The year 2025 is supposed to mark the point where Europe’s digital security enters a new era. With the compliance deadline for the Network and Information Security Directive 2 (NIS2) having passed this October, the Directive promised a more unified and resilient approach to security. Yet, at this moment in time, it’s easy to feel that this vision is far from being realised.
Instead of delivering cohesion, the Directive’s rollout has been tainted by delays, and member states across Europe are fragmented in their approaches to compliance. Rather than a unified security posture across the continent, we are witnessing a slow-burning reluctance to comply that is testing the patience of regulators, businesses, and investors alike.
If the EU doesn’t take decisive action to address these shortcomings, this patchwork approach will not only weaken Europe’s security posture but could also damage its reputation as a leading region for business.
2025 will be a year of reckoning for NIS2. The EU will have to ensure that all members become aligned with compliance. It’s time to learn from member states’ lack of urgency and work to adopt a more pragmatic, staged approach to compliance with clearer mechanisms for accountability and transparency. It’s time to turn ambition into action.
NIS2: Fragmentation Undermines Security
The original, optimistic goal of NIS2 was to bring all EU member states onto the same page, creating a unified security framework. Yet, instead of 27 countries moving in sync, we now have nearly 27 different timelines.
Countries like Sweden and Denmark have pushed compliance deadlines back by months, if not years, while others are stuck in uncertainty. As a result, organisations are no longer feeling the urgency to get their security standards up to scratch.
This lack of cohesion poses a massive risk. Cybersecurity threats don’t recognise borders, and fragmented compliance will lead to weak links that can undermine the entire bloc. For instance, supply chains rely on smooth operations and frictionless trade across Europe daily. What happens when a company in a compliant country must work with a partner in one which is lagging behind? The disparities in security leave the entire chain vulnerable, threatening not only individual businesses but the EU’s broader reputation.
If Europe is serious about its cybersecurity, it must address this fragmentation head-on. A top-down push from Brussels is overdue to ensure lagging nations step up and align with their peers. The current fragmented approach is no longer tenable.
The Case for Staged Compliance
One of the biggest lessons from NIS2’s rollout is that an all-or-nothing approach simply doesn’t work. Currently, organisations are either fully compliant, or not at all, even if they have made progress on certain aspects of NIS2’s demands.
We need to adopt a staged approach which breaks compliance into manageable milestones. This would allow member states and businesses to achieve tangible progress while working toward full compliance. For example, prioritising immediate fixes for the most critical vulnerabilities while setting longer-term goals for broader reforms would be far more effective than demanding perfection upfront.
A staggered roadmap would also help regulators distinguish between those making genuine efforts and those dragging their feet. The current binary system—compliant or non-compliant—fails to capture this nuance.
The Missing Ingredient of Accountability
For NIS2 to have any chance of success, accountability must be at the forefront. At the moment, the lack of enforceable penalties has allowed organisations and even entire nations to deprioritise compliance. Without teeth, regulations are little more than polite suggestions.
The EU must establish mechanisms to hold both companies and governments to account. This could include public progress reports, financial penalties, or even naming and shaming those that are not meeting the proposed standards. Importantly, boards and executives must be held responsible. Cybersecurity cannot remain a back-office concern—it needs to be a boardroom priority.
The harsh reality is that it may take a significant and publicised breach, one which exposes compliance gaps, to drive urgency among regulators and businesses. It would be a costly wake-up call, but it could force regulators and businesses alike to sit up and take notice. While hopefully it doesn’t come to this, history suggests otherwise.
Accountability must also be accompanied by transparency if confidence in NIS2 is to be rebuilt. Currently, the lack of visibility into member states’ progress leaves stakeholders in the dark. This uncertainty fuels doubt and erodes trust, particularly among investors and international partners.
A public-facing system that tracks and reports on each nation’s compliance would address this issue. Transparency would reassure stakeholders that progress is being made while also putting pressure on lagging countries to catch up.
What’s Next for the EU?
Looking ahead, the EU must build on the lessons of NIS2 when shaping future regulations. Asking for too much, too soon has clearly backfired. Future legislation should focus on incremental progress, recognising that achieving meaningful change takes time and resources.
The question is, does compliance equal security? The unfortunate answer is no, not always. Organisations may prioritise investments that make them more secure but don’t necessarily tick the boxes for compliance. This disconnect is another issue the EU must address, ensuring that regulations not only promote compliance but genuinely enhance security.
Rather than enforcing a simple pass/fail approach, the EU needs to be flexible and allow organisations to act in their best security interests, even if this might mean working outside the realms of NIS2. By fostering a culture of flexibility and prioritising security outcomes over prescriptive compliance checklists, regulations can better align with their goal of creating a safer digital environment.
Ultimately, the EU faces a choice. It can either double down on its commitments, enforcing NIS2 with the urgency it demands, or risk seeing its ambitions crumble under the weight of inaction. Cyber threats are evolving every day. Europe’s response must evolve just as quickly.