NIS 2 (Directive (EU) 2022/2555) is the European Union’s updated framework for cybersecurity, replacing the original NIS Directive (2016). It is designed to enhance cybersecurity across the European Union by establishing a high common level of security for network and information systems. This directive expands the scope of covered entities to include more industries. Companies must implement stronger risk management measures, report incidents, and comply with minimum cybersecurity standards. National authorities are given greater enforcement powers, and the ability to impose significant fines for non-compliance.
Under NIS 2, essential and important entities must adopt appropriate and proportionate technical, operational, and organisational measures to manage cybersecurity risks. These measures aim to protect network and information systems, as well as to prevent or minimise the impact of incidents on service recipients and interconnected services.
The directive mandates an “all-hazards” approach, meaning that entities must be prepared to address a wide range of threats, from cyberattacks to physical disruptions, ensuring comprehensive protection and resilience in their operations.
16 March 2026 Update
The widespread habit of describing NIS2 as a failure merely because several Member States did not complete transposition by 17 October 2024 calls for a more careful and balanced evaluation. It mistakes punctuality for substance and confuses delay in legislative completion with failure of regulatory transformation.
In Union law, a missed transposition deadline is indeed a breach of obligation and may trigger enforcement consequences, but it does not mean that the legislative project itself is unsuccessful. That conclusion becomes even less sustainable when one examines what NIS2 actually required: the reconstruction of national cybersecurity law, national supervisory architecture, incident reporting systems, public-private compliance structures, and board-level accountability across the legal orders of twenty-seven Member States at the same time. This was accompanied by an unprecedented expansion of the regulatory perimeter to include hundreds of thousands of entities, many of them subject to cybersecurity obligations and reporting obligations for the first time.
The first dramatic change was conceptual. NIS2 establishes a Union-wide strategic governance framework for cybersecurity and digital resilience, a legal framework covering essential and important entities across the European Union. This means that the transposition required changes affecting energy, transport, banking, financial market infrastructures, health, drinking water, wastewater, digital infrastructure, ICT service management, public administration, space, postal and courier services, waste management, chemicals, food, manufacturing, digital providers, research, and other critical parts of the economy.
Once the directive is understood in those terms, the narrative of “failure because of delay” collapses. We cannot evaluate the success of a civil code, a banking union measure, or a major constitutional reform by asking only whether every implementing act appeared on time. We must ask whether the reform altered the legal order in the intended direction. NIS2 unquestionably did that.
The second dramatic change was institutional. A directive of this kind could not be transposed by copying and pasting Union text into national statute books. It required Member States to designate or establish competent authorities, single points of contact, incident response capacity, supervision models, reporting channels, sanctions frameworks, registration mechanisms, and cross border cooperation arrangements.
Each Member State had to decide which ministry, regulator, cyber authority, sectoral supervisor, or combined structure would exercise powers over essential and important entities; how those powers would interact with pre-existing sectoral laws; how confidential reporting would be handled; how information would be exchanged with ENISA and peer authorities; and how national constitutional and administrative law constraints would be respected.
The third dramatic change was the move from selective coverage to systemic coverage. Under NIS1, the legal architecture depended heavily on national discretion, which produced significant divergence. NIS2 was intended to remove those divergences and to ensure a higher, more uniform level of resilience across the internal market. That objective alone made transposition difficult, because national legislators had to revisit prior assumptions about what counts as essential, which sectors merit public-law obligations, and how thresholds are set.
The Directive’s distinction between essential entities and important entities is central. It required a systematic methodology for identifying entities, classifying them, subjecting them to differentiated supervisory treatment, and integrating them into a coherent compliance universe. This is a question of replacing a fragmented legal map with a more disciplined Union wide taxonomy of criticality.
The fourth dramatic change was normative intensity. NIS2 mandates concrete strategy, governance, and cybersecurity risk management measures based on an all-hazards approach. This includes policies, incident handling, business continuity including backup management and disaster recovery, crisis management, supply chain security, secure acquisition and development, vulnerability handling, effectiveness assessment, cyber hygiene and training, cryptography and encryption, access control, human resources security, asset management, and much more.
This is a decisive shift from cybersecurity as a technical function to cybersecurity as a structured strategic compliance obligation. National transposition demanded sector sensitive legislative language, definitions aligned with domestic law, implementing or secondary legislation, supervisory guidance, and administrative readiness to assess compliance against these standards. A legislature can transpose a narrow duty quickly, but it cannot absorb and domesticate an all-hazards risk regime of this breadth without substantial legal work. The dramatic reality is that NIS2 required Member States to legislate for resilience, continuity, and accountability at an unprecedented level of granularity.
The fifth dramatic change was the elevation of management body responsibility. This element alone marks NIS2 as a landmark in global cyber regulation. The Directive requires Member States to ensure that management bodies of essential and important entities approve the cybersecurity risk management measures, oversee their implementation, and can be held liable for infringements by the entities. It further requires training for members of management bodies. This is a major development.
Such a transformation cannot be transposed mechanically. National lawmakers had to decide how to articulate liability, which corporate bodies were covered under domestic company law, how the rule would interact with directors’ duties, public sector governance models, regulated industry governance rules, labour law, and administrative sanction regimes. In many jurisdictions this meant building a bridge between cybersecurity law and corporate governance law that had not previously existed in a fully explicit form. That alone is a historic success.
The sixth dramatic change was procedural acceleration. NIS2 created a reporting architecture that is materially more demanding and operationally more mature than many legacy notification frameworks. Significant incidents require an early warning within 24 hours of the entity becoming aware of the incident, a fuller incident notification within 72 hours that updates the early warning and gives an initial assessment of severity and impact (and, where available, indicators of compromise), intermediate reports on request of the CSIRT or competent authority, and a final report no later than one month after the incident notification. The regime also requires the early warning to indicate whether the incident is suspected to have cross-border impact, and it provides for communication with recipients of services who are potentially affected.
This is a major legal and operational shift, because incident notification is not simply the sending of a notice. It presupposes internal detection capability, legal triage, management escalation, record keeping, interaction with CSIRTs or competent authorities, harmonisation with data protection reporting where personal data are involved, and defensible internal procedures for assessing materiality and significance. To transpose such obligations, states had to create receiving authorities, legal standards, sanctions, procedural channels, and in many cases secure national portals and coordination rules. The resulting apparatus is evidence that the Union moved beyond rhetorical cybersecurity policy into enforceable operational law. It is analytically perverse to reduce that achievement to the calendar question alone.
The seventh dramatic change was the treatment of supply chain dependency. NIS2 expressly requires consideration of supply chain security and the security related aspects of relationships between entities and their direct suppliers or service providers. It also links national compliance to Union level coordinated security risk assessments of critical supply chains. This is a profound recognition of modern cyber reality. Vulnerability often enters through outsourcing, software dependencies, managed service providers, cloud arrangements, maintenance chains, and procurement architectures rather than through a direct frontal assault on the target itself.
Legally, that means Member States had to build a framework in which regulated entities assess external dependencies, contractual risk allocation, secure development procedures, supplier quality, and vulnerabilities embedded outside the formal perimeter of the enterprise. This is not easy legislation. It requires translating a theory of risk into enforceable obligations without collapsing into vagueness or disproportion. The fact that Europe attempted to do so, across a full Union framework, is a success of extraordinary significance.
The eighth dramatic change was cultural. NIS2 treats cyber hygiene, awareness, and training as part of the compliance fabric. The Directive explicitly references basic cyber hygiene practices and cybersecurity training among the required measures and also reflects a broader concern with user awareness, phishing, social engineering, updates, configuration, segmentation, and access management.
In other words, the Directive rejects the false legal imagination that all cybersecurity problems can be solved through specialised technology while the wider organisation remains passive. It recognises that resilience depends on behaviour, culture, procurement, governance, business continuity, and internal discipline. National transposition required more than the enactment of technical norms. It required the legal normalisation of cyber preparedness as a routine expectation of organisational conduct.
The ninth dramatic change was the integration of cyber resilience with critical entity resilience under the Critical Entities Resilience Directive (CER). This matters because NIS2 was never operating in isolation. The CER Directive required Member States, by the same 17 October 2024 deadline, to adopt and publish the measures necessary to comply.
CER was itself a major shift away from a narrow infrastructure protection paradigm toward a broader resilience framework, recognising that critical entities provide essential services indispensable to vital societal functions and economic activities, and that interdependencies can produce cascading and long-term effects. It sought harmonised minimum rules, identification of critical entities, support and supervision measures, and a more coherent approach across sectors. The major legal difficulty lies precisely here: Member States were transposing two demanding directives at the same time. Europe was attempting simultaneous cyber governance and resilience governance reconstruction.
The missed deadline should be treated as a serious but secondary phenomenon. It is serious because Union directives bind as to the result to be achieved, and timely transposition is part of compliance. But it is secondary because the proper measure of NIS2’s significance lies in its transformative legal effects. It replaced a narrow fragmented predecessor with a broad and more disciplined framework. NIS2 is the largest coordinated legal reconstruction of cybersecurity governance ever attempted anywhere in the world.
NIS2 succeeded precisely because it forced Europe to confront realities that could no longer be postponed. It compelled governments to admit that fragmented standards were no longer tolerable. It compelled boards to enter the realm of cyber accountability. It compelled regulators to build supervisory capacity. It compelled essential and important entities to move from vague awareness to concrete risk management. And because it did all this across an integrated economic and political union, its significance is global. By scale, by ambition, by depth of organisational impact, and by the breadth of the sectors covered, NIS2 is the most consequential cybersecurity law in the world.