NIS2 in 2026: From Law on Paper to Law in Practice
When the EU’s Network and Information Security Directive 2.0 (NIS2) came into force, it set an ambitious deadline. EU member states had until 17 October 2024 to transpose its requirements into national law. That deadline passed with much of Europe still catching up. Today, the picture looks dramatically different and far more consequential.
NIS2 is no longer a compliance horizon. It is an active enforcement reality.
What NIS2 Set Out to Do
NIS2 replaced its predecessor, NIS1 (Directive (EU) 2016/1148), which had been the EU’s first comprehensive attempt to secure network and information systems across the Union. As technology evolved and cyber threats grew in complexity, NIS1 proved insufficient: its scope was narrow, and member states implemented it inconsistently. NIS2 was designed to resolve these shortcomings by expanding scope, tightening standards, and bringing more sectors under regulatory oversight.
The directive establishes a unified legal framework across 18 critical sectors, including energy, healthcare, finance, transport, digital infrastructure, and managed service providers. It divides in-scope entities into two categories, “essential” and “important”, which are subject to different levels of supervisory intensity: essential entities face proactive (ex ante) supervision, while important entities are supervised reactively (ex post), typically once there is evidence of non-compliance. Both categories face the same core obligations around risk management, incident reporting and handling, supply chain security, and governance accountability.
The Transposition Picture
At the October 2024 deadline, most member states had not completed transposition. The European Commission responded by opening infringement proceedings, first with letters of formal notice and then with reasoned opinions, giving non-compliant states a final opportunity to align before potential referral to the Court of Justice of the EU.
As of early 2026, 21 out of 27 EU member states have transposed NIS2 into national law. Key milestones include Germany completing its implementation in December 2025 (amending its existing BSI Act rather than creating standalone legislation), Sweden’s Cyber Security Act taking effect in January 2026, Portugal’s final draft entering into force in April 2026, and Poland’s amended Act on the National Cybersecurity System entering into force in April 2026. France, Ireland, Luxembourg, and Spain are in the final stages of adoption.
Each member state’s implementing legislation introduces its own variations in penalties, enforcement procedures, incident reporting timelines, and sector-specific requirements. This is a direct consequence of NIS2 being a directive rather than a regulation: it binds member states to a result, but each state reaches that result through its own national law. Germany, for instance, requires entities to immediately notify affected individuals of a cyber incident when directed to do so by regulators. This divergence creates disproportionate compliance burdens for organisations operating across multiple EU jurisdictions, which must track and meet different national rules rather than a single uniform standard.
Enforcement Has Begun
The more significant development is that regulators have moved from guidance to action. Enforcement is now active in Germany, France, and the Netherlands, with regulators conducting audits and applying fines. Supervisory authorities across the EU are ramping up oversight, and the expectation is that 2026 will see the first wave of significant enforcement actions across the bloc.
For organisations that treated NIS2 preparation as a future planning exercise, that window has closed. The leading audit failure point identified so far is credential and access management gaps such as inadequate multifactor authentication, poor privileged access controls, and insufficient audit trails. These are not the most technically complex requirements in NIS2. They are simply the most documentable and the most immediately verifiable by inspectors.
The January 2026 Package
The most consequential recent development is one that the original NIS2 framework could not have anticipated: the directive itself is already being revised.
On 20 January 2026, the European Commission published a proposal to amend NIS2 as part of a broader EU cybersecurity reform package (also comprising a revised Cybersecurity Act, known as CSA2). The amendments were driven by lessons from early implementing member states. One such lesson was that NIS2’s breadth of scope and divergence in national transposition had created legal uncertainty and disproportionate compliance costs, particularly for smaller entities.
The proposed changes are targeted rather than wholesale. Key developments include:
Ransomware reporting obligations. Under the proposal, when a significant incident involves ransomware, entities must, if asked by regulators or Computer Security Incident Response Teams (CSIRTs), disclose whether a ransom demand was made, by whom, and whether it was paid, including the amount, payment method, and recipient details. This is a notable shift that brings ransom payment disclosures into the regulatory framework in a structured way, and entities will need to update their incident response plans so that this information is captured during the incident rather than reconstructed afterwards.
Harmonised EU-level data collection. The amendments introduce a framework for more consistent collection of ransomware attack data across the EU, including attack vectors and mitigation measures. The goal is to reduce the current fragmentation where each member state collects different information in different ways.
Expanded extraterritorial reach. NIS2 already required digital service providers without EU establishment to appoint an EU representative if they serve EU-based clients. The proposal would extend this requirement to any essential or important entity, regardless of sector, that is not established in the EU but offers services within it. The precise scope of this expansion remains subject to refinement in the legislative process, but the directive is set to increase its extraterritorial impact.
Scope adjustments. The proposal narrows the reach of NIS2 in some areas while expanding it in others. Operators of submarine data transmission infrastructure will be brought within scope. Entities involved in the distribution of chemicals will be removed, though manufacturers and producers remain covered. Micro and small DNS service providers will also be removed from scope.
An expanded ENISA. The EU’s cybersecurity agency, ENISA, will take on a significantly larger operational role. Its budget will increase by more than 75%, and its mandate will expand to include coordinating EU-level security risk assessments, maintaining the European Vulnerability Database, managing the EU Cybersecurity Reserve, and running a ransomware assistance service in cooperation with Europol. ENISA will also serve as a central incident reporting platform. This move signals greater EU-level coordination of cybersecurity governance.
The amendment proposal will now proceed through ordinary EU legislative procedure. Negotiations between the European Parliament and Council are expected through 2026, with political agreement targeted for early 2027. Once adopted, member states will have one year to transpose the amendments.
The Compliance Calculus
For organisations within scope, the practical message is straightforward. NIS2 is being enforced now in key jurisdictions, amendments are in motion, and the compliance baseline is going to keep moving. The most defensible posture while the legislative landscape settles is a phased approach: address first the core obligations that are consistent across all member states, then adapt to jurisdiction-specific requirements as national laws mature.
What regulators are looking for in early audits is not perfection. They are looking for evidence of governance: documented risk assessments, tested incident response plans, structured access controls, and demonstrable accountability at leadership level. Organisations that can show a credible compliance programme, even an incomplete one, are in a far stronger position than those that waited for the directive to be “finalised” before acting.
