The European Commission (EC) has initiated infringement proceedings against 23 member states for missing the deadline to transpose the NIS2 Directive into national law. The regulation, which came into force on 17 October, was written to strengthen the resilience of cybersecurity infrastructure across the EU against attempted breaches. Implementation of the directive, however, has been patchy, with the EC now sending formal notices to enforce NIS2 to member states including Bulgaria, Germany, France and Sweden
The NIS2 Directive, adopted in December 2022, builds on the original EU cybersecurity framework established by Directive (EU) 2016/1148 and broadens the scope of cybersecurity requirements to cover sectors critical to daily life and economic stability. The directive applies to industries such as energy, health, transport, banking, wastewater, public administration, and digital infrastructure. It also targets digital services, public electronic communications, trust services, and even space-related operations. The aim is to ensure that essential and important entities adopt strong cybersecurity measures.
Key requirements for compliance
According to NIS2, member states must identify these organisations by April 2025. Candidates include large organisations in sectors such as energy, healthcare, and transport as well as medium-sized companies in industries like digital services and food production.
Regardless of classification, organisations must manage cybersecurity risks through technical, operational, and organisational measures. These include business continuity plans, incident handling protocols, supply chain security, and cryptography. Significant cybersecurity incidents must be reported to relevant authorities or Computer Security Incident Response Teams (CSIRTs) within 24 hours.
To improve coordination, the directive requires EU member states to establish national authorities, single points of contact, and CSIRTs. A new European Cyber Crises Liaison Organisation Network (EU-CyCLONe) has also been established to manage large-scale cybersecurity incidents across borders.
These measures aim to standardise responses to cyber threats and strengthen the EU’s overall digital resilience. The Commission has stressed that full implementation is critical to reducing fragmentation and achieving a high level of security across the bloc.
Next steps in the process
The 23 member states targeted in the infringement process have until mid-January 2025 to provide updates or demonstrate compliance. If responses are unsatisfactory, the Commission may issue reasoned opinions, escalating the matter before potentially referring it to the European Court of Justice.
The NIS2 Directive is part of the EU’s broader effort to safeguard its digital economy and critical services against cyber threats. As threats grow more sophisticated, the directive represents an essential tool for building cybersecurity resilience across public and private sectors.
Other initiatives supporting EU cybersecurity
Complementing the NIS2 Directive, the Cyber Resilience Act proposes setting cybersecurity standards for products with digital elements, such as software and connected devices. The regulation requires manufacturers to conduct risk assessments before placing products on the market and to notify the European Union Agency for Cybersecurity (ENISA) of security incidents within 24 hours. Non-compliance may result in financial penalties, underlining the EU’s intention to ensure accountability.
Similarly, the Digital Operational Resilience Act (DORA) focuses on safeguarding the financial sector from ICT-related risks. Enforceable from 17 January 2025, DORA obligates financial institutions to establish robust systems to manage and recover from cyber disruptions. This regulation applies uniformly across member states to ensure consistency and protect the financial sector from evolving threats.