What it means that NIS2 is a directive
The contrast with a regulation makes the point clearly. When the EU adopts a regulation, such as the GDPR, it applies directly across the EU without any national implementing step. The text is the same in every jurisdiction. A directive requires Member States to enact their own implementing legislation. That legislation must meet the floor set by the directive, but Member States can go further: adding sectors, lowering thresholds or applying stricter supervision.
NIS2 was adopted in December 2022. Member States were required to transpose it into national law by 17 October 2024. Many have now adopted implementing legislation, although the status and completeness of transposition still varies. The implementing laws differ in ways that affect how the directive applies to each legal entity in each jurisdiction.
Why local transposition changes scope, supervision and evidence
Three things change materially when you look at national law rather than the directive itself.
- Scope: NIS2 defines two tiers of entity: essential and important. The directive sets minimum size thresholds, but Member States can designate additional entities regardless of size or sector. An organisation that falls outside scope under a strict reading of the directive may find itself designated in one or more jurisdictions. Conversely, a business that assumes it is in scope may find that a specific national exemption applies.
- Supervision: The competent authority responsible for oversight varies by Member State and, in some jurisdictions, by sector. The supervisory approach, inspection regime and enforcement posture differ accordingly. An organisation with entities in three EU countries may be subject to three distinct supervisory frameworks, each with different expectations about what adequate compliance looks like.
- Evidence: NIS2 Article 21 sets out at least ten categories of security measure. What constitutes adequate evidence of those measures, and how that evidence would be tested in an inspection or following an incident, is shaped by national implementation. A security programme designed against the directive alone may have gaps when assessed against the applicable national law.
What multinational organisations should do
The starting point is establishing which entities are in scope under which national law and in which jurisdiction each will be supervised. This is not always obvious. Groups with complex legal structures, shared services or cross-border operations often find that the picture is more fragmented than expected.
Once scope is established, the next step is identifying which differences between national implementations are material. Not every variation is significant. Some are administrative. Others affect the substance of what needs to be in place before a supervisory authority conducts an inspection or before an incident triggers notification obligations.
A compliance programme designed around a single national transposition, typically the jurisdiction closest to headquarters, creates residual risk where other entities are subject to different requirements. The programme needs to be calibrated against each relevant national law or, at a minimum, the points of meaningful divergence need to be identified and addressed explicitly.