White Paper: NIS2 Implementation: Challenges and Priorities

This comprehensive publication examines the current state of NIS2 implementation across member states and affected organisations, providing insights into adoption progress and readiness levels. 

This White Paper arrives at a critical juncture, as the majority of EU member states have yet to transpose the NIS2 Directive, despite the October 17, 2024 deadline. Our research provides a comprehensive analysis of:

  • The varying approaches to implementation across EU countries in key cybersecurity areas
  • Results from our Europe-wide survey of cybersecurity practitioners on organizational preparedness
  • Detailed case studies of sectoral implementation

The findings emphasise the critical need for countries to harmonise their approaches across Europe to address the current fragmentation. The document includes key takeaways from our analysis of national and company implementation approaches, along with actionable recommendations for institutional stakeholders to enhance the implementation process.

Key takeaways: 

  1. Disproportionate Impact on Medium-Sized Enterprises, Multinational Companies, Sectors with Lower Cybersecurity Maturity Level and Newly Introduced Entities in the Scope: the financial impact of implementation is particularly acute when considering both the technology investments and the needed process changes, combined with the lack of experience from being part of NIS1 and the need to follow varying requirements from multiple national authorities.
  2. NIS2 Scope & Classification Disharmony: while NIS2 provides a foundational two-tier classification system, Member States are adopting varying approaches to entity classification, ranging from single-tier to three-tier systems.
  3. International Security Framework Diversity: Countries are taking distinctly different approaches to incorporating recognised frameworks – from direct references to specific frameworks in guidance documents to creating hybrid national standards that blend multiple frameworks.
  4. NIS2 incident reporting – timeline and classification variances: Member States are adopting significantly different notification timeframes, with some requiring initial incident reports within 6 hours compared to NIS2’s baseline 24-hour requirement.
  5. Budget readiness – investment gap in organisational preparedness: survey data indicates that approximately 75% of organisations have not allocated dedicated financial resources for NIS2 implementation.
  6. Management engagement – critical gap between regulatory requirements and current practice: survey data shows that 34% of organisations indicate no upper management involvement in the NIS2 implementation.

Online session

An online presentation of the White Paper took place on 22 January at 13:00 CET. The webinar included a Q&A session and an open discussion following the presentation.

ECSO NIS2 Directive Transposition Tracker

The NIS2 Directive Transposition Tracker is a collaborative project providing a streamlined and comprehensive overview of the Directive’s transposition across EU member states.

Organised into dedicated sections for each country, the tracker covers key aspects such as the sectoral scope, applicable standards, registration processes, sanctions, lists of competent authorities, and deadlines.

This initiative aims to identify similarities and differences in implementation while ensuring clarity for stakeholders navigating the evolving regulatory landscape.

About the ECSO Cyber Threat Management Working Group

The author of this paper is the ECSO Cyber Threat Management Working Group. The mission of this group is to provide support to organisations in tackling cyber threats, creating an environment for practitioners and end-users in cybersecurity where they can share information, lessons learned and best practices to increase cyber resilience of European companies and organisations.

Sebastijan Čutura

Senior Manager, Industry Cybersecurity

sebastijan.cutura[at]ecs-org.eu

Tomasz Michałowski

Junior Manager for European Cyber Security Community

tomasz.michalowski[at]ecs-org.eu
