17 October 2024 is the deadline by which EU member states were required to transpose NIS2 into national law. As of this date, not every member state has completed full transposition — a pattern consistent with most major EU Directives, where a proportion of member states inevitably miss the transposition deadline and face European Commission infringement proceedings.
For organisations operating in member states that have not yet fully transposed NIS2, a practical question arises: what are your obligations when the national implementing legislation is not yet final?
What Transposition Means — and What It Doesn’t Change
NIS2 is an EU Directive — it sets the framework and minimum requirements, but it takes effect through national implementing legislation in each member state. Member states have some flexibility in implementation: they can set stricter requirements than the NIS2 minimum, they can expand the entities in scope beyond the Directive’s baseline, and they implement the supervisory and enforcement mechanisms through their own regulatory structures.
What transposition does not change is the substance of NIS2’s requirements. The security measures required under Article 21, the incident reporting obligations under Article 23, and the management accountability requirements under Article 20 are set at EU level. Member states must implement them — they cannot implement weaker requirements. The national legislation provides the specific enforcement mechanism and the names of the competent authorities; it does not materially change what organisations must do.
The Practical Implication: Compliance Now, Not When Legislation Lands
For organisations that have been waiting for national implementing legislation before beginning their NIS2 compliance programme, the October 2024 deadline is a clear signal: the substance of what you need to do is set. The national legislation may add specificity on supervisory processes and notification channels, but it will not change the core requirements you have already been able to plan against.
Organisations that are not yet compliant with NIS2’s Article 21 security requirements — risk management framework, incident handling processes, supply chain security, MFA — are exposed from October 2024 in member states that have transposed the Directive. In member states with delayed transposition, the window of enforcement exposure is slightly deferred, but it will arrive. Using a member state’s transposition delay as a compliance deferral is a risk management decision, not an absence of obligation.
Where Compliance Programmes Typically Stand
In our experience working across multiple member states this year, the most common picture is: organisations that have scoped their NIS2 obligations, implemented or updated their cybersecurity risk management framework, and begun work on incident reporting processes — but have gaps in supply chain security, have not fully implemented the management training and accountability requirements, and have not yet tested their incident reporting against the 24-hour timeline.
These are solvable gaps. They are also the gaps that regulators beginning NIS2 supervision will examine first. The next six months are the right window to close them.
At Bitsecura, we are helping organisations across the EU complete their NIS2 compliance programmes in the months following the transposition deadline. If you have gaps to close, reach out here — the enforcement window is open.
Bitsecura provides NIS2 compliance consulting and cybersecurity services for essential and important entities. Learn more about our NIS2 services.