Most EU Countries Miss NIS2 Cybersecurity Directive Deadline

Despite the European Union’s commitment to strengthening cybersecurity across 18 critical sectors, a significant number of Member States have yet to implement the NIS2 Directive into national law. As of six months past the 17 October deadline, only seven countries have fully adopted the directive, while another seven have partially done so. Thirteen Member States, including Germany and France, remain non-compliant, exposing vulnerabilities in sectors such as pharmaceuticals, government agencies, and space infrastructure.

This lack of progress highlights a disconnect between political priorities and legislative action. Although cybersecurity is widely recognized as essential for economic protection, practical steps to improve resilience have lagged. Contributing factors include political instability, shortages of skilled professionals, and concerns about the financial impact of new compliance requirements on businesses.

Recent developments in Malta and Finland, where laws have been adopted but not yet formally notified to the European Commission, show some movement. However, these countries are not yet counted among those in full compliance. The European Commission has issued formal notices to several Member States, urging swift action, but overall progress remains slow.

The delayed transposition of NIS2 is particularly concerning given the increased risk of cyberattacks. Experts and policymakers, such as Bart Groothuis MEP and Sebastijan Čutura of ECSO, have emphasized the urgency of closing these legislative gaps to protect the EU’s critical infrastructure and maintain economic competitiveness.

Source: EU countries miss deadline on cybersecurity rules for critical sectors