NIS2 – One Year on: What’s Missing, What’s at Stake, and What’s Next?

One year after the NIS2 Directive’s transposition deadline, many EU countries have lagged on implementation, but firms cannot afford to wait for local laws. NIS2 applies to essential organizations in critical sectors, often based on size, regardless of where the companies are based or whether their activities are internal. Core obligations include entity registration, risk-based cybersecurity, detailed incident reporting, and strict supply chain controls, with boards personally accountable for compliance. Enforcement tools range from significant fines to bans on managers, and implementation challenges are heightened for multinationals because compliance is assessed per entity, not as a group. Organizations should proactively develop compliance strategies specific to each jurisdiction, because those that wait could fail to meet their obligations.

https://connectontech.bakermckenzie.com/nis2-one-year-on-whats-missing-whats-at-stake-and-whats-next/
