery networks, managed service and security service providers, and major online platforms — must register in a central EU database maintained by the European Union Agency for Cybersecurity (ENISA). These entities must submit detailed information to their national competent authorities, which then forward it to ENISA.
  2. EU representative appointment: An organisation that is not established in the EU but offers services there and falls within the scope of NIS2 must appoint a representative in a Member State where it provides services. This representative acts as the official point of contact for competent authorities and must be authorised to receive communications and enforcement notices on behalf of the organisation. The appointment of a representative does not limit the regulators from taking direct enforcement action against the non-EU entity.
  3. Risk management measures: Organisations must implement appropriate and proportionate technical, operational, and organisational measures to manage cybersecurity risks. These include safeguards such as network security controls, vulnerability handling, cryptographic protections, and business continuity planning. Some EU Member States have supplemented these measures with national guidance or expanded requirements.
  4. Incident reporting: NIS2 introduces a harmonised, staged reporting regime. Organisations must submit an early warning within 24 hours of becoming aware of a significant incident, a follow-up report within 72 hours, and a final report within one month. The Directive also permits authorities to require notification to the public when justified. Additionally, the Directive has clarified the definition of "significant incident" to help reduce unnecessary reporting.
  5. Governance and training: Senior management is responsible for approving and overseeing cybersecurity measures and may be held personally liable for noncompliance. NIS2 requires regular training for the management body to ensure awareness of cybersecurity risks and responsibilities. Broader staff training, while not mandatory, aligns with general obligations to manage risk effectively.
  6. Supply chain and third-party risk management: Organisations must assess and manage risks posed by third-party providers. This includes due diligence, contractual terms governing breach reporting and escalation, and ongoing monitoring. Small providers may be indirectly affected by the supply chain obligations of their in-scope customers.
  7. Audits and supervision: Essential entities are subject to regular audits and potential spot checks. Important entities may be audited when there is evidence of noncompliance or risk.

Enforcement Outlook

An in-scope organisation is generally regulated by the Member State where it is established. However, for certain services such as telecoms, online platforms, and digital infrastructure, jurisdiction is based on where services are provided or where cybersecurity operations are managed. This distinction determines which national authority is responsible for supervision and enforcement.

So far, no enforcement actions have been publicly reported under NIS2. Many EU Member States are still in the process of finalising their supervisory frameworks, registration systems, and designations of regulated entities. Enforcement activity is expected to increase once national regimes are fully established and transposition is complete.

NIS2 carries significant financial penalties for non-compliance. Essential entities face potential fines of up to €10 million or 2% of global annual turnover, while important entities may be fined up to €7 million or 1.4% of turnover. EU Member States also have the flexibility to introduce additional national penalties, meaning enforcement consequences could vary across jurisdictions.

Practical Tips for NIS2 Readiness

As NIS2 continues to take effect across EU Member States, organisations should take proactive steps to ensure compliance and strengthen their cybersecurity postures.

Here are some practical tips to help guide your organisation's readiness efforts:

  1. Confirm where your organisation operates. Identify all the EU Member States where your organisation is established or provides services. NIS2 obligations may differ depending on where your operations are based, so mapping your organisation's footprint is essential.
  2. Check whether NIS2 applies to your organisation. Assess whether your organisation falls within the NIS2 scope in each relevant country. While the Directive sets baseline criteria, local implementing laws may vary, so it is important to check how your organisation's sector and size are defined under the applicable national rules.
  3. Register with the appropriate authorities. Some organisations must submit registration information to national authorities. Check whether this applies to your organisation and track Member State–specific procedures and registration deadlines. Early registration will help avoid potential last-minute compliance issues.
  4. Map jurisdictional differences. Compare how each country is implementing NIS2, paying particular attention to variations in reporting obligations, security measures, and enforcement. Align your organisation's internal policies to ensure a consistent approach that remains compliant with local regulations.
  5. Review your organisation's current cybersecurity setup. Evaluate existing technical and organisational measures. Conduct targeted risk assessments to identify gaps in system security, response capabilities, and internal governance.
  6. Consider relevant certifications. Internationally recognised security certifications (e.g., certification against International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC) standards) can help demonstrate compliance and strengthen your organisation's overall security posture. Consider whether certification is appropriate for your organisation based on its sector, size, and risk profile.
  7. Evaluate your organisation's supply chain. Review your key third-party service providers to ensure their security practices meet expectations and do not introduce vulnerabilities in your organisation's network. Implement pre-contractual due diligence processes and include contractual terms for incident notification, risk sharing, and compliance. Additionally, establish ongoing monitoring to maintain oversight.
  8. Refine your organisation's incident response plan. Develop clear procedures for detecting, escalating, and reporting significant incidents within the required 24-hour, 72-hour, and one-month time frames. Test these plans through regular simulations and tabletop exercises to ensure your teams are prepared.
  9. Strengthen business continuity and recovery plans. Ensure robust continuity measures are in place, including data backups, disaster recovery, and crisis management processes. Then test and update them regularly.
  10. Build governance and awareness. Develop a consistent governance approach for your management body across jurisdictions. Provide targeted training for leadership and staff to raise awareness of NIS2 obligations and their cybersecurity risk responsibilities.

We would like to thank Geng To Law for their assistance with this insight.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
