On December 6, 2025, Germany's act implementing the NIS2 Directive entered into force — fourteen months past the EU's transposition deadline of October 17, 2024.[1] The new law, a comprehensive revision of the Federal Office for Information Security Act, expanded cybersecurity regulation from approximately 4,500 entities to an estimated 29,000, introduced personal liability for board members who failed to oversee cybersecurity risk management, and established penalties of up to ten million euros or two per cent of global annual turnover.[2]
Germany was not an outlier. It was the pattern. More than a year after the transposition deadline, only twenty of the twenty-seven member states had officially completed the process. In May 2025, the European Commission sent reasoned opinions — the penultimate step before referral to the Court of Justice — to nineteen member states for failing to notify full transposition, including Germany, France, Spain, and the Netherlands.[3] The Czech Republic's transposition entered force on November 1, 2025. Belgium, Denmark, and Italy had transposed earlier. Others were at various stages of parliamentary deliberation, regulatory drafting, or political negotiation.
The result was precisely the condition that the NIS2 Directive had been designed to prevent: a fragmented cybersecurity landscape in which the obligations of companies operating across European borders depended on which member state they happened to be in, and whether that member state had finished its legislative homework. The directive was supposed to harmonise European cybersecurity. Instead, the transposition process had, at least temporarily, created new divergences.
This article examines what NIS2 requires, where transposition stands, how the Cyber Resilience Act adds a complementary layer, and whether the European Commission's proposed Digital Omnibus can stitch the patchwork together.
What NIS2 requires
The NIS2 Directive, adopted in January 2023 and replacing the original NIS Directive of 2016, represented the most significant expansion of European cybersecurity regulation in a decade. The original directive had covered seven sectors — energy, transport, banking, financial market infrastructures, drinking water, healthcare, and digital infrastructure — and left member states wide discretion in identifying which entities qualified as "operators of essential services."[4] The result was uneven coverage: what counted as an essential service in Germany might not in Portugal, and the thresholds for cybersecurity obligations varied substantially across borders.
NIS2 replaced this discretionary model with a rule-based one. It expanded coverage to eighteen sectors, adding manufacturing, food production, waste management, postal and courier services, public administration, space, and the chemicals industry, among others.[5] It introduced a clear size threshold — all medium and large enterprises in covered sectors fell within scope — eliminating the member state-by-member state identification process that had produced inconsistency under NIS1.[6] The European Commission estimated that more than 160,000 entities across the EU now fell under the directive's requirements, a dramatic expansion from the few thousand covered by the original legislation.[7]
The substantive obligations were correspondingly more demanding. Entities were required to implement cybersecurity risk-management measures covering at minimum: risk analysis, incident handling, business continuity, supply chain security, network and information systems security, and policies on the use of cryptography and encryption.[8] Incident reporting followed a tiered timeline: a twenty-four-hour early warning to the relevant CSIRT or national authority, a seventy-two-hour incident notification with an initial assessment, and a final report within one month detailing root causes, impact, and remediation measures.[9]
The directive also introduced a distinction between "essential" and "important" entities, with essential entities — those in the most critical sectors — subject to proactive supervision, while important entities were supervised reactively, typically triggered by evidence of non-compliance or a reported incident.[10] Penalties reflected this distinction: essential entities faced fines of up to ten million euros or two per cent of global annual turnover, whichever was higher, while important entities faced fines of up to seven million euros or 1.4 per cent of turnover.[11]
Perhaps most consequentially, NIS2 required that management bodies — boards of directors, executive leadership — personally approve and oversee cybersecurity risk-management measures. Governance failures could result in temporary suspension or disqualification from management positions.[12] Cybersecurity was no longer, as a matter of European law, merely an IT department concern. It was a board-level responsibility.
The transposition map
The transposition of an EU directive into national law is, by design, an uneven process. Directives set objectives; member states choose the means. This flexibility allows adaptation to national legal traditions, institutional structures, and political priorities. It also means that identical European obligations can take substantially different forms in national law, and that the timeline for implementation depends on legislative calendars, coalition politics, and the bureaucratic capacity of national governments.
NIS2's transposition illustrated every dimension of this unevenness. Belgium was among the first to transpose, introducing enhanced governance obligations and board-level cybersecurity oversight in its national legislation.[13] Italy and Croatia had completed transposition by early 2025. The Czech Republic's law, while technically transposed, did not enter force until November 2025 — thirteen months after the deadline.[14]
Germany's path was representative of the challenges facing larger member states. The revised BSI Act had been in preparation for over a year, but the legislative process was disrupted by the collapse of the governing coalition in late 2024 and the federal election that followed. The final law, when it entered force in December 2025, was comprehensive — but the fourteen-month delay meant that German companies had operated for more than a year in a regulatory interregnum, knowing that new obligations were coming but lacking the legal framework that would define them.[15]
France and Spain, two of the EU's largest member states, were still completing their transposition processes at the end of 2025. Poland's legislation was nearing completion. The Netherlands, despite being a reasoned opinion recipient, had made substantial progress but had not formally notified the Commission of full transposition.[16]
The practical consequence was that a company operating across multiple European member states faced a fragmented compliance landscape. An entity classified as "essential" in Germany might face different implementation timelines, reporting channels, and supervisory expectations than the same entity's operations in France or Spain. The supply chain security obligations — which required companies to assess the cybersecurity practices of their direct suppliers — were particularly challenging when those suppliers operated in member states that had not yet transposed the directive, and where the legal basis for enforcement therefore did not yet exist.[17]
The European Commission's reasoned opinions in May 2025 were a procedural escalation but not a practical remedy. The infringement process — formal notice, reasoned opinion, referral to the Court of Justice — typically took years to complete. By the time the Court could impose penalties for non-transposition, most member states would have completed the process. The threat of infringement proceedings served as a political signal rather than an operational enforcement mechanism.
Board-level accountability
Germany's implementation of the board accountability provisions deserved particular attention, because it represented the most detailed articulation of what NIS2's governance requirements meant in practice.
Under the revised BSI Act, management bodies of in-scope entities were required not merely to be informed about cybersecurity risks but to personally approve the cybersecurity risk-management measures adopted by their organisations and to oversee their implementation.[18] This was not a delegable obligation. Board members could not satisfy it by appointing a chief information security officer and stepping back. They were required to demonstrate that they understood the cybersecurity risks their organisation faced and had actively approved the measures taken to address them.
The liability provisions reinforced this expectation. Board members who failed to fulfil their oversight obligations were personally liable for damages resulting from cybersecurity incidents that proper governance could have prevented.[19] The penalties for non-compliance — fines of up to ten million euros or two per cent of global turnover for essential entities — applied to the organisation, but the personal liability provisions meant that individual directors could face separate legal consequences.
The Greenberg Traurig analysis characterised this shift as making cybersecurity "an immediate, liability-exposed leadership responsibility" rather than a technical concern delegated to the IT department.[20] The ISC2 observed that Germany's implementation "reflects a broader European shift towards embedding cybersecurity into corporate governance," drawing parallels with financial regulation, where directors have long faced personal liability for failures of risk oversight.[21]
Whether this accountability model would change behaviour depended on whether boards took the obligations seriously — and whether supervisory authorities enforced them. The precedents from financial regulation were instructive but not entirely encouraging: directors' liability provisions in banking regulation had existed for decades but had rarely been enforced against individual board members for governance failures. The test of NIS2's board accountability provisions would not come from the statute itself but from the first enforcement actions against directors who failed to comply.
The Cyber Resilience Act arrives
While NIS2 addressed the cybersecurity obligations of organisations, the Cyber Resilience Act — adopted in October 2024 — targeted the security of the products those organisations used. The two instruments were complementary: NIS2 required entities to maintain secure networks and information systems, while the CRA required manufacturers to ensure that the products with digital elements placed on the European market met cybersecurity requirements by design.[22]
On November 28, 2025, the European Commission published the implementing regulation that defined which categories of products with digital elements would face the strictest requirements.[23] The regulation established three tiers: a default category covering approximately ninety per cent of all products, and two elevated categories — "important" and "critical" — for products whose compromise would pose particularly significant risks. Important products included operating systems, network management systems, and firewalls. Critical products included hardware security modules and smart meter gateways.[24]
The CRA's obligations applied primarily to manufacturers. They were required to conduct cybersecurity risk assessments, implement security-by-design principles throughout the product lifecycle, provide software updates to address newly discovered vulnerabilities, and document the cybersecurity properties of their products for users and regulators.[25] Vulnerability reporting obligations would apply from September 2026, with the main product-level obligations taking effect in December 2027.[26]
The interaction between NIS2 and the CRA created a layered regulatory architecture. An organisation subject to NIS2 was required to maintain cybersecurity risk-management measures, which necessarily included the security of the products it used. The manufacturers of those products were, separately, required by the CRA to ensure those products met cybersecurity requirements. When a vulnerability was discovered in a product used by a NIS2-regulated entity, both the entity's incident reporting obligations and the manufacturer's vulnerability disclosure obligations could be triggered simultaneously — potentially to different authorities, under different timelines, using different reporting formats.
This was precisely the kind of overlapping obligation that the Digital Omnibus was designed to address.
The Digital Omnibus fix
On November 19, 2025, the European Commission published the Digital Omnibus proposal — a legislative package that sought, among other objectives, to rationalise the fragmented landscape of incident reporting obligations that had accumulated across European digital regulation.[27]
The core of the Omnibus's cybersecurity contribution was the Single-Entry Point — a unified reporting interface, to be developed and operated by the European Agency for Cybersecurity, through which organisations could submit a single notification that would satisfy reporting obligations under multiple legal instruments simultaneously.[28] The approach was described as "report once, share many": an organisation that experienced a cybersecurity incident would submit one standardised report to the SEP, which would then filter and distribute the relevant information to the appropriate authorities under NIS2, the GDPR, DORA, eIDAS, and the Critical Entities Resilience Directive.[29]
The problem the SEP was designed to solve was real. A financial institution that suffered a cybersecurity incident affecting personal data was potentially subject to incident reporting obligations under NIS2 (to the national CSIRT), the GDPR (to the data protection authority, within seventy-two hours), DORA (to the relevant financial supervisor), and — if the institution operated critical infrastructure — the Critical Entities Resilience Directive.[30] Each regime had its own reporting timelines, its own content requirements, and its own receiving authority. The cumulative burden was not merely administrative. In the critical hours after an incident, when an organisation's primary concern should be containment and remediation, the need to prepare multiple reports for multiple authorities diverted attention and resources from the operational response.
The promise of the Omnibus was significant. The concern was implementation. The Single-Entry Point would only become operational within eighteen to twenty-four months after the Omnibus's entry into force, following a pilot phase.[31] The proposal still needed to pass through the European Parliament and Council, a legislative process that typically took one to two years. The effective harmonisation of incident reporting was therefore unlikely before 2028 at the earliest — three to four years after the obligations it sought to streamline had begun to apply.
DIGITALEUROPE, the European digital industry association, welcomed the Omnibus as "a first step" but argued that it did not go far enough, calling for more fundamental consolidation of overlapping regulatory requirements rather than a reporting-layer fix.[32] Slaughter and May's analysis questioned whether the SEP would truly deliver "report once, share many" in practice, noting that different legal regimes defined reportable incidents differently, used different severity thresholds, and required different types of information — differences that a common reporting interface could accommodate but not eliminate.[33]
Harmonisation in practice
The stated purpose of NIS2 was to achieve a "high common level of cybersecurity across the Union." The directive's recitals acknowledged that the original NIS Directive had "proven insufficient" to address the evolving threat landscape and had resulted in "fragmented" levels of cybersecurity across member states.[34] NIS2 was designed to fix this fragmentation through clearer scope, stronger obligations, and reduced member state discretion.
Fourteen months after the transposition deadline, the picture was mixed. The directive's substantive provisions — risk management, incident reporting, board accountability, supply chain security — were among the most comprehensive cybersecurity obligations in the world. The expansion of scope to 160,000 entities represented a genuine step-change in the breadth of European cybersecurity regulation. And Germany's implementation demonstrated that the board accountability model could be translated into enforceable national law.
But the transposition process had created precisely the kind of temporary fragmentation that the directive was designed to prevent. Companies operating across borders faced different compliance timelines in different member states. The supply chain security obligations assumed a level of harmonisation that did not yet exist. The interaction between NIS2, the CRA, DORA, and other instruments created layers of overlapping requirements that the Digital Omnibus sought to address but had not yet resolved.
The deeper question was whether twenty-seven national transpositions at different speeds, in different legal traditions, with different institutional structures, could ever produce genuine harmonisation rather than convergence that preserved meaningful national variation. The directive set the floor. It could not prevent member states from building different structures on it.
Germany's implementation was the most detailed example: 29,000 entities, personal board liability, a registration portal opening in January 2026, and a supervisory framework that was more prescriptive than NIS2 required.[35] Whether France, when it completed transposition, would take a similarly expansive approach, or whether smaller member states would implement the minimum required by the directive, remained to be seen. The harmonisation that NIS2 promised was real in aspiration. In practice, it remained a work in progress — a patchwork that was being stitched together, seam by seam, across a continent that agreed on the destination but had not yet agreed on how fast to travel there.
Footnotes
1. Mayer Brown, "Cyber Rules for Essential and Important Entities Take Effect in Germany (NIS2 Implementing Law)," December 2025.
2. Greenberg Traurig LLP, "NIS2 in Germany: The New BSI Act Makes Cybersecurity a Board-Level Issue," December 2025.
3. European Commission, "NIS2 Directive Transposition in EU Countries," 2025.
4. European Commission, "Directive on Measures for a High Common Level of Cybersecurity across the Union (NIS2 Directive) — FAQs," 2025.
5. Greenberg Traurig LLP, "EU NIS 2 Directive: Expanded Cybersecurity Obligations for Key Sectors," August 2025.
6. NIS2 Directive, Article 2.
7. European Commission, "NIS2 Directive: Securing Network and Information Systems," 2025.
8. NIS2 Directive, Article 21.
9. NIS2 Directive, Article 23.
10. Goodwin Procter LLP, "Navigating NIS2: What Organisations Need to Know as EU Implementation Unfolds," October 2025.
11. NIS2 Directive, Article 34.
12. NIS2 Directive, Article 20.
13. White & Case LLP, "NIS 2: One Year Later," 2025.
14. ECSO, "NIS2 Directive Transposition Tracker," 2025.
15. Reed Smith LLP, "Finally: Germany Enacts Its NIS2 Law," December 2025.
16. Wavestone, "NIS 2 Directive: Transposition Status and What Companies Must Do," 2025.
17. Morrison Foerster, "Flipping the NIS2 Switch: What Germany's Implementation Means for 2026 Compliance," December 2025.
18. Greenberg Traurig LLP, "NIS2 in Germany: The New BSI Act Makes Cybersecurity a Board-Level Issue," December 2025.
19. Ibid.
20. Ibid.
21. ISC2, "Enabling Germany's Cyber Resilience," December 2025.
22. European Commission, "The Cyber Resilience Act — Summary of the Legislative Text," 2025.
23. Commission Implementing Regulation (EU) 2025/2392 of 28 November 2025.
24. European Commission, "Cyber Resilience Act — Implementation," 2025.
25. Taylor Wessing, "The Cyber Resilience Act — EU-Wide Requirements for the Cybersecurity of Products," November 2025.
26. European Commission, "Cyber Resilience Act," 2025.
27. Bird & Bird, "Digital Omnibus Package: Single EU Harmonised Incident Reporting Regime across Cyber and Data Protection," November 2025.
28. Hunton Andrews Kurth LLP, "EU Digital Omnibus Introduces a Single Reporting Point for Cybersecurity Incidents," November 2025.
29. Taylor Wessing, "The Digital Omnibus and Incident Reporting," 2026.
30. Bird & Bird, "Digital Omnibus Package," November 2025.
31. Slaughter and May, "EU Proposes Single-Entry Point for Cyber Incident Reporting, But Is It Really 'Report Once, Share Many'?", 2025.
32. DIGITALEUROPE, "Digital Omnibus: A First Step and What Must Come Next, Now," November 2025.
33. Slaughter and May, "EU Proposes Single-Entry Point for Cyber Incident Reporting," 2025.
34. NIS2 Directive, Recitals 1–7.
35. Cyble, "Germany NIS-2 Implementation Act Strengthens Cybersecurity," December 2025.