
NIS2 Transposition – why are we (still) waiting?

The Network and Information Security Directive 2 (NIS2) represents a significant strengthening of cybersecurity defences across the EU. It expands the scope of covered entities and introduces stricter requirements for cybersecurity practices and incident reporting in response to growing cyber threats.

NIS2 emerged from recognition of evolving threats to regional, national and supranational infrastructure, informed by surveys of collective defences across Member States. This highly anticipated update replaces the NIS1 directive (in place since 2016) and passed into EU law on 16 January 2023.

The Transposition Challenge

Member States were given until 17 October 2024 to transpose NIS2 into national law. Only four met this deadline. The passage into national legal frameworks has been sporadic at best.

Ireland, yet to comply, pre-paid a €4.5 million fine in July 2024 for failing to meet the October deadline. When asked during a recent Parliamentary Questions session to confirm when Irish transposition legislation (the National Cybersecurity Act) would be completed, the responsible minister's response suggested considerable uncertainty about timing.

Working from the Source

Recognising NIS2's importance, many IT professionals have been referring to the EU Official Journal document to inform strategic decisions and investments whilst awaiting transposition in their Member States. We expect some additions during the legislative process, but assume the detail and intent will remain relatively unchanged.

A set of checklists derived directly from the directive and its accompanying implementing technical standards has been available within calQrisk software for some time, enabling organisations to begin preparing for compliance.

The Implementation Challenge

Fully implementing NIS2 and establishing controls to maintain and regularly verify compliance is not a simple process. It requires coordinated effort between IT and operational technology personnel. However, conducting a gap analysis against the requirements may be all that's needed to inform the body of work many organisations must undertake to achieve compliance.

The hard questions in any implementation plan are the "all and always" ones: Do all people always do things the way the process or control says they must be done? Are all systems and equipment always fit for purpose?

A Pan-European Concern?

Ireland is not the only EU nation that has failed to complete transposition. At the time of writing, only 11 of the 27 Member States are over the line - and three of those only after the European Commission issued a "reasoned opinion" (a formal request to comply with EU law) to 19 Member States on 7 May 2025.

Could there be a pan-European concern that passing this legislation makes legally binding the need to update and upgrade legacy systems, equipment and skills at potentially enormous cost? Identifying the issues is only the first step in the process - there is much work to be done.

Preparing for Compliance

Organisations should not wait for national transposition to complete before beginning their NIS2 preparation. The directive's requirements are clear, and early preparation will ease the transition when national legislation finally arrives.

Start by conducting a thorough gap analysis, identifying which requirements apply to your organisation, assessing current capabilities against those requirements, and developing a realistic implementation plan with appropriate resources and timelines.

Published on June 18, 2025
