Six months past the deadline for adopting the EU’s NIS2 Directive, 13 member states remain non-compliant, leaving critical sectors like pharmaceuticals, energy, and digital infrastructure exposed to escalating cyber threats, according to Euractiv.
The delays, described by Dutch MEP Bart Groothuis as “incomprehensible and irresponsible,” underscore systemic challenges in harmonising cybersecurity standards across the bloc.
As of April 2025, only seven EU countries – Belgium, Croatia, Italy, Lithuania, Romania, Slovakia, and Greece – have fully transposed the NIS2 Directive into national law. A further seven, including Austria and Poland, have partial measures in place, whereas Germany, France, and others lag significantly.
Meanwhile, Malta and Finland recently finalised legislation but await formal Commission notification, leaving them unaccounted for in compliance tallies. Key obstacles include political instability, resource shortages, and business concerns.
Smaller nations like Ireland and Greece lack cybersecurity expertise and funding, particularly for sectors like water utilities, which face compliance costs upwards of €500,000. Fears that stringent requirements – such as 24-hour incident reporting and supply chain vetting – could strain competitiveness persist, despite penalties of up to €10 million or 2% of global revenue for non-compliance.
Rising vulnerabilities, industry anxiety
The delays have left critical entities, including energy grids and transport networks, at heightened risk. Groothuis warned that every day of inaction “increases our vulnerability” to attacks, citing recent incidents like Baltic Sea undersea cable sabotage. Industry groups, including EurEau and BSA, lament fragmented implementation, with water suppliers and SMEs struggling to navigate divergent national rules.
The European Commission has escalated pressure, issuing formal notices to laggard states in November 2024 and threatening infringement procedures. However, responses remain uneven: the Netherlands aims to enforce rules by Q3 2025, while Portugal and Bulgaria have yet to begin transposition.
The NIS2 Directive, designed to replace the ineffective 2016 NIS1 framework, mandates stringent risk assessments, executive accountability, and cross-border crisis coordination. Its sluggish adoption risks undermining the EU’s ability to counter hybrid threats, particularly as ransomware attacks surged by 47% in 2024.
Sebastijan Čutura of the European Cyber Security Organisation (ECSO) stressed that harmonisation required “political will, not just technical fixes,” urging member states to prioritise compromise over bureaucratic inertia. With the EU Cybersecurity Certification Scheme (EUCS) also stalled by sovereignty disputes, the bloc’s fragmented approach risks ceding ground to global competitors.