The European Union’s ("EU") NIS2 Directive (Directive (EU) 2022/2555) capitalizes on the success of its predecessor, NIS, the first horizontal minimum harmonization cyber security and resilience frameworks at the EU level. NIS2 significantly expands the original NIS Directive, introducing stricter obligations for a broader range of sectors. The final text, adopted on December 14, 2022, sets out enhanced risk management and government requirements, mandatory incident notification obligations, and robust enforcement mechanisms – including significant penalties for non-compliance.
With cyber risks high on the political agenda, and a major source of concern for private organizations, one would have expected the national implementation to be swift. This is far from the case, however, and delays are prompting concerns from the EU and private sector.
Implementation Deadline Long Passed, Still Many Bad Students
NIS2 entered into force on January 16, 2023, and as it is a directive, it requires Member States to transpose the regulations into national laws. The deadline for doing so was October 17, 2024, but only four Member States were in compliance by that date.
Impatient, and recognizing the urgency of collective implementation to improve resilience and incident response capacities of entities in the EU, the European Commission ("EC") issued reasoned opinions on May 7, 2025, to 19 Member States that had not completed their transposition efforts. Reasoned opinions are the second step in EU infringement procedures. With the July 2, 2025, deadline approaching, targeted Member States only have a few of days left to fully implement NIS2 or to provide the EC with a firm timetable.
Absent of satisfactory response, the EC may submit the cases to the Court of Justice of the European Union. Infringement procedures can lead to financial penalties and increased regulatory scrutiny. But these delays and fragmented approaches create a lot of legal uncertainties for businesses directly subject to NIS2, or to those other actors in the supply chain to whom NIS2 applies by contract.
State of Play Across Selected EU Member States
Belgium
Transposition Status: Complete
- The Law of April 26, 2024, established a framework for the cybersecurity of networks and information systems of general interest for public security by transposing NIS2 in Belgium. It entered into force on October 18, 2024.
- Entities within the scope (those services falling into the digital sectors of the annexes) had to register with the competent authority (Centre for Cybersecurity Belgium) by December 18, 2024, or by March 18, 2025, for all others.
Italy
Transposition Status: Complete
- Legislative Decree n. 138, published in the Official Italian Gazette on October 1, 2024, transposed NIS2 in Italy. It entered into force on October 16, 2024, with digital sector entities under the scope (listed in Art. 42 of the Italian Decree) having to register with the competent authority (Italian National Cybersecurity Agency) by January 17, 2025, and by February 28, 2025, for all others.
France
Transposition Status: Final legislative stage approaching.
- The draft law was adopted by the Senate on March 12, 2025. Therefore, the legislative process is now in its final stage. The examination by the National Assembly is expected to take place before the end of summer, marking the last step before the law is formally adopted.
The Netherlands
Transposition Status: Draft legislation is published.
- The proposed Cybersecurity Act (Cyberbeveiligingswet) was submitted to Parliament on June 2, 2025. Upon approval, it will proceed to the Senate. While the date of adoption remains uncertain, pending the advance of the legislative process, the expected entry into force will be June 2026.
Spain
Transposition Status: Draft legislation is published.
- The Preliminary Draft Law on the Protection and Resilience of Critical Entities was approved by the Council of Ministers on May 27, 2025. The legislative process is expected to advance further over the next few months.
Germany
Transposition Status: Delayed due to political transition.
- Legislative work began in the fall of 2024, but it was interrupted by the dissolution of the federal government in November of that year. A new federal government took office in May 2025 and pledged to publish a revised implementation draft within 100 days.
What Next? Legal and Strategic Consequences of Delay
The European Commission’s reasoned opinions are not just procedural: they underscore the risks of legislative fragmentation in the EU’s cybersecurity framework, uneven preparedness, legal uncertainties, and patchwork of baseline security standards. Businesses operating in affected sectors should closely monitor national developments, ensure internal alignment with NIS2 requirements globally by undertaking gap assessments, and prepare for fast-moving implementation’ timelines.
