The NIS2 Directive is reshaping cybersecurity obligations across the EU. With 10 member states already transposing NIS2 into national law, organizations face a growing patchwork of compliance requirements. The directive expands scope to cover more sectors and third-party partners, while introducing personal liability for leadership. For multinational companies, this means managing compliance across a fragmented regulatory landscape — requiring board-level attention, localized execution, and a clear strategy to raise the cybersecurity baseline across the business.

The NIS2 Directive (Directive (EU) 2022/2555) marks a significant evolution in the European Union’s approach to cybersecurity regulation. Designed to strengthen digital resilience across critical and essential services, NIS2 introduces stricter obligations, broader applicability, and — for the first time — personal accountability for company leadership.

State of implementation: A patchwork of national laws

As of now, 10 EU member states have transposed the NIS2 Directive into national law, each with its own legal framework and enforcement body:

• Belgium: Law of April 26, 2024 on cybersecurity of networks and systems for public security
• Croatia: Cybersecurity Act
• Greece: Law on the National Cybersecurity Authority and Other Provisions
• Hungary: Act XXIII of 2023 on cybersecurity certification and supervision
• Italy: Legislative Decree No. 138 of September 4, 2024
• Latvia: National Cybersecurity Law
• Lithuania: Cyber Security Law No.12-1428
• Romania: Emergency Ordinance on cybersecurity of civil national cyberspace
• Slovakia: Act 366/2024, amending existing cybersecurity regulations
• Finland: Cybersecurity Act (Kyberturvallisuuslaki)

While this progress is notable, the divergence in how each member state structures enforcement and operational requirements is beginning to reveal a key challenge of NIS2: variability.

A fragmented enforcement landscape for multinational organizations

Unlike centralized regulations, NIS2 allows each member state discretion in defining specific enforcement procedures and even expanding the directive’s applicability. This results in a fragmented regulatory landscape, especially problematic for multinational organizations operating across multiple EU jurisdictions.

Organizations will need to account for:

• Different definitions of “essential” and “important” entities
• Varying national timelines and authorities for incident reporting
• Country-specific penalties and audit requirements
• Expanded criteria for scope inclusion based on national discretion

What emerges is a compliance sprawl — one that demands operational alignment across legal, cybersecurity, and risk functions, all while ensuring continuous coordination with each country’s supervisory authority.

Expanded scope: More entities, more exposure

At the heart of NIS2 lies a vastly expanded scope. The directive covers two categories of in-scope entities:

• Essential entities: Energy, transport, banking, health, digital infrastructure, and public administration
• Important entities: Postal services, food production, manufacturing of critical products, and digital providers

Additionally, third-party providers and suppliers who play a critical role in delivering these services are also subject to risk management and due diligence requirements.

Complicating matters further, member states retain the right to expand scope through national law, potentially bringing additional sectors or smaller organizations under the directive’s umbrella. For multinational organizations, this introduces compliance uncertainty and increases the need for centralized governance with localized implementation.

 
Personal liability begins at the top

For senior executives and board members, NIS2 is not just another technical mandate—it’s a leadership issue. Under Article 20 of the Directive, management bodies are legally required to approve and oversee cybersecurity measures. In the event of non-compliance, they may be held personally liable.

This clause represents a significant shift:

• Cybersecurity oversight is now a board-level responsibility
• Failure to comply may lead to individual penalties, including suspension or exclusion from leadership roles
• Enforcement mechanisms are becoming more aggressive and transparent

Elevate through adversity

At the same time, NIS2 creates a real opportunity for leadership to elevate the organization’s cybersecurity baseline — not just to comply, but to embed resilience, trust, and operational continuity into the core of the business.

The NIS2 Directive is reshaping the cybersecurity and risk landscape across Europe. Its intent is clear: raise the bar, close the gaps, and enforce accountability at the top. But its decentralized enforcement structure and sweeping scope mean that compliance is no longer a one-size-fits-all exercise.

For business and security leaders, the time to act is now. Organizations must take a proactive, cross-functional approach to NIS2 — grounded in strong governance, clear reporting frameworks, and executive ownership.

Learn more about OneTrust’s Tech Risk & Compliance solutions by requesting a demo.