Compliance

Navigating the EU’s NIS2 Directive: Expert Services to Ensure Your Compliance and Resilience

Grayson Taylor

Sr. Director, Global Assurance

Mukund Cadambi

Sr. Director, Advisory Services

August 20, 2025
NIS2 Blog

In today's hyper-connected digital landscape, cybersecurity isn't just a technical necessity, it's a business imperative. The EU's Network and Information Security Directive 2 (NIS2), formally Directive (EU) 2022/2555, is reshaping how organizations across Europe protect their networks and information systems.

Enacted on January 16, 2023, NIS2 builds on its predecessor to combat escalating cyber threats and bolster critical infrastructure resilience. As of July 2025, implementation remains uneven, with only 14 out of 27 member states having fully transposed the directive into national law, creating a complex compliance environment. This presents both challenges and opportunities for businesses. At Coalfire, we specialize in helping companies achieve seamless NIS2 compliance through tailored consulting, risk assessments, and implementation support. In this blog, we'll dive into the current status, key requirements, and how our services can safeguard your operations while turning compliance into a competitive advantage.

The Current Landscape of NIS2 Implementation

NIS2 required EU member states to transpose the directive into national law by October 17, 2024, with obligations kicking in the following day. However, progress has been slower than anticipated. As of July 2025, 14 member states have completed transposition based on primary laws, but significant divergences in timelines, sectoral scopes, and enforcement persist. The European Commission has ramped up enforcement: In November 2024, it launched infringement procedures against 23 non-compliant states. By May 7, 2025, reasoned opinions were sent to 19 states—including Bulgaria, Czechia, Denmark, Germany, Estonia, Ireland, Spain, France, Cyprus, Latvia, Luxembourg, Hungary, the Netherlands, Austria, Poland, Portugal, Slovenia, Finland, and Sweden—for failing to notify full transposition. These states have two months to respond, or risk referral to the Court of Justice of the European Union.

Countries like Belgium, Croatia, Greece, Italy, Lithuania, and Slovakia have made strides with adopted legislation, while others, such as Germany and France, continue to grapple with drafts amid political and structural hurdles. This patchwork of progress means businesses operating across borders face uncertainty and potential inconsistencies in requirements.

Don't let these delays derail your strategy. Our NIS2 compliance services include real-time monitoring of national developments, customized gap analyses, and proactive transposition alignment. We've helped numerous clients in delayed markets like Germany and France navigate draft laws and prepare for full enforcement, ensuring you're compliant no matter the jurisdiction.

Expanded Scope and Essential Compliance Requirements

NIS2 casts a wider net than its predecessor, encompassing 15 critical sectors such as energy, transport, health, digital infrastructure, and public administration. Entities are classified as "essential" (large organizations in Annex I sectors, subject to proactive supervision and fines up to €10 million or 2% of global annual turnover) or "important" (medium-sized or Annex II entities, with fines up to €7 million or 1.4% of turnover).

All in-scope organizations must adopt "appropriate and proportionate" measures, including:

  • Comprehensive risk analysis and incident handling protocols
  • Supply chain security assessments
  • Regular cybersecurity training, especially for management bodies, which now bear personal liability for breaches

Failing to meet these can result in severe penalties and reputational damage. Coalfire’s team of assurance professionals offers end-to-end compliance solutions, from conducting thorough risk assessments to seamlessly assessing compliance against NIS2 and other directives and frameworks.

Streamlined Incident Reporting Under NIS2

One of NIS2's hallmarks is its rigorous reporting framework, designed to foster transparency and rapid response. Upon detecting a "significant" incident—one that disrupts operations, causes financial loss, or harms third parties—entities must:

  • Issue an early warning within 24 hours
  • Provide a detailed notification within 72 hours
  • Submit a final report within one month, covering root causes, mitigations, and cross-border effects

Reports go to national Computer Security Incident Response Teams (CSIRTs) or authorities, with the EU-CyCLONe network aiding coordination. The next EU-CyCLONe report is slated for January 17, 2026.

Tailoring to Member-State Variations

Flexibility in transposition leads to national differences, amplifying compliance complexity. For example:

  • Belgium and Ireland: Ireland has joined the Cyber Fundamentals Framework (CyFun), originally developed in Belgium, as a scheme co-owner. The CyFun framework provides a structured, risk-based approach that helps essential and important entities organize and evidence their NIS2 security measures.
  • Germany: Drafts stick to minimum standards to avoid extra burdens, but delays persist.
  • Italy: ACN has established requirements for achieving NIS2 compliance.
  • France: Aiming for simplification, but political delays continue.
  • Non-transposed states face ongoing pressure for uniformity.

Our member-state-specific consulting deciphers these variations. Whether you're in a fully transposed state like Italy or a delayed one like Slovenia, we deliver localized strategies, including legal reviews and cross-border harmonization, to keep you ahead.

Building Cybersecurity Excellence for NIS2 Success

Compliance thrives on strong cybersecurity hygiene. We advocate—and implement—practices like multi-factor authentication, regular audits, and management training to prevent incidents altogether. Automated tools for backups and detection align perfectly with NIS2, reducing risks and enhancing resilience.

By partnering with us, you gain more than compliance; you gain a trusted partner dedicated to staying on the cutting edge of emerging compliance needs and security initiatives, meeting you where you are on your compliance journey.

Charting the Future: Proactive Compliance Starts Today

With NIS2 enforcement intensifying and transposition gaps closing, now is the time for action. Monitor national updates, collaborate with CSIRTs, and tap into resources like ENISA's Vulnerability Database. But for expert guidance, let Coalfire be your trusted compliance partner!