Understanding EU NIS2 Directive implementation delays

Reporting/registration requirements and the consequences for organizations in countries where implementation of the NIS2 Directive is delayed.

The NIS2 Directive (Network and Information Security Directive 2) is one of the European Union’s most ambitious initiatives to harmonize and strengthen cybersecurity across the bloc.

Since January 16, 2023, the directive has been in force with the goal of improving the resilience of organizations operating in critical sectors. Member States were required to transpose the directive into their national legislation by October 17, 2024. However, as of November 28, 2024, the European Commission identified that 23 Member States, including the Netherlands, had failed to meet this deadline.

This raises important questions: what are the consequences for organizations in these countries? Are registration and incident reporting obligations enforceable?

This article explores the legal implications of delayed implementation of the NIS2 Directive.

The status of implementation

On November 28, 2024, the European Commission announced infringement proceedings against 23 Member States for failing to transpose the NIS2 Directive into their national laws on time.

These Member States include: Bulgaria, Czechia, Denmark, Germany, Estonia, Ireland, Greece, Spain, France, Cyprus, Latvia, Luxembourg, Hungary, Malta, the Netherlands, Austria, Poland, Portugal, Romania, Slovenia, Slovakia, Finland, and Sweden.

These delays have resulted in significant legal uncertainty. Belgium and Croatia are among the few Member States that managed to complete their transposition within the stipulated timeframe.

Registration and reporting obligations

The NIS2 Directive imposes several obligations on organizations in critical sectors. Two key obligations include:

Incident reporting obligation (Article 23)

Organizations must report significant incidents that impact the security of their network and information systems to the competent authorities or Computer Security Incident Response Teams (CSIRTs). An ‘early warning’ must be made within 24 hours of becoming aware of the incident, with full notification (72 hours), further updates and a final report (one month) to follow as more details become available.

These obligations become enforceable only after a Member State has transposed the directive into its national legislation.

Legal reality in countries without implementation

Until a Member State implements the NIS2 Directive, there is no legal basis to compel organizations to register or report incidents. This means that organizations based in these countries are formally not required to register with a supervisory authority or to report significant incidents.

This is rooted in the legal principle that EU directives are only binding on individuals and organizations once they are transposed into national law. The European Commission has confirmed this principle, stating that “directives […] must be transposed into national legislation by EU countries before they can be enforced.”

Consequently, in the absence of national implementation, organizations in these countries have no direct obligations under the NIS2 Directive.

The absence of national implementation of the NIS2 Directive does not entirely negate its impact. While organizations are not directly obligated to comply with registration or reporting requirements, “positive obligations” on Member States to act in certain circumstances may still hold weight under EU law. This can occur through the principles of the effet utile doctrine, which ensures the effective application of EU law, even if it has not been fully transposed.

The NIS2 Directive places an emphasis on Member States’ responsibilities to coordinate, assist, and respond to significant cybersecurity incidents. For example:

  • Coordination and support: Even without full national transposition, Member States are required to facilitate incident response, including providing assistance to affected organizations, under the principles outlined in the directive’s framework.
  • Establishment of CSIRTs (Computer Security Incident Response Teams): Member States are mandated to maintain operational CSIRTs capable of managing and mitigating significant incidents. These teams must operate regardless of whether the directive is transposed, as many Member States already have pre-existing obligations under the original NIS Directive (2016).

Proactive steps organizations can take

While organizations in Member States without implementation laws currently face no enforceable obligations, this period of legal “breathing space” is not an excuse to remain unprepared. The implementation of the directive is inevitable. Organizations should take the following steps to enhance their cybersecurity posture and prepare for compliance:

  • Strengthen security measures: Conduct internal risk assessments and implement technical and organizational measures to secure network and information systems in line with Article 21 of the directive.
  • Develop incident management procedures: Establish internal protocols for managing and reporting significant incidents, as required under Article 23 of the directive.
  • Engage leadership in cybersecurity: Ensure board members are aware of their responsibilities regarding cybersecurity and receive the necessary training to oversee the implementation of security measures effectively.

Conclusion

In Member States that have yet to implement the NIS2 Directive, registration and reporting obligations are not currently enforceable.

However, organizations should not mistake this delay for a lack of accountability.

By proactively strengthening cybersecurity measures and establishing compliance frameworks, organizations can safeguard their operations, protect their reputations, and ensure readiness for the regulatory landscape ahead.


Olaf van Haperen is a partner working in the Dutch offices and heads the TMT practice in Europe. Robbert Santifort is a principal associate and specializes in IP/IT and Data Privacy law. Ilham Ezzamouri is an associate who operates and specializes at the intersection of Technology and Data Protection, with a specific focus on cyber security and data protection/privacy law.