During this Cybersecurity Month in the European Union, we join the ENISA initiative and continue to analyze the greatest challenges of the future. One of the most notable is the lack of coordination in compliance with the NIS2 directive, which aims to unify Europe into a cybersecurity powerhouse with a framework of common cybersecurity standards and compliance.

NIS2 is the directive that was supposed to be transposed into national law by October 17, 2024. A year later, many Member States have still not completed the transposition or are implementing it unevenly.

The European Commission has opened infringement proceedings against several countries due to these delays, confirming that the regulatory landscape continues to "develop at different speeds."

Where fragmentation is evident

• Different timelines and partial laws. Some countries have regulations already in force and others are in draft form, creating uncertainty for organizations operating in several states. Example: Germany acknowledged at the beginning of 2025 that it had not been on time with its transposition laws.

• Non-identical definitions and thresholds. Although NIS2 sets common requirements, the details (e.g., which entities are "essential" or "important") vary. To top it all off, the obligation to maintain national entity lists and notify them to the Commission by April 17, 2025, has also not been met equally. The result: the same provider may be "essential" in one country and "important" (or not even listed) in another.

• Uneven supervisory capacities. National competent authorities and CSIRTs do not have the same resources or processes. ENISA has pointed out unequal sectoral maturity and the need to harmonize taxonomies and reporting to make data comparable.

• Heterogeneous notification gates and deadlines. NIS2 sets milestones (24-hour initial notice, etc.), but in practice, portals, formats, and evidentiary requirements differ by country while common guidelines are being consolidated, adding burden and risk of errors in cross-border incidents.

Why does this complicate coordination?

In the event of a large cyber incident that crosses borders, the CSIRTs Network and EU-CyCLONe (the "crisis mechanism" at the political-operational level) should be integrated.

If each country arrives with laws, lists, and procedures at different stages of maturity, sharing indicators, activating aid, and taking common measures becomes slower and more uneven.

ENISA insists on strengthening these solidarity and joint response mechanisms so that they operate with harmonized data and clear rules.

Practical consequences for companies

• Increased compliance complexity (custom-made programs and evidence per country).

• Operational risk: In a multinational attack, notification deadlines and formats vary by jurisdiction.

• Disparate regulatory decisions (different sanctions or injunctions for the same act).
  These frictions are being seen "one year after" the deadline, according to legal and industry analyses.

What the EU is doing (and what's still missing)

• The Commission has initiated infringement proceedings to accelerate transposition.

• ENISA is working on taxonomies, reporting frameworks, and support for CyCLONe/CSIRTs to standardize the practice.

• Even so, until all states approve and fully implement their laws (and publish consistent lists of entities), the asymmetry will continue to hinder coordinated and comparable responses.

Spain (status as of October 27, 2025)

• There is still no definitive NIS2 law in force. The Council of Ministers approved the Preliminary Draft Law on Cybersecurity Coordination and Governance in January 2025 as a "vehicle" for NIS2 (and the CER Directive), but it is still pending parliamentary approval.

• The European Commission sent a reasoned opinion on May 7, 2025, to Spain (and 18 other countries) for failing to notify the full transposition of NIS2.

• Meanwhile, Spain has been aligning the ENS and technical work with the EU (CCN), but without finalizing the transposition. Local economic and legal press highlighted this in October 2025 ("Spain, against the clock...").

Indicative ranking in the EU (regulatory progress)

Based on laws already passed/in force and official public references (does not imply that all have "notified" 100% of the Commission).

Most advanced (law in force, active operational milestones)

1. Italy – Legislative Decree 138/2024, effective October 16, 2024; ACN authority and registration platform.

2. Belgium – Law of April 26, 2024 + RD of June 9, 2024; NIS2 in force since October 17, 2024.

3. Malta – Transposition by LN 71/2025 (April 8, 2025).

4. Slovakia – Law published December 2024, effective January 1, 2025.

5. Slovenia / Greece – Slovenia in force June 2025; Greece Law 5160/2024 (November 29, 2024).

Most delayed (national transposition still pending/"in progress" as of this date)

• Germany (NIS2/KRITIS drafts still in progress in 2025).

• France (process underway in 2025).

• Spain (preliminary draft January 2025; pending final approval).

• The Netherlands and Portugal (among the countries to which the Commission sent a reasoned opinion in May 2025 for not notifying full transposition).

The coordination of the European body is important to ensure that citizens are safe from cyberattacks and our institutions are prepared against cybercriminals.