Why are so many organizations dragging their feet on NIS2 compliance?

Although NIS2, the European Union’s updated Cybersecurity Directive, came into force in October 2024, many organizations are still grappling with compliance. As of July 2025, only 14 out of the 27 EU Member States had transposed the directive into national law. And, whilst NIS2 is an EU regulation, many UK businesses with existing operations in the EU could face fines or potential legal repercussions for non-compliance.

NIS2 was initially introduced to strengthen the security posture of ‘essential services’, including industries such as transport, financial services, and energy. For these industries, which often have legacy systems in place and a distributed infrastructure, fending off cyberattacks remains a significant challenge.

Although NIS2, the European Union’s updated Cybersecurity Directive, came into force in October 2024, many organizations are still grappling with compliance. As of July 2025, only 14 out of the 27 EU Member States had transposed the ...