The Network and Information Security 2 (NIS 2) Directive establishes more rigorous cybersecurity requirements for organisations in EU Member States, with a long-passed transposition deadline of October 2024. This whitepaper provides an analysis, as of June 2025, of the current regulatory landscape in countries that have transposed NIS2, touching upon key aspects such as sector definition, identification of entities, registration requirements, and security measures, as well as management accountability and government oversight.
Across the EU and the EEA, countries display varied transpositions of the NIS2 Directive, with the following notable highlights:
The Directive’s emphasis on management accountability is clear, with executive boards and managing directors mandated to ensure compliance with risk management measures. Government oversight and audit mechanisms vary. In most countries, essential entities require audits by a government-accredited auditor. Audit frequency varies between yearly and every 5 years.
In essence, the transpositions studied showcase important specifics which can have a significant impact on organisations operating in these countries. For these organisations, it means closely following up on the transpositions and trying to define a common ground to reach a workable level of compliance.
Most of the NIS2 laws are expected in 2025, but some only by late 2026. Having a strategic cybersecurity control framework to navigate this evolving regulatory landscape will be important moving forward.