Understanding the registration and reporting requirements of the EU NIS2 Directive


People Capabilities In this section you can find Services Banking and Finance Banking and Finance overview Asset & Lease Finance Capital Markets Corporate Debt Leveraged Finance Project, Energy and Infrastructure Finance Real Estate Finance Restructuring and Insolvency Securitization and Structured Finance Trade and Export Finance Competition, Trade and Foreign Investment Competition, Trade and Foreign Investment overview International Sanctions and Export Controls Construction and Engineering Corporate and M&A Corporate and M&A overview Capital Markets Corporate Governance International Corporate Reorganizations Joint Ventures Mergers and Acquisitions Private Equity Venture Capital Corporate Crime Corporate Crime overview International Sanctions and Export Controls Regulatory Investigations and Enforcement Data Privacy, Security and Technology Data Privacy, Security and Technology overview Cybersecurity Data Privacy Information Law Employment, Labor and Pensions Employment, Labor and Pensions overview Corporate Transactions Diversity, Pay and Discrimination Employee Benefits and Executive Compensation Employment Employment Litigation Financial Services Regulation Insurance Intellectual Property Litigation and Dispute Resolution Litigation and Dispute Resolution overview Commercial Litigation Construction Disputes Energy Disputes Financial Services Disputes and Investigations Fraud Procurement Disputes Real Estate Disputes Regulatory Investigations and Enforcement Private Client Private Client overview Family offices services Real Estate and Planning Real Estate and Planning overview Corporate Real Estate Real Estate Disputes Real Estate Finance Strategic Contracts Strategic Contracts overview Contract Modernization Outsourcing Strategic Partnerships Tax Industries Consumer Consumer overview Hospitality and Leisure Luxury Retail and Wholesale Energy Energy overview Hydrogen Financial Services Financial Services overview Corporate and Investment Banking Private Capital Retail Banking and Consumer Finance Governments and Infrastructure Industrials Industrials overview Automotive Manufacturing and Industrial Engineering Life Sciences and Healthcare Real Estate Real Estate overview Real Estate Investment Technology & Digital Resources Insights Client tools Events and training Business topics About About us Firm leadership Purpose and values Responsible business Community Diversity and inclusion Environmental sustainability Pro bono Reports Alumni News Careers Global careers Applications Why us? Lawyers and partners Business professionals Students and recent graduates Offices Czech Republic Visit global site Select a local version of the site Angola Asia Austria Belgium Bulgaria Czech Republic Estonia Finland France Germany Hungary Iraq Ireland Italy Jordan Latvia Lithuania Luxembourg Mauritius Mozambique Netherlands Poland Portugal Qatar Romania Saudi Arabia Slovakia South Africa Spain Sweden Switzerland Tunisia United Arab Emirates United Kingdom United States Rest of the world en Select language English Understanding the registration and reporting requirements of the EU NIS2 Directive Home Resources Insights Home Resources Insights Understanding the registration and reporting requirements of the EU NIS2 Directive Understanding the registration and reporting requirements of the EU NIS2 Directive December 09, 2024 AustriaBelgiumBulgariaCzech RepublicEstoniaFinlandFranceGermanyHungaryIrelandItalyLatviaLithuaniaLuxembourgNetherlandsPolandPortugalRomaniaSlovakiaSpainSweden AustriaBelgiumBulgariaCzech RepublicEstoniaFinlandFranceGermanyHungaryIrelandItalyLatviaLithuaniaLuxembourgNetherlandsPolandPortugalRomaniaSlovakiaSpainSweden Austria The NIS2 Directive (Network and Information Security Directive 2) is one of the European Union’s most ambitious initiatives to harmonise and strengthen cybersecurity across the bloc. Since 16 January 2023, the directive has been in force with the goal of improving the resilience of organisations operating in critical sectors. Member States were required to transpose the directive into their national legislation by 17 October 2024. However, as of 28 November 2024, the European Commission identified that 23 Member States, including the Netherlands, had failed to meet this deadline. This raises important questions: what are the consequences for organisations in these countries? Are registration and incident reporting obligations enforceable? This blog explores the legal implications of delayed implementation of the NIS2 Directive. The status of implementation: which countries are delayed On 28 November 2024, the European Commission announced infringement proceedings against 23 Member States for failing to transpose the NIS2 Directive into their national laws on time. These Member States include: Bulgaria, Czechia, Denmark, Germany, Estonia, Ireland, Greece, Spain, France, Cyprus, Latvia, Luxembourg, Hungary, Malta, the Netherlands, Austria, Poland, Portugal, Romania, Slovenia, Slovakia, Finland, and Sweden. These delays have resulted in significant legal uncertainty. Belgium and Croatia are among the few Member States that managed to complete their transposition within the stipulated timeframe. Registration and reporting obligations under NIS2 The NIS2 Directive imposes several obligations on organisations in critical sectors. Two key obligations include: Incident reporting obligation (Article 23): Organisations must report significant incidents that impact the security of their network and information systems to the competent authorities or Computer Security Incident Response Teams (CSIRTs). An ‘early warning’ must be made within 24 hours of becoming aware of the incident, with full notification (72 hours), further updates and a final report (1 month) to follow as more details become available. Registration obligation (Article 3(4) and Article 27): The NIS2 Directive imposes a general registration obligation under Article 3(4), requiring Member States to establish mechanisms for identifying and maintaining a list of essential and important entities. These entities must provide specific information, including their name, sector, addresses of their main and legal establishments, contact details, IP ranges, and the Member States where they operate. Additionally, Article 27 outlines specific requirements for digital infrastructure providers, such as cloud computing services, DNS providers, and online platforms, to submit similar details to national authorities. Any changes to this information must be reported within three months, and the data is forwarded to ENISA for inclusion in a centralised registry. These obligations aim to enhance oversight and coordination across the EU’s cybersecurity framework. These obligations become enforceable only after a Member State has transposed the directive into its national legislation. The legal reality in countries without implementation Until a Member State implements the NIS2 Directive, there is no legal basis to compel organisations to register or report incidents. This means that organisations based in these countries are formally not required to register with a supervisory authority or to report significant incidents. This is rooted in the legal principle that EU directives are only binding on individuals and organisations once they are transposed into national law. The European Commission confirms this principle, stating that “directives […] must be transposed into national legislation by EU countries before they can be enforced.” Consequently, in the absence of national implementation, organisations in these countries have no direct obligations under the NIS2 Directive. The absence of national implementation of the NIS2 Directive does not entirely negate its impact. While organisations are not directly obligated to comply with registration or reporting requirements, positive obligations on Member States to act in certain circumstances may still hold weight under EU law. This can occur through the principles of the effet utile doctrine, which ensures the effective application of EU law, even if it has not been fully transposed. The NIS2 Directive places an emphasis on Member States' responsibilities to coordinate, assist, and respond to significant cybersecurity incidents. For example: Coordination and support: Even without full national transposition, Member States are required to facilitate incident response, including providing assistance to affected organisations, under the principles outlined in the directive’s framework. Establishment of CSIRTs (Computer Security Incident Response Teams): Member States are mandated to maintain operational CSIRTs capable of managing and mitigating significant incidents. These teams must operate regardless of whether the directive is transposed, as many Member States already have pre-existing obligations under the original NIS Directive (2016). Proactive steps organisations can take While organisations in Member States without implementation laws currently face no enforceable obligations, this period of legal “breathing space” is not an excuse to remain unprepared. The implementation of the directive is inevitable. Organisations should take the following steps to enhance their cybersecurity posture and prepare for compliance: Strengthen security measures: Conduct internal risk assessments and implement technical and organisational measures to secure network and information systems in line with Article 21 of the directive. Develop incident management procedures: Establish internal protocols for managing and reporting significant incidents, as required under Article 23 of the directive. Engage leadership in cybersecurity: Ensure board members are aware of their responsibilities regarding cybersecurity and receive the necessary training to oversee the implementation of security measures effectively. Conclusion In Member States that have yet to implement the NIS2 Directive, registration and reporting obligations are not currently enforceable. However, organisations should not mistake this delay for a lack of accountability. By proactively strengthening cybersecurity measures and establishing compliance frameworks, organisations can safeguard their operations, protect their reputations, and ensure readiness for the regulatory landscape ahead. Further reading A Unified Cybersecurity Vision for Europe’s Digital Future: The NIS2 Directive Determining the size of your organization under the NIS2 Directive and the SME Recommendation Registration requirements under NIS2: The countdown to cybersecurity compliance The materials on the Eversheds Sutherland website are for general information purposes only and do not constitute legal advice. While reasonable care is taken to ensure accuracy, the materials may not reflect the most current legal developments. Eversheds Sutherland disclaims liability for actions taken based on the materials. Always consult a qualified lawyer for specific legal matters. To view the full disclaimer, see our Terms and Conditions or Disclaimer section in the footer. Services Cybersecurity Data Privacy Business Topics NIS2 Directive Key contacts Olaf van Haperen Partner Rotterdam, Netherlands Robbert Santifort Partner Rotterdam, Netherlands Ilham Ezzamouri Associate Rotterdam, Netherlands Latest Insights legal updates Commercially Connected Shorts - 17 June 2026 legal updates EU Pay Transparency Directive: Job evaluation and classification guidelines legal updates Global Sustainability & ESG Insights - May 2026 legal updates EU Tightens Control Over Critical Raw Materials Latest News firm news Eversheds Sutherland continues European expansion with further strategic partner hire in project finance client news Eversheds Sutherland powers 12 key deals for Gresham House Energy Storage Fund in three-week surge client news Next stop, public ownership: Eversheds Sutherland advises DfT on GTR transition client news Advising Howden Joinery Group plc on £390m DIY Kitchens acquisition Latest Events virtual \| June 23, 2026 Introduction to Swiss employment law virtual \| September 10, 2026 UAE - Employment law in the Dubai International Financial Centre in-person \| September 17, 2026 Basic foundations of US employment law in-person \| September 23, 2026 2026 BDC Roundtable Tabs Label legal updates June 17, 2026 Commercially Connected Shorts - 17 June 2026 legal updates June 16, 2026 EU Pay Transparency Directive: Job evaluation and classification guideline... legal updates June 14, 2026 Global Sustainability & ESG Insights - May 2026 legal updates June 11, 2026 EU Tightens Control Over Critical Raw Materials Legal notices Terms & conditions Privacy notice Cookies LinkedIn Facebook YouTube Connect Contact us Client login Staff login Subscribe About us About Eversheds Sutherland Purpose and values Responsible business Alumni Insights Client tools Events and training Business topics Careers Offices © Eversheds Sutherland 2026. All rights reserved. Eversheds Sutherland is a provider of legal and other services operating through various separate and distinct legal entities. For further information about these entities and Eversheds Sutherlands' structure please see the Legal Notice page of this website. Eversheds Sutherland is the name and brand under which the members of Eversheds Sutherland Limited (Eversheds Sutherland (International) LLP and Eversheds Sutherland (US) LLP) and their respective controlled, managed or affiliated firms and the members of Eversheds Sutherland (Europe) Limited and Eversheds Sutherland (Africa) Limited (each an "Eversheds Sutherland Entity" and together the "Eversheds Sutherland Entities") provide legal or other services to clients around the world. Eversheds Sutherland Entities are constituted and regulated in accordance with relevant local regulatory and legal requirements. The use of the name Eversheds Sutherland, is for description purposes only and does not imply that the Eversheds Sutherland Entities are in a partnership or are part of a global entity. The responsibility for the provision of services to the client is defined in the terms of engagement between the instructed firm and the client. For further information about these Eversheds Sutherland Entities and Eversheds Sutherlands’ structure please see the Legal Notices page of this website. For information on Konexo please also see the Legal Notices page of this website.

The NIS2 Directive (Network and Information Security Directive 2) is one of the European Union’s most ambitious initiatives to harmonise and strengthen cybersecurity across the bloc.

Since 16 January 2023, the directive has been in force with the goal of improving the resilience of organisations operating in critical sectors. Member States were required to transpose the directive into their national legislation by 17 October 2024. However, as of 28 November 2024, the European Commission identified that 23 Member States, including the Netherlands, had failed to meet this deadline.

This raises important questions: what are the consequences for organisations in these countries? Are registration and incident reporting obligations enforceable?

This blog explores the legal implications of delayed implementation of the NIS2 Directive.

The status of implementation: which countries are delayed

On 28 November 2024, the European Commission announced infringement proceedings against 23 Member States for failing to transpose the NIS2 Directive into their national laws on time. These Member States include:

Bulgaria, Czechia, Denmark, Germany, Estonia, Ireland, Greece, Spain, France, Cyprus, Latvia, Luxembourg, Hungary, Malta, the Netherlands, Austria, Poland, Portugal, Romania, Slovenia, Slovakia, Finland, and Sweden.

These delays have resulted in significant legal uncertainty. Belgium and Croatia are among the few Member States that managed to complete their transposition within the stipulated timeframe.

Registration and reporting obligations under NIS2

The NIS2 Directive imposes several obligations on organisations in critical sectors. Two key obligations include:

Incident reporting obligation (Article 23): Organisations must report significant incidents that impact the security of their network and information systems to the competent authorities or Computer Security Incident Response Teams (CSIRTs). An ‘early warning’ must be made within 24 hours of becoming aware of the incident, with full notification (72 hours), further updates and a final report (1 month) to follow as more details become available.
Registration obligation (Article 3(4) and Article 27): The NIS2 Directive imposes a general registration obligation under Article 3(4), requiring Member States to establish mechanisms for identifying and maintaining a list of essential and important entities. These entities must provide specific information, including their name, sector, addresses of their main and legal establishments, contact details, IP ranges, and the Member States where they operate. Additionally, Article 27 outlines specific requirements for digital infrastructure providers, such as cloud computing services, DNS providers, and online platforms, to submit similar details to national authorities. Any changes to this information must be reported within three months, and the data is forwarded to ENISA for inclusion in a centralised registry. These obligations aim to enhance oversight and coordination across the EU’s cybersecurity framework.

These obligations become enforceable only after a Member State has transposed the directive into its national legislation.

The legal reality in countries without implementation

Until a Member State implements the NIS2 Directive, there is no legal basis to compel organisations to register or report incidents. This means that organisations based in these countries are formally not required to register with a supervisory authority or to report significant incidents.

This is rooted in the legal principle that EU directives are only binding on individuals and organisations once they are transposed into national law. The European Commission confirms this principle, stating that “directives […] must be transposed into national legislation by EU countries before they can be enforced.”

Consequently, in the absence of national implementation, organisations in these countries have no direct obligations under the NIS2 Directive.

The absence of national implementation of the NIS2 Directive does not entirely negate its impact. While organisations are not directly obligated to comply with registration or reporting requirements, positive obligations on Member States to act in certain circumstances may still hold weight under EU law. This can occur through the principles of the effet utile doctrine, which ensures the effective application of EU law, even if it has not been fully transposed.

The NIS2 Directive places an emphasis on Member States' responsibilities to coordinate, assist, and respond to significant cybersecurity incidents. For example:

Coordination and support: Even without full national transposition, Member States are required to facilitate incident response, including providing assistance to affected organisations, under the principles outlined in the directive’s framework.
Establishment of CSIRTs (Computer Security Incident Response Teams): Member States are mandated to maintain operational CSIRTs capable of managing and mitigating significant incidents. These teams must operate regardless of whether the directive is transposed, as many Member States already have pre-existing obligations under the original NIS Directive (2016).

Proactive steps organisations can take

While organisations in Member States without implementation laws currently face no enforceable obligations, this period of legal “breathing space” is not an excuse to remain unprepared. The implementation of the directive is inevitable. Organisations should take the following steps to enhance their cybersecurity posture and prepare for compliance:

Strengthen security measures: Conduct internal risk assessments and implement technical and organisational measures to secure network and information systems in line with Article 21 of the directive.
Develop incident management procedures: Establish internal protocols for managing and reporting significant incidents, as required under Article 23 of the directive.
Engage leadership in cybersecurity: Ensure board members are aware of their responsibilities regarding cybersecurity and receive the necessary training to oversee the implementation of security measures effectively.

Conclusion

In Member States that have yet to implement the NIS2 Directive, registration and reporting obligations are not currently enforceable. However, organisations should not mistake this delay for a lack of accountability. By proactively strengthening cybersecurity measures and establishing compliance frameworks, organisations can safeguard their operations, protect their reputations, and ensure readiness for the regulatory landscape ahead.