As the dust begins to settle following the October 2024 transposition deadline for the NIS 2 Directive, the road ahead for EU Member States and organizations is anything but straightforward. While the directive promises a more harmonized and resilient cybersecurity landscape, the current state of implementation reveals a mix of progress, delays, and untapped opportunities that demand closer examination.

Where Do We Stand?

Although the transposition deadline has passed, most Member States remain behind schedule. Only a handful-five out of 27-have officially incorporated NIS 2 into national legislation. This delay is not simply a procedural hiccup; it signals a broader challenge in aligning national cybersecurity frameworks with the directive's ambitious scope.

This lag creates a fragmented regulatory landscape, where some countries are prepared to enforce compliance while others remain in limbo. The implications are particularly acute for multinational organizations now facing the challenge of navigating varying expectations across jurisdictions. This fragmented compliance environment is not just inconvenient; it threatens the directive's core goal of creating a unified cybersecurity posture across the EU.

Harmonization vs. Local Realities

At its heart, NIS 2 aims to consistently identify and regulate essential and important entities. Yet, harmonization is proving difficult in practice. For smaller countries with unique economic or logistical profiles, like Iceland, the directive's rigid categorization of critical infrastructure may miss the mark. In Iceland, for instance (a European Economic Area member, so NIS 2 applies), a food manufacturer with only a few employees might still be critical due to its outsized role in national food security. However, applying it to one specific entity that would otherwise be out of scope (due to its size) is an issue not fully addressed by the directive's broad brush.

This tension between centralized regulation and local nuances underscores a fundamental challenge: How can the EU ensure a consistent approach and avoid market fragmentation without disregarding unique national contexts? As more Member States work toward transposition, finding a balance between these two priorities will be crucial, especially in the context of borderless digital services (including cybersecurity).

The Growing Role of National Cybersecurity Agencies

As organizations navigate the complexities of NIS 2 compliance, one promising development is the emergence of tools and resources from national cybersecurity agencies. These initiatives provide actionable guidance, helping organizations assess their readiness and take the necessary steps toward compliance. Highlighting these efforts underscores the importance of collaboration and reminds us of our collective responsibility in building a secure digital ecosystem.

Several countries have taken proactive measures, offering tools and frameworks to assist organizations. Among them, Belgium is a leader in guiding businesses toward NIS 2 compliance. The Belgian National Cybersecurity Center has published detailed guidelines and resources designed to clarify the next steps for organizations, including self-assessment tools and recommendations for strengthening defenses. Belgium's comprehensive approach serves as a benchmark for other Member States.

Similarly, other national cybersecurity agencies are stepping up:

• Germany's Federal Office for Information Securityhas developed extensive resources focused on helping organizations align with evolving requirements, including risk management frameworks and incident response guidelines.
• France's National Cybersecurity Agencyprovides tailored guidance and training materials to help organizations build compliance strategies, especially for critical infrastructure operators.

The Role of ENISA in Harmonizing Efforts

At the EU level, the European Union Agency for Cybersecurity (ENISA) is pivotal in supporting the harmonization of NIS 2 implementation across Member States. ENISA has released guidance and draft policies that help bridge gaps between national approaches. The agency's resources, including threat landscape reports, incident reporting templates, and sector-specific compliance guides, offer a valuable foundation for organizations and regulators.

In November 2024, ENISA released a draft of its technical guidance to assist entities in implementing the cybersecurity risk-management measures outlined in the Commission Implementing Regulation (EU) 2024/2690 of October 17, 2024. This guidance offers additional advice on implementing requirements, clarifies concepts and terms used in the legal text, provides examples of evidence to assess compliance, and includes mappings of security requirements to European and international standards and national frameworks. ENISA has invited industry stakeholders to provide feedback on this draft by December 9, 2024, emphasizing the agency's commitment to the collaborative development of effective cybersecurity practices.

The Risks of Delay

Implementation delays are more than just administrative bottlenecks. They introduce significant risks to both the private and public sectors. For public administrations, many of which are custodians of critical infrastructure, the absence of clear enforcement mechanisms could leave gaps in cybersecurity defenses as threats continue to escalate.

Furthermore, the legal uncertainties stemming from these delays could create compliance dilemmas for organizations. The self-executing nature of NIS 2 means that even in countries where it has not been transposed, elements of the directive may still be enforceable. This raises questions about how organizations should prioritize compliance efforts in the face of ambiguous expectations.

Opportunities for Thoughtful Engagement

Despite these challenges, NIS 2 presents important opportunities for transformation. Its emphasis on risk management, incident reporting, and supply chain security provides a framework for organizations to strengthen their cybersecurity postures meaningfully. More importantly, it encourages organizations to think beyond minimum compliance and toward a more resilient and adaptive security strategy.

Forward-thinking organizations are using this moment to assess their cybersecurity practices to meet regulatory obligations and position themselves as leaders in their respective industries. For those operating across multiple jurisdictions, this might involve adopting a "highest common denominator" approach to compliance, ensuring readiness in even the most stringent regulatory environments.

Fortinet's Approach to NIS 2 Compliance

As a multinational organization operating across compliant and noncompliant jurisdictions, Fortinet demonstrates how proactive measures can address the challenges of uneven NIS 2 transposition. Recognizing the importance of early preparation, Fortinet has identified its main establishment within the EU and is engaging informally with its anticipated competent authority. By taking these steps ahead of formal transposition, Fortinet ensures its readiness to meet compliance obligations while maintaining operational continuity.

Fortinet's approach is a practical example for other organizations navigating similar complexities. Its focus on early engagement, alignment with emerging best practices, and collaboration with national cybersecurity agencies underscores the value of proactive compliance strategies in an evolving regulatory landscape. These efforts position Fortinet as a leader in adapting to NIS 2 requirements and offer actionable insights for businesses aiming to build resilient and scalable compliance frameworks.

In addition to ensuring its own compliance, Fortinet provides tools and solutions to help other organizations meet NIS 2 requirements. For example, the Fortinet Security Operations (SecOps) platform integrates advanced, AI-powered sensors to detect and disrupt cyber threats across the entire attack surface, transforming the security paradigm from "detect and respond" to "detect and disrupt." By continuously analyzing device, network, application, cloud, and even dark web activity, the SecOps platform enables early detection, rapid containment, and comprehensive remediation-all critical capabilities for compliance with NIS 2's risk management and incident response requirements.

Moreover, Fortinet addresses the critical human element of cybersecurity, a key aspect often overlooked in compliance strategies. With solutions like FortiPhish, Fortinet equips organizations to simulate phishing attacks and train employees to identify and avoiding such threats. Combined with Fortinet's NSE training and certification programs, businesses can elevate employee awareness and expertise, reducing human error risk while fostering a cybersecurity readiness culture.

Additionally, Fortinet's FortiRecon service enhances third-party risk visibility by identifying external threats, including vulnerabilities, shadow IT, and exposed credentials on the dark web. These insights empower organizations to understand and mitigate risks in their extended ecosystem, a key component of complying with NIS 2's emphasis on supply chain security. Vital tools like Fortinet's SecOps platform, FortiRecon service, and training solutions enable businesses to proactively address evolving threats while meeting regulatory demands efficiently and confidently.

What's Next?

As the implementation of NIS 2 unfolds, several key questions remain:

• How will the EU address the disparities in Member State readiness?Coordinated efforts at the European level, including further guidance from ENISA and other bodies, will be critical to bridging these gaps.
• What role will organizations play in driving compliance?Companies operating across multiple jurisdictions have a unique opportunity to set proactive engagement and readiness standards.
• How can the directive evolve to accommodate local realities?A more dynamic approach to categorizing critical infrastructure, informed by local conditions, could enhance the directive's long-term impact.

Final Thoughts

The NIS 2 Directive represents both a challenge and an opportunity. Its success hinges on the ability of Member States, organizations, and regulatory bodies to navigate its complexities thoughtfully and collaboratively. While the uneven pace of implementation raises immediate concerns, it also invites a deeper conversation about how Europe can achieve a genuinely resilient and harmonized cybersecurity landscape.

Organizations, regulators, and policymakers must seize this opportunity to go beyond compliance and embrace the directive's broader vision of collective security. The journey may be challenging, but the potential rewards-a safer, more resilient digital Europe-make it worth pursuing.

Discover the latest NIS2 resources including the new webinar series on-demand "Navigating NIS2 Compliance with Fortinet SecOps".