
Navigating NIS2: A new era of EU cyber governance

Multinational companies must manage compliance across a fragmented regulatory landscape

Kaitlyn Archibald
Product Marketing Director
June 4, 2025

The NIS2 Directive is reshaping cybersecurity obligations across the EU. With 10 member states already transposing NIS2 into national law, organizations face a growing patchwork of compliance requirements. The directive expands scope to cover more sectors and third-party partners, while introducing personal liability for leadership. For multinational companies, this means managing compliance across a fragmented regulatory landscape — requiring board-level attention, localized execution, and a clear strategy to raise the cybersecurity baseline across the business.

The NIS2 Directive (Directive (EU) 2022/2555) marks a significant evolution in the European Union’s approach to cybersecurity regulation. Designed to strengthen digital resilience across critical and essential services, NIS2 introduces stricter obligations, broader applicability, and — for the first time — personal accountability for company leadership.

State of implementation: A patchwork of national laws

As of now, 10 EU member states have transposed the NIS2 Directive into national law, each with its own legal framework and enforcement body:

  • Belgium: Law of April 26, 2024 on cybersecurity of networks and systems for public security
  • Croatia: Cybersecurity Act
  • Greece: Law on the National Cybersecurity Authority and Other Provisions
  • Hungary: Act XXIII of 2023 on cybersecurity certification and supervision
  • Italy: Legislative Decree No. 138 of September 4, 2024
  • Latvia: National Cybersecurity Law
  • Lithuania: Cyber Security Law No.12-1428
  • Romania: Emergency Ordinance on cybersecurity of civil national cyberspace
  • Slovakia: Act 366/2024, amending existing cybersecurity regulations
  • Finland: Cybersecurity Act (Kyberturvallisuuslaki)

Political map of Europe showing the status of the EU's NIS2 Directive in member states.

While this progress is notable, the divergence in how each member state structures enforcement and operational requirements is beginning to reveal a key challenge of NIS2: variability.

A fragmented enforcement landscape for multinational organizations

Unlike centralized regulations, NIS2 allows each member state discretion in defining specific enforcement procedures and even expanding the directive’s applicability. This results in a fragmented regulatory landscape, especially problematic for multinational organizations operating across multiple EU jurisdictions.

Organizations will need to account for:

  • Different definitions of “essential” and “important” entities
  • Varying national timelines and authorities for incident reporting
  • Country-specific penalties and audit requirements
  • Expanded criteria for scope inclusion based on national discretion

What emerges is a compliance sprawl — one that demands operational alignment across legal, cybersecurity, and risk functions, all while ensuring continuous coordination with each country’s supervisory authority.

Expanded scope: More entities, more exposure

At the heart of NIS2 lies a vastly expanded scope. The directive covers two categories of in-scope entities:

  • Essential entities: Energy, transport, banking, health, digital infrastructure, and public administration
  • Important entities: Postal services, food production, manufacturing of critical products, and digital providers

Additionally, third-party providers and suppliers who play a critical role in delivering these services are also subject to risk management and due diligence requirements.

Complicating matters further, member states retain the right to expand scope through national law, potentially bringing additional sectors or smaller organizations under the directive’s umbrella. For multinational organizations, this introduces compliance uncertainty and increases the need for centralized governance with localized implementation.

Personal liability begins at the top

For senior executives and board members, NIS2 is not just another technical mandate—it’s a leadership issue. Under Article 20 of the Directive, management bodies are legally required to approve and oversee cybersecurity measures. In the event of non-compliance, they may be held personally liable.

This clause represents a significant shift:

  • Cybersecurity oversight is now a board-level responsibility
  • Failure to comply may lead to individual penalties, including suspension or exclusion from leadership roles
  • Enforcement mechanisms are becoming more aggressive and transparent

Elevate through adversity

At the same time, NIS2 creates a real opportunity for leadership to elevate the organization’s cybersecurity baseline — not just to comply, but to embed resilience, trust, and operational continuity into the core of the business.

The NIS2 Directive is reshaping the cybersecurity and risk landscape across Europe. Its intent is clear: raise the bar, close the gaps, and enforce accountability at the top. But its decentralized enforcement structure and sweeping scope mean that compliance is no longer a one-size-fits-all exercise.

For business and security leaders, the time to act is now. Organizations must take a proactive, cross-functional approach to NIS2 — grounded in strong governance, clear reporting frameworks, and executive ownership.

Learn more about OneTrust’s Tech Risk & Compliance solutions by requesting a demo.  