Ireland, Spain, France, Bulgaria, Luxemburg, the Netherlands, Portugal and Sweden have failed to add NIS2 to law.
EU member states are under pressure from the European Commission for failing to implement the NIS2 cybersecurity directive into law.
According to this directive, eight European countries have failed to transpose the NIS2 directive into domestic law, despite the deadline to do so being October 17th 2024. These were named as Ireland, Spain, France, Bulgaria, Luxemburg, the Netherlands, Portugal and Sweden.
Unlike regulations such as GDPR, directives require transposition into domestic legislation, which can delay and vary enforcement. The Commission had warned 19 countries in May 2025 to act within two months or risk referral to the Court of Justice of the EU.
Jamie Akhtar, CEO and co-founder of CyberSmart, said: “Uptake problems have plagued NIS2 since the European Commission enacted it a couple of years ago. You can broadly split these problems into two categories: European states that still haven’t transposed it into national law, and organisations that should be compliant but aren’t.
“At the state level, there’s little excuse for the inaction. It speaks to some national governments still failing to take the security of critical national infrastructure as seriously as they should. It’s worth asking if NIS2 had been a regulation (it would have passed straight into national law in that case), rather than a directive, its rollout might have been smoother. Although DORA is a regulation and has faced many of the same problems, perhaps the problem is more cultural than legal.”
Akhtar said that if initiatives like NIS2 and DORA are to succeed, they must be championed and led by the state. “Anything else just sends the message that cybersecurity is an afterthought and that strong defences are a ‘nice to have’ rather than essential.”
Written by
Dan Raywood
Senior Editor
SC Media UK
Dan Raywood is a B2B journalist with 25 years of experience, including covering cybersecurity for the past 17 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.
He has spoken at events including 44CON, Infosecurity Europe, RANT Forum, BSides Scotland, Steelcon and the National Cyber Security Show.
Outside work, Dan supports Tottenham Hotspur, manages mischievous cats, and samples the finest craft beers.