Introduction: The Shifting Sands of European Cybersecurity Regulation
The European Union’s digital and operational landscape is in the throes of a significant transformation, a period marked by both unprecedented opportunity and escalating cyber threats. At the heart of this evolution stands the Network and Information Systems Directive 2 (NIS2, formally Directive (EU) 2022/2555), a landmark piece of legislation designed to fortify the cybersecurity resilience of critical infrastructure and essential services across the bloc. Replacing its predecessor, NIS1 (Directive (EU) 2016/1148), the new directive aims to create a more harmonized and robust cybersecurity framework. However, as businesses across Europe grapple with its implications, a complex picture is emerging, one characterized by inconsistent implementation across national borders, a dramatically expanded scope of covered entities, and urgent calls for clearer, more unified guidelines. This article delves into the confusion and legal uncertainty plaguing European businesses, explores the ramifications of NIS2’s rapid expansion, and examines the critical need for harmonized approaches, particularly concerning incident reporting, supply chain security, and cross-border compliance. For organizations striving to maintain operational resilience in this evolving regulatory environment, understanding these challenges is not merely beneficial; it is a strategic imperative.
The Labyrinth of Inconsistent Implementation: Confusion and Legal Uncertainty
The journey towards a unified cybersecurity posture under NIS2 has, thus far, been anything but smooth. A primary source of consternation for European businesses is the inconsistent and often delayed transposition of the directive into national law by EU member states. The original deadline of October 17, 2024, for member states to integrate NIS2 into their respective legal frameworks was missed by a significant number, leading to a fragmented regulatory landscape that breeds confusion and legal uncertainty. On November 28, 2024, the European Commission opened infringement procedures by sending letters of formal notice to 23 member states for failing to notify full transposition, underscoring the widespread nature of these delays.
This patchwork of progress, or lack thereof, creates a challenging operational environment, particularly for pan-European organizations. Instead of navigating a single, coherent set of rules, businesses find themselves contending with a mosaic of national interpretations, timelines, and enforcement priorities. For instance, while countries like Belgium, Croatia, Hungary, and Italy reportedly met their obligations in a timely manner, others, including major economies like France and Germany, announced or experienced delays, pushing full implementation into 2025. Germany, for example, has even signaled an intention to narrow the scope of its national NIS2 regulation compared to the EU directive, further complicating the compliance calculus for businesses operating within its borders and across the EU.
The divergence extends beyond mere timelines. The interpretation of key NIS2 provisions can vary from one member state to another. A notable example highlighted by industry analysts is France’s decision to explicitly include local authorities within its national NIS2 scope, a stipulation not mirrored in Germany’s approach. Such discrepancies force multinational companies to adopt a country-by-country compliance strategy, significantly increasing administrative burdens and legal costs. This situation is a far cry from the harmonized cybersecurity framework envisioned by the directive’s architects.
The impact of this regulatory fragmentation is palpable. A stark gap has emerged between the initial confidence expressed by many businesses regarding their ability to meet NIS2 requirements and the complex reality of the current situation. Early surveys in mid-2024 indicated that a large majority of businesses believed they could achieve compliance; however, the actual compliance rates were drastically lower. This disparity can be attributed, in part, to an underestimation of the directive’s complexities, exacerbated by the ongoing delays and inconsistencies in national legislation. Many organizations reported a lack of confidence in their understanding of NIS2’s specific requirements and cited insufficient leadership support as a barrier to effective preparation. The prevailing uncertainty makes it difficult for businesses to allocate resources effectively, develop robust compliance strategies, and ensure they are not inadvertently falling foul of differing national rules. The overarching consequence is a state of heightened legal risk and potential instability, undermining the very resilience NIS2 seeks to foster.
A Wider Net: The Rapid Expansion of NIS2 Coverage
Compounding the challenges posed by inconsistent implementation is the sheer scale of NIS2’s expanded scope. The directive dramatically increases the number of entities and sectors deemed critical or important, bringing a vast new cohort of organizations under its regulatory purview. While NIS1 primarily focused on a relatively limited set of 'operators of essential services'—estimated to be around 500 entities in a country like France—NIS2 casts a much wider net. Projections suggest that this number could skyrocket to over 15,000 entities in France alone, a thirty-fold increase, with similar expansions anticipated across other EU member states. This monumental growth means that many businesses previously outside the scope of EU-level cybersecurity mandates now find themselves confronting complex new obligations.
The directive now encompasses 18 sectors, split across two annexes: Annex I lists 'sectors of high criticality' and Annex II lists 'other critical sectors'. Whether an individual organization is an 'essential entity' or an 'important entity' depends on both its sector and its size. As a rule, entities in Annex I sectors that exceed the ceilings for medium-sized enterprises (in practice, large enterprises) are essential, while medium-sized entities in Annex I sectors and entities in Annex II sectors are important; a few types, such as DNS service providers, top-level domain name registries, qualified trust service providers and central government bodies, are essential regardless of size. Essential entities face the strictest regime, including proactive supervision, potential on-site inspections and independent security audits, whereas important entities are supervised only after the fact. Annex I not only includes traditional NIS1 sectors like energy, transport, banking, financial market infrastructures, health, drinking water, and digital infrastructure, but also extends to new areas such as public administration, providers of public electronic communications networks or services, wastewater management, manufacturers of basic pharmaceutical products, business-to-business ICT service management, space, and operators involved in hydrogen production, storage, and transmission. Furthermore, technology providers such as cloud computing services and data centre service providers, which were regulated as 'digital service providers' under a lighter-touch regime in NIS1, now sit in the high-criticality annex.
Annex II brings further sectors into the fold, including postal and courier services, waste management, manufacturing of critical products like medical devices, computers and electronics, electrical equipment, machinery and vehicles, food production, processing and distribution, chemical manufacturing and distribution, research organizations, and providers of online marketplaces, online search engines, and social networking service platforms. This expansion means that a diverse range of medium-sized and even some smaller companies, if they meet the size thresholds or belong to a type covered regardless of size, must now navigate the intricacies of NIS2 compliance.
The deadline for EU countries to establish and publish their lists of identified essential and important entities within their jurisdiction was April 17, 2025. However, the sheer volume of newly covered entities presents a significant challenge for both the businesses themselves and the national competent authorities tasked with oversight and enforcement. Many of these newly in-scope organizations, particularly small and medium-sized enterprises (SMEs) that may lack dedicated cybersecurity teams or extensive resources, face a steep learning curve in understanding and implementing the required technical, operational, and organizational measures. Article 21 of the directive sets out a minimum list of ten such measures, ranging from policies on risk analysis and information system security, incident handling, and business continuity, to specific requirements for supply chain security, vulnerability handling and disclosure, basic cyber hygiene and training, access control and asset management, multi-factor authentication, and the use of cryptography and encryption.
The rapid expansion necessitates a significant upscaling of cybersecurity awareness, expertise, and investment across a much broader segment of the European economy. For many, this will require a fundamental shift in how they perceive and manage cyber risk, moving it from a purely IT concern to a core boardroom-level responsibility, especially given the provisions for personal liability of management bodies under NIS2.
The Clarion Call for Harmonization: Reporting, Supply Chains, and Cross-Border Compliance
Given the dual challenges of inconsistent national transpositions and a vastly expanded regulatory net, the calls from European businesses and industry bodies for greater harmonization in NIS2 guidelines are growing louder and more urgent. While NIS2 itself aims to achieve a higher common level of cybersecurity across the EU, its effectiveness hinges on consistent interpretation and application. The current fragmentation risks undermining this core objective, creating an uneven playing field and potentially leaving critical vulnerabilities unaddressed. Harmonization is particularly crucial in three key areas: incident reporting, supply chain security, and the broader complexities of cross-border compliance.
Incident Reporting: NIS2 introduces more stringent and detailed incident reporting obligations. In-scope entities must notify their national Computer Security Incident Response Team (CSIRT) or competent authority of any incident having a "significant impact" on the provision of their services. The directive outlines a multi-stage reporting process: an "early warning" within 24 hours of becoming aware of a significant incident, stating whether the incident is suspected to be malicious or to have cross-border impact; a more detailed incident notification within 72 hours, including an initial assessment of severity and impact and any indicators of compromise; intermediate status updates on request; and a final report within one month of the incident notification. The directive does define a significant incident, but only in outcome terms: one that has caused or is capable of causing severe operational disruption or financial loss, or that has affected or is capable of affecting other persons by causing considerable material or non-material damage. Those thresholds are open to interpretation, and although the Commission has specified concrete criteria for digital infrastructure and digital service providers in Implementing Regulation (EU) 2024/2690, most sectors have no comparable EU-level guidance on thresholds, triggers, or reporting formats, so businesses face uncertainty. Differing national interpretations could lead to over-reporting in some jurisdictions and under-reporting in others, hampering the ability of authorities to gain an accurate EU-wide situational awareness of cyber threats. Businesses are therefore seeking standardized templates, clearer definitions of significance, and streamlined reporting channels to reduce administrative burdens and ensure consistency.
Supply Chain Security: NIS2 places a significant emphasis on managing cybersecurity risks within supply chains, a critical vector for cyberattacks. Entities are required to take measures to ensure the security of their network and information systems, which includes addressing vulnerabilities specific to each direct supplier and service provider. They must also assess the overall quality of products and cybersecurity practices of their suppliers, including their secure development procedures. This is a complex undertaking, especially for organizations with extensive and global supply chains. The lack of harmonized guidelines on how to conduct these assessments, what constitutes adequate supplier cybersecurity practices, and how to manage risks associated with third-country suppliers creates significant operational challenges. Businesses are calling for common frameworks, best practice guides, and potentially certification schemes that can help them evaluate and manage supply chain risks more effectively and consistently across the EU.
Cross-Border Compliance: For the many organizations that operate across multiple EU member states, the lack of harmonization in national NIS2 implementations presents a formidable compliance hurdle. Navigating differing national requirements for risk management measures, security audits, oversight regimes, and even penalty structures can be a resource-intensive nightmare. The directive only sets floors for maximum administrative fines (at least EUR 10 million or 2% of worldwide annual turnover for essential entities, and EUR 7 million or 1.4% for important entities), so member states remain free to go further. Jurisdiction also varies by entity type: most entities fall under the member state in which they are established, while certain digital providers (cloud, data centre, DNS, managed service and online platform providers, among others) are supervised by the member state of their main establishment, and entities not established in the EU but offering services within it must designate a representative. For EU-based companies with a multinational footprint, the ideal scenario is one where compliance with the NIS2 requirements in one member state largely satisfies the requirements in others, minimizing redundant efforts. Harmonized guidelines on how national authorities will cooperate on supervising entities with cross-border operations, and how enforcement actions will be coordinated under the directive's mutual assistance provisions, are essential to provide legal certainty and reduce the compliance burden.
Without a concerted effort towards greater harmonization, the promise of NIS2 to create a truly resilient and secure digital single market risks being diluted. Clear, practical, and consistently applied guidelines are not just desirable; they are fundamental to enabling businesses to meet their obligations effectively and contribute to the EU’s collective cybersecurity.
Charting a Course Towards Unified Cyber Resilience
The NIS2 Directive represents a pivotal moment for cybersecurity in the European Union, signaling a clear intent to elevate resilience across a vast array of critical sectors. Its ambitious expansion in scope and strengthened security obligations are, in principle, vital steps in confronting an increasingly sophisticated threat landscape. However, the path to achieving these goals is currently fraught with challenges. The confusion and legal uncertainty stemming from inconsistent and delayed national implementations, coupled with the sheer scale of newly covered entities, are placing considerable strain on European businesses. The urgent calls for harmonized guidelines—particularly concerning incident reporting, supply chain security, and cross-border compliance—highlight the critical need for greater clarity and coherence.
For organizations navigating this complex terrain, a proactive and informed approach is paramount. Waiting for perfect regulatory clarity is not a viable strategy. Instead, businesses must leverage the information available, engage with industry peers, and draw on expert guidance to build robust cybersecurity frameworks that align with the core tenets of NIS2. This includes fostering a strong cybersecurity culture from the boardroom down, investing in comprehensive risk assessments, strengthening supply chain due diligence, and preparing for more rigorous incident reporting. While the journey towards a fully harmonized and seamlessly implemented NIS2 framework may be ongoing, the directive’s overarching message is clear: cybersecurity resilience is no longer a niche concern but a fundamental pillar of business continuity and strategic survival in the digital age. As member states work to align their national laws and EU bodies strive to provide further clarification, the onus remains on businesses to take decisive action, transforming compliance obligations into opportunities to build a more secure and resilient future.