New EU Cyber Law Faces Delayed Adoption as Many Nations Miss Deadline

The European Union’s new cybersecurity directive, NIS 2, which sets higher standards for companies to strengthen their cybersecurity defenses, has encountered a rough start. Many EU member states have yet to adopt the rules into national law, missing the key enforcement deadline, according to a report from the DNS Research Federation.

NIS 2, short for the Network and Information Security Directive 2, became enforceable across the bloc on Thursday, requiring companies to enhance risk management, transparency, and business continuity planning in the event of a cyberattack. However, the slow pace of adoption by EU countries means that enforcement of the directive is expected to be inconsistent.

Portugal and Bulgaria are two of the countries that have yet to begin incorporating NIS 2 into their legal frameworks, raising concerns about their cybersecurity readiness. Many other EU countries are at various stages of implementing the law, creating disparities across the region.

NIS 2 was designed to update the original NIS directive, addressing more recent cybersecurity challenges. It expands its reach to cover essential service providers, including banks, energy suppliers, health care institutions, internet providers, and waste management services. The directive also introduces stricter reporting requirements, with firms now having just 24 hours to notify authorities of a cyber breach.

The directive mandates businesses to thoroughly vet technology vendors for cyber vulnerabilities and to share information on security issues with other organizations, even if that means disclosing their own breaches. Non-compliance can result in hefty fines—up to 10 million euros ($10.9 million) or 2% of global annual revenue for essential entities, such as transport and financial firms. For important businesses, like food and chemical companies, the penalties could reach 7 million euros or 1.4% of global revenue.

The effectiveness of NIS 2 will depend heavily on consistent implementation across EU member states, according to Tim Wright, a partner and technology lawyer at Fladgate. Gaps in adoption could lead cybercriminals to target countries that lag behind or smaller vendors within the supply chain, he warned.

Businesses have been preparing for the directive’s stricter cybersecurity measures, but inconsistencies in national laws have created additional challenges, particularly for smaller organizations with fewer resources. Chris Gow, Cisco’s EU public policy lead, recommended that companies focus on identifying common security controls that can help them comply with the directive despite these discrepancies.

Carl Leonard, EMEA cybersecurity strategist at Proofpoint, emphasized that NIS 2 establishes clear risk management expectations, including leadership accountability and incident handling. The penalties, which include not only fines but also possible service suspensions and increased supervision, are meant to compel organizations responsible for critical infrastructure to take cybersecurity threats more seriously.