Editor's note: The IAPP is policy neutral. We publish contributed opinion and analysis pieces to enable our members to hear a broad spectrum of views in our domains. 

The NIS2 Directive reaches an important anniversary this month: It has been one year since EU member states were required to pass national implementing legislation. 

Over the past year, progress has been slow and patchy. Only six jurisdictions met the initial 17 Oct. 2024 deadline to transpose their implementing legislation; although a further nine have implemented to date, 12 jurisdictions still have yet to do so. 

It's certainly too soon for the EU to celebrate achieving its goal of unifying and enhancing its legal framework for cybersecurity. The delay also creates major practical challenges for multinational organizations, which must balance compliance with requirements already in force, monitoring of draft legislation in key jurisdictions, and the development of a holistic Europe-wide strategy that works for their global business. 

It also creates a lot of legal uncertainty, particularly for those that need to determine their main establishment in the EU or designate a representative in the EU if they have no establishment there.

However, there is still a path to success. Perspectives from two ends of the NIS2 spectrum — Belgium, which met the implementation deadline and where concrete obligations are already in force, and Ireland, where draft legislation has yet to be published — suggest practical tips on two key considerations that underpin a successful compliance strategy: getting an organization's main establishment right and identifying where compliance efforts can be leveraged across multiple jurisdictions.

Main establishment

One of the most important aspects of any NIS2 compliance program is to understand from the outset which jurisdiction an organization will be subject to. The jurisdictional rules under NIS2 are relatively complex. 

The general rule is that in-scope entities are subject to the jurisdiction and governing laws of the member state where they are established and, where an entity is established in more than one member state, they will be subject to the separate and concurrent jurisdiction of each of those member states. 

Practical challenges for multinational organizations

These jurisdictional rules are causing significant headaches as multinational organizations must comply with all local implementing laws, register locally in all jurisdictions, and report incidents locally. There is no one-stop shop incident reporting as with other regimes like the EU General Data Protection Regulation. 

It also means senior management in each jurisdiction is responsible for compliance; the stakes are high, with direct accountability — and personal liability — for boards and senior management for compliance failings.  

This causes particular issues for multinational organizations where cybersecurity is traditionally the responsibility of the organization's headquarters, with affiliates simply relying on the adopted measures. 

It also means it is difficult for organizations to develop a holistic Europe-wide strategy, as the rules vary from member state to member state. What we are seeing in practice is that the national laws transposing NIS2 can differ materially, and jurisdictions are at very different stages of the implementation process.

Some specific obligations exist in some countries but not in others. For example, Hungary's legislation requires organizations to have appointed an auditor from an approved list by 31 Aug. 2025. Some jurisdictions require risk assessments to be conducted annually and submitted to the relevant competent authority, while others have implemented different rules for incident reporting.

Certification and assessment criteria also differ between member states. While Ireland's National Cyber Security Centre published draft Risk Management Measures in June 2025 and has adopted the Cyber Fundamentals certification scheme, joining Romania and Belgium, other member states will have different certification and assessment requirements.

Strategic considerations in the digital sector

Thankfully, the rules on jurisdiction differ for the digital sector — that is, domain name system service providers, top-level domain name registries, entities providing domain name registration services, cloud computing service providers, data center service providers, content delivery network providers, managed service providers, managed security service providers, online marketplaces, online search engines and social networking services platforms — where the main establishment principle applies.  

The main establishment principle means digital sector entities will only need to comply with the laws in the member state where they have their main establishment as determined in accordance with NIS2 and report security incidents to the competent authority in that member state — similar to the one-stop shop under the GDPR. Identifying the main place of establishment is therefore critical for NIS2.

The main establishment for digital sector entities will be the member state where the decisions related to the cybersecurity risk-management measures are predominantly made. If such a member state cannot be determined or if such decisions are not made in the EU, the main establishment is considered to be in the member state where cybersecurity operations are conducted. If such a member state cannot be determined, the main establishment is considered to be in the member state where the concerned entity has the establishment with the highest number of employees in the union. Where the entity is not established in the EU, a representative within the EU must be appointed in one of the member states where the entity provides its services. 

Ideally, the main establishment for GDPR and NIS2 purposes would align. However, that in and of itself is causing difficulties for some organizations, particularly U.S.-headquartered organizations where decisions related to cybersecurity risk-management measures are predominantly made in the U.S. Organizations headquartered in the U.S. will generally establish one or more EU entities, with one of them designated as the main establishment for GDPR purposes and thereby availing of the one-stop shop. 

However, it's relatively common for those U.S. entities to retain control in relation to cybersecurity and risk management measures. This will make it difficult to align main establishment under the GDPR, which requires that the controller's central place of administration is in the EU, and main establishment under NIS2. 

To add to the complexity, the jurisdictional rules differ again for providers of public electronic communications networks or of publicly available electronic communications services, which fall under the jurisdiction of the member state in which they provide their services rather than the member state where they are established. Again, this means these providers must comply with all local implementing laws, register locally, and report incidents in each member state where they provide services.

Leveraging compliance efforts

After one year of practicing and implementing NIS2 compliance programs, starting with Belgium and moving to the other EU member states that have gradually transposed NIS2 requirements — Hungary, Italy, Finland, Greece, Romania and Denmark — there have been a number of lessons learned and best practices that have emerged.

While EU member states could have transposed the NIS2 Directive in a harmonized way to make it easier for organizations to comply, this is unfortunately not the case; many disparities have arisen among the member states that have implemented NIS2. 

Despite local variations, following the seven-step approach to compliance recommended by the Cybersecurity Centre Belgium has proven a useful guide in most jurisdictions. Inspired by the CCB's seven-step process and our experience so far, below is a seven-step plan that has proven effective not only in Belgium, but also as a more global approach to NIS2 compliance.

Step 1: Determine which entities are in-scope of NIS2 and where. In general, all EU member states follow the same three criteria set by the NIS2 Directive to determine entities in scope of implementing laws: size, sector/activity, and establishment — sometimes provision of services — in the territory.

In this assessment, multinational organizations must consider that some national laws have expanded the list of the activities and sectors qualifying as "highly critical" or "critical." For example, Hungary and Romania expanded the highly critical health sector to include the mere distribution and wholesale of medicinal products, while the NIS2 Directive only covers the manufacturing of medicinal products. 

In addition, some EU member states' authorities appear to consider that, while not falling within a highly critical sector, the distribution of medicines may nevertheless fall within another critical sector, the "Manufacture, production and distribution of chemicals," to the extent the medicinal products qualify as a "substance" or "mixture" as defined under the "Regulation on the registration, evaluation, authorisation and restriction of chemicals." 

While Italy's National Cybersecurity Authority, the Agenzia per la Cybersicurezza Nazionale, considers that medicinal products, exempted under Article 2 of the REACH Regulation from registration obligations under Title II of the same regulation, do not fall within the scope of NIS2 — at least in the 2024-25 implementation phase and pending the establishment of a consensus at EU level — this is not the approach followed by other authorities, such as in Belgium.

Step 2: Register in-scope NIS2 entities with competent authorities. One relatively burdensome aspect is that each member state/authority has adopted a different registration form and platform, with some asking for more details than others. 

Step 3: Plan cybersecurity training. This is one constant in all EU member states: Management needs to receive specific training on NIS2 in order to be able to understand and comply with their duties and responsibilities. Since the content of the training is generally not set by law, training materials prepared for one EU member state may serve as a basis in another country.

Step 4: Conduct a strategic risk assessment, determine your risk assurance level, and implement appropriate and proportionate cybersecurity risk-management measures. This should start with a strategic risk assessment to evaluate the organization's risk profile and appropriate risk assurance level.

Regarding cybersecurity risk-management measures, while NIS2 expressly lists 10 minimum measures based on an "all-hazards" approach and aiming to protect network and information systems and their physical environment against incidents, some member states appended additional or more specific measures. For example, Belgium added "a coordinated vulnerability disclosure policy."  

Other member states, such as Hungary, have added a requirement to appoint an external auditor, while Romania is setting specific requirements for local management to appoint a person responsible for the security of network and information systems, and Greece requires the appointment of an information and communication systems security officer.

In order to facilitate the practical implementation of the cybersecurity risk-management measures, a practical compliance framework called the "Cybersecurity Framework" has been developed. This framework, initially created in Belgium and then adopted by other EU member states such as Ireland and Romania, allows organizations that are not already relying on a specific information technology security and cybersecurity framework standard to assess their risk assurance level and to follow a simple framework designed specifically to meet NIS2 requirements. 

For the "digital sector" — cloud computing service providers, data center service providers, managed security service providers, and providers of online marketplaces — the Commission Implementing Regulation (EU) 2024/2690 lays down the technical and methodological requirements of the cybersecurity risk-management measures referred to in NIS2, and specifies the cases in which an incident is considered to be significant.

Step 5: Prepare your organization to report and address significant incidents. While the definition of a significant incident is common to all member states, the reporting platform will differ, and companies need to keep track of where to report and how.

Step 6: Ensure supply chain security. While this step is not included as such in the CCB's plan, supply chain security is one of the 10 cybersecurity risk-management measures imposed under Article 21 of the NIS2 Directive. Our experience of NIS2 projects shows this is a core element of an organization's compliance efforts, as it includes maintaining an up-to-date registry of direct suppliers and service providers, performing an appropriate assessment of their cybersecurity practices, and reviewing contractual terms to include specific cybersecurity requirements and a right of audit — or a right to receive audit reports.

Step 7: Have your cybersecurity reviewed/assessed and validated. As indicated, EU member states currently have varying approaches to this requirement. 

Under the NIS2 Directive, essential entities will be subject to on-site inspections and off-site supervision, regular and targeted security audits, as well as ad hoc audits carried out by an independent body or a competent authority. Important entities are only subject to ex-post supervision and targeted security audits.

In substance, essential entities must undergo a mandatory, regular conformity assessment.

In Belgium, and hopefully soon in other EU member states, obtaining a "label" under the Cybersecurity Framework, or an ISO 27001 certification with the relevant scope of application and issued by an accredited body, will offer a presumption of conformity to NIS2. Let's hope more EU member states follow this pragmatic approach.  

If more EU member states adopt the Cybersecurity Framework or ISO 27001 certification, this will no doubt facilitate compliance efforts as organizations will be able to leverage compliance efforts across countries that adopt this approach, like Ireland and Belgium.

Conclusion

The fact that many EU member states are late in adopting the NIS2 Directive does not mean organizations should not take action now and make cybersecurity a top priority for the months and years to come.

Cyberattacks are on the rise. As our experience shows, some trends are already emerging as to what efficient NIS2 compliance looks like and how compliance efforts in some EU member states can be leveraged in order to ensure quick and smooth implementation in the others.

Elisabeth Dehareng, AIGP, CIPP/E, is a partner at Baker McKenzie. 

Julie Austin is a partner at Mason Hayes and Curran.