{"id":179048,"date":"2026-01-16T14:38:00","date_gmt":"2026-01-16T19:38:00","guid":{"rendered":"https:\/\/testing.news-you-need.com\/index.php\/2026\/01\/16\/european-states-spin-wheels-on-cybersecurity-directive\/"},"modified":"2026-01-16T14:55:08","modified_gmt":"2026-01-16T19:55:08","slug":"european-states-spin-wheels-on-cybersecurity-directive","status":"publish","type":"post","link":"https:\/\/testing.news-you-need.com\/index.php\/2026\/01\/16\/european-states-spin-wheels-on-cybersecurity-directive\/","title":{"rendered":"European States Spin Wheels on Cybersecurity Directive"},"content":{"rendered":"

European States Spin Wheels on Cybersecurity Directive<\/a><\/p>\n

https:\/\/www.bankinfosecurity.com\/european-states-spin-wheels-on-cybersecurity-directive-a-30542<\/a><\/p>\n

Publish Date: 2026-01-16 14:38:00<\/a><\/p>\n

Source Domain: www.bankinfosecurity.com<\/a><\/p>\n

Author: <\/a><\/p>\n

Using an unordered list, summarize the following article with between 4 and 8 key points. <\/p>\n

NIS2 Directive Lags in Adoption and Implementation<\/p>\n

David Meyer \u2022
\n January 16, 2026 \u00a0 \u00a0 <\/p>\n

Image: shuttersv\/Shutterstock <\/p>\n

Uptake by European Union member countries of a measure intended to beef up continental cybersecurity has hardly been enthusiastic. 15 months after EU nation-states were supposed to have implemented the Network and Information Security 2 Directive, fewer than two-thirds have done so fully. Key players such as France and Ireland haven\u2019t even passed the necessary national legislation.See Also: On-Demand | NYDFS MFA Compliance: Real-World Solutions for Financial Institutions
\nExperts are divided over the effect this situation has on Europe\u2019s defensive capabilities at a time when the continent faces severe threats. Only on Wednesday, the Polish prime minister accused Russia of a wave of December cyberattacks on the country’s energy grid.
\n Either way, variations in NIS2 implementation – in terms of timing and the details of the implementing legislation – is proving tricky for the businesses meant to follow the letter of the law.
\n“Companies operating across borders face a level of uncertainty as they might have to plan compliance efforts in one country while navigating different requirements in another country,” said Simona Kaneva, the policy analysis and outreach manager at the European Cyber Security Organisation, a non-profit that provides coordination between private and public sectors across Europe.
\nUncertainty was one of the big problems that NIS2 was supposed to fix.
\nThe first NIS Directive, adopted in 2016, aimed to the standardize the security practices of essential services in sectors such as energy and transport, and digital services such as search and cloud. It was the first trading bloc-wide cybersecurity legislation and it wasn\u2019t very clear about things like which services were to be classified as essential, leading to uneven implementation at the national level. A 2020 report from the European Union Agency for Cybersecurity found that 35% of surveyed organizations were confused about NIS\u2019s requirements.
\nTo clear up that confusion, and also to address the evolving nature of the threat, 2022\u2019s NIS2 removed the distinction between “essential” and “digital” services in favor of applying the law to any organization that provides “essential or important services.” The split between “essential” and “important” is a function of headcount and revenue thresholds, as well as the sector in which the entity operates – for example, large energy and digital infrastructure providers are essential, whereas medium-sized chemicals and manufacturing firms are important.
\nOverall, NIS2 covers sectors that escaped the first directive, such as waste management, postal services and social platforms. The newer law forces EU countries to adopt national cybersecurity strategies with policies for things like supply chain security, while boosting coordination between their Computer Security Incident Response Teams. It establishes a European cyber crisis liaison organization network. The national authorities established under the first NIS now have much stronger roles in overseeing organizations\u2019 security practices.
\nIncident reporting requirements have been clarified and tightened. And, whereas the first NIS allowed countries to set their own penalties for non-compliance, NIS establishes penalties ranging from compliance orders to fines that can stretch as far as 2% of global annual revenue. Crucially, it also introduces criminal sanctions for board members.
\nBut, NIS2 is still a directive. Unlike EU regulations such as the General Data Protection Regulation, which force member states to all implement one unified law, EU directives set only minimum levels of harmonization, allowing countries considerable leeway in the way they interpret the law beyond those baseline requirements.
\nTake the matter of board-level liability. Germany\u2019s implementing law, which was passed in December and is yet to take effect, only refers to the executive branch of a company\u2019s board. Belgium\u2019s law specifies that liability extends to both executive and supervisory boards.
\nAccording to lawyer Alex van der Wolk, co-chair of Morrison Foerster\u2019s global cyber practice, the headcount threshold for falling under NIS2\u2019s requirements is another point of divergence – some countries, such as Germany, have chosen to only take the headcount of a company\u2019s local entity into account, while others opt to focus on the company\u2019s overall EU group headcount. NIS2 allows for both approaches.
\nIn Belgium, where the government transposed NIS2 into local law in April 2024, months ahead of the largely-missed October implementation deadline, the national regulator has had time to formulate very detailed guidance for organizations. This guidance specifies that when a group\u2019s internal IT services are provided by a separate company within that group, that company could distinctly fall under NIS2\u2019s requirements because it provides managed services, even if they are only internal-facing. “Other member states are silent on that,” said van der Wolk.
\n“You see a pretty decent baseline of harmonization” in countries\u2019 interpretations of the directive, he added. “The deviations are in the details.”
\nGiven the nature of EU directives, it is far from unusual for their implementation to have different paces and styles across countries, experts emphasized. “Some of the reasons behind delaying the transposition include elections and subsequent government changes, as well as the nature of each country\u2019s legislative structures,” said Kaneva.
\nAs for the effect on NIS2\u2019s overall mission, van der Wolk pointed out that the impact on companies is limited by the fact that the first NIS already established the necessary national authorities and most of the structures for international cooperation.
\nSome see a potentially serious impact on Europe\u2019s cybersecurity stance. “It\u2019s definitely a problem, not least because offensive cyber operations are now a standard tool of statecraft,” said cybersecurity researcher and consultant Lukasz Olejnik. “Lack of NIS2 operationalization may be a helpful measure for external actors seeking to interfere with systems of EU states, particularly Western Europe. Russian cyberthreat actors may be the direct benefactors for the time being.”
\n“The NIS2 Directive aims to ensure a high level of cybersecurity across the EU,” said a spokesperson for the European Commission. “We therefore encourage all member states to transpose and implement NIS2 swiftly.”
\nThere are even debates in Brussels now about whether a future NIS3 should be a directive or a more harmonized regulation, Kaneva confirmed when asked about such discussions, but stressed that ECSO has no position on this matter.
\nAccording to the Commission, the current state of NIS2 implementation is as follows: <\/p>\n

17 member states have notified complete transposition: Belgium, Italy, Croatia, Greece, Lithuania, Malta, Romania, Slovakia, Cyprus, Denmark, Slovenia, Latvia, Czechia, Hungary, Portugal, Austria and Estonia;
\n3 member states have notified partial transposition: Germany, Finland and Poland;
\n7 member states have not yet communicated any transposition measures: Bulgaria, Spain, France, Ireland, Luxembourg, the Netherlands and Sweden.<\/p>\n

<\/p>\n","protected":false},"excerpt":{"rendered":"

European States Spin Wheels on Cybersecurity Directive https:\/\/www.bankinfosecurity.com\/european-states-spin-wheels-on-cybersecurity-directive-a-30542 Publish Date: 2026-01-16 14:38:00 Source Domain: www.bankinfosecurity.com…<\/p>\n","protected":false},"author":1,"featured_media":179049,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/ismg-cdn.nyc3.cdn.digitaloceanspaces.com\/articles\/european-states-spin-wheels-on-cybersecurity-directive-image_large-5-a-30542.jpg","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[33,24],"class_list":["post-179048","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-computer-security","tag-cybersecurity"],"_links":{"self":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/179048"}],"collection":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=179048"}],"version-history":[{"count":1,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/179048\/revisions"}],"predecessor-version":[{"id":179050,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/179048\/revisions\/179050"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/179049"}],"wp:attachment":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=179048"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=179048"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=179048"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}