Critical sectors in eight EU nations yet to implement cybersecurity regulations

Countries were required to enact the rules into domestic law by October 17 of the previous year.


As of October 2023, nearly a year after the EU deadline for the transposition of the Network and Information Security Directive 2 (NIS2), eight EU member states have not yet adopted the required cybersecurity rules for critical sectors. These countries are:

  • Ireland
  • Spain
  • France
  • Bulgaria
  • Luxembourg
  • The Netherlands
  • Portugal
  • Sweden

The European Commission has issued warnings to these states for missing the deadline to implement NIS2, a directive aimed at strengthening cybersecurity rules across critical infrastructure and essential services in the EU.

Slow and Divergent Transposition Across the EU

The transposition of NIS2 across the EU has been slow and divergent, with many member states still having draft legislation or varying national requirements. This fragmentation and compliance complexity pose challenges for organisations operating in multiple jurisdictions.

By October 2024, only four member states had met the transposition deadline. As of mid-February 2025, only nine had formally transposed the directive into national law.

The EU Commission is currently monitoring member states' replies regarding the implementation of NIS2. The infringement procedure gives the countries two months to take the necessary measures to comply with the directive. If a satisfactory response is not received, the Commission may propose further steps, including referring the case to the EU Court of Justice.

Consequences of Non-Compliance

Non-compliance with these requirements can result in fines of up to €10 million, or 2% of worldwide revenue, whichever is higher. To ease pressure on enterprises, particularly small and medium-sized enterprises (SMEs), the Commission is expected to address cyber rules as part of an "omnibus" simplification package to be presented in December. This package aims to identify and reduce reporting obligations in existing digital legislation, including cyber rules.

Understanding NIS2

Under NIS2, companies are required to issue a warning within 24 hours and deliver an incident report within 72 hours in case of serious operational disruptions. The directive applies to critical sectors such as energy, transport, banking, water, and digital infrastructures. The aim is to protect these entities against major cyber incidents.

The EU executive initiated an infringement procedure in May 2022 against 19 member states for failing to adopt the rules. The aim is to ensure a unified approach to cybersecurity across the EU, thereby enhancing the resilience of critical infrastructure and essential services.

  1. The slow and divergent transposition of the Network and Information Security Directive 2 (NIS2) across the EU, as shown by the fact that eight member states have yet to adopt the required cybersecurity rules for critical sectors, underscores the importance of addressing technology and cybersecurity challenges with urgency and consistency.
  2. The European Commission's infringement procedure, which gives countries two months to comply with the NIS2 directive, demonstrates the importance of technology and cybersecurity regulations for the resilience of critical infrastructure and essential services in the EU, and the potential legal consequences for those who fail to meet these requirements.
