Where Things Actually Stand
The NIS2 Directive (Directive (EU) 2022/2555) required EU member states to transpose it into national law by 17 October 2024. With that deadline passed, the enterprise technology and security community is working through a mixed picture: some member states met it, others missed it and are still completing transposition on extended timelines, and enforcement activity across the EU remains uneven.
For CIOs, CISOs, and boards assessing their position, what is needed is clarity rather than the ambiguity the varied enforcement landscape produces. Enforcement being neither uniform nor immediate does not mean the risk has been deferred. It means exposure varies by jurisdiction, and organisations that have built genuine security programme improvement have a fundamentally different risk profile from those that have not, regardless of where enforcement activity is currently concentrated.
This is an honest assessment of what post-October 2024 looks like, what the typical compliance gaps are, and what the organisations that are genuinely better positioned actually did.
The Enforcement Reality
NIS2 enforcement is not a single EU-wide event. It is a set of national enforcement regimes that differ in their readiness, their approach, and their prioritisation. Member states that completed transposition on time have national authorities with enforcement powers in place. Member states that have not completed transposition are in a transitional position where some elements of enforcement may be applicable and others may not.
The practical implication for multinationals operating across member states is that compliance posture should be assessed jurisdiction by jurisdiction, not as a single EU-wide status. A group whose subsidiaries sit in member states that transposed on time faces a different immediate enforcement environment from one whose subsidiaries sit in member states where transposition is still in progress. Legal counsel with NIS2-specific expertise in each relevant jurisdiction is not optional for this analysis.
The sectors NIS2 lists in its two annexes are the primary focus of enforcement attention. Annex I (sectors of high criticality) covers energy, transport, banking, financial market infrastructures, health, drinking water, waste water, digital infrastructure, ICT service management (business-to-business), public administration, and space. Annex II (other critical sectors) covers postal and courier services, waste management, the manufacture, production and distribution of chemicals, the production, processing and distribution of food, manufacturing (including medical devices, computers and electronics, machinery and motor vehicles), digital providers (online marketplaces, online search engines, social networking platforms), and research. Whether an in-scope entity is essential or important depends mainly on size: large entities in Annex I sectors are essential, while medium-sized entities in Annex I sectors and entities in Annex II sectors are generally important, subject to specific exceptions (qualified trust service providers, TLD name registries and DNS service providers, for example, are essential regardless of size). If your organisation operates in these sectors, you are in the enforcement priority population.
The enforcement powers national authorities have under NIS2 are significant. Article 34 sets the maximum administrative fines. For essential entities: up to ten million euros or two percent of total worldwide annual turnover in the preceding financial year, whichever is higher. For important entities: up to seven million euros or 1.4 percent of total worldwide annual turnover, whichever is higher. Beyond fines, article 32 gives the competent authorities supervising essential entities the power, where an entity fails to comply with an enforcement order within the deadline set, to request that a court or other competent body temporarily prohibit any natural person discharging managerial responsibilities at chief executive officer or legal representative level from exercising managerial functions in that entity. Combined with article 20(1), under which member states must ensure that management bodies can be held liable for infringements, this personal liability dimension changes the risk calculation at board and executive level.
The Typical Compliance Gaps
Assessments of enterprise NIS2 compliance posture conducted in the second half of 2024 consistently reveal five categories of gap that are more common than organisations expected when they began their compliance programmes.
Supply chain security is the most widespread gap. Article 21(2)(d) requires covered entities to address supply chain security, and article 21(3) requires them to take into account the vulnerabilities specific to each direct supplier and service provider, together with the overall quality of those suppliers’ products and cybersecurity practices, including their secure development procedures. Assessing third-party security posture at this depth across the full supplier population is significantly more resource-intensive than most compliance programmes budgeted for, and remediation of the gaps identified depends on the security posture of suppliers the covered entity does not control.
Incident reporting process maturity is the second most common gap. Article 23 sets a three-stage cadence for significant incidents: an early warning to the CSIRT or competent authority within 24 hours of becoming aware of the incident, indicating whether malicious or unlawful action is suspected and whether cross-border impact is likely; an incident notification within 72 hours that updates the early warning with an initial assessment of severity and impact and any indicators of compromise; and a final report within one month of that notification, with an intermediate report on request in between. Many organisations have incident management processes that were not designed for this cadence and that lack the authority escalation and external communication workflows regulatory notification requires. The gap is typically not in detection capability but in the governance process for escalating a detected incident to the point where a regulatory notification decision is made, and made inside the first 24 hours.
Management body responsibility is the third gap, and the one with the most significant legal implications. Article 20 requires the management bodies of covered entities to approve the cybersecurity risk-management measures taken under article 21 and to oversee their implementation, and provides that they can be held liable for infringements. Management body members are required to follow training, and the entity is to encourage comparable training for its employees. In practice, many boards have delegated NIS2 compliance to the CISO function and have not engaged with their own obligations under article 20. That delegation does not satisfy the directive: the approval, oversight and liability sit with the management body and are not delegable.
Technical security measures implementation is the fourth gap. Article 21(2) lists the minimum measures: policies on risk analysis and information system security; incident handling; business continuity, including backup management and disaster recovery, and crisis management; supply chain security; security in the acquisition, development and maintenance of network and information systems, including vulnerability handling and disclosure; policies and procedures to assess the effectiveness of the measures; basic cyber hygiene practices and cybersecurity training; policies on the use of cryptography and, where appropriate, encryption; human resources security, access control policies and asset management; and the use of multi-factor or continuous authentication, secured voice, video and text communications, and secured emergency communication systems. In many organisations the completeness of these implementations is lower than compliance programme self-assessment scores suggest, because the self-assessments measure policy existence rather than implementation maturity.
Cross-border reporting complexity is the fifth gap, specific to multinationals. Jurisdiction under article 26 generally follows where each entity is established, so when an incident affects separately established entities in several member states, the reporting obligations can apply in several jurisdictions at once, each with its own authority contacts, forms and language, and with national law free to add requirements on top of the directive’s baseline timelines. Designing a cross-border incident response process that satisfies NIS2 across multiple jurisdictions is a non-trivial programme design challenge.
What the Organisations in Better Positions Actually Did
The organisations that emerged from the October 2024 transposition period with a defensible NIS2 compliance posture and a genuinely improved security programme did not do different things from those that did not. They did the same things with a different level of conviction and a different level of board ownership.
The defining characteristic of the better-positioned organisations is that the NIS2 programme was owned at board level with genuine engagement, not delegated to the CISO and occasionally briefed to the board. When the management body obligation in article 20 was understood and taken seriously from the programme’s inception, the governance infrastructure that article 20 requires was built as part of the programme design rather than retrofitted at the end. This board-level ownership also produced the resourcing decisions that made genuine security programme improvement possible alongside the compliance documentation work.
The second characteristic is that the supply chain security programme was started early and scoped honestly. Organisations that assessed their supply chain security gap in 2023, when they had enough time to prioritise suppliers for assessment and work with their most critical suppliers on remediation, are in a better position than organisations that started the supply chain work in 2024 and discovered too late that the scope was larger than available time and resource could address.
The gap between compliance documentation and implementation maturity is where the programmes that started with the right intention but insufficient time tend to end up. The October deadline has created an incentive to complete the documentation that satisfies a first enforcement review, with the expectation that implementation will continue after the deadline. This is a defensible short-term position if the implementation roadmap is genuine and the risk documentation is honest about the current gaps.
The programmes that have no credible path from current state to genuine implementation maturity are the ones with the most significant remaining exposure. The enforcement timeline is uncertain; the risk is not.