Understanding the registration and reporting requirements of the EU NIS2 Directive

Since 16 January 2023, the directive has been in force with the goal of improving the resilience of organisations operating in critical sectors. Member States were required to transpose the directive into their national legislation by 17 October 2024. However, as of 28 November 2024, the European Commission identified that 23 Member States, including the Netherlands, had failed to meet this deadline.

This raises important questions: what are the consequences for organisations in these countries? Are registration and incident reporting obligations enforceable?

This blog explores the legal implications of delayed implementation of the NIS2 Directive.

The status of implementation: which countries are delayed

On 28 November 2024, the European Commission announced infringement proceedings against 23 Member States for failing to transpose the NIS2 Directive into their national laws on time. These Member States include:

• Bulgaria, Czechia, Denmark, Germany, Estonia, Ireland, Greece, Spain, France, Cyprus, Latvia, Luxembourg, Hungary, Malta, the Netherlands, Austria, Poland, Portugal, Romania, Slovenia, Slovakia, Finland, and Sweden.

These delays have resulted in significant legal uncertainty. Belgium and Croatia are among the few Member States that managed to complete their transposition within the stipulated timeframe.

Registration and reporting obligations under NIS2

The NIS2 Directive imposes several obligations on organisations in critical sectors. Two key obligations include:

• Incident reporting obligation (Article 23): Organisations must report significant incidents that impact the security of their network and information systems to the competent authorities or Computer Security Incident Response Teams (CSIRTs). An ‘early warning’ must be made within 24 hours of becoming aware of the incident, with full notification (72 hours), further updates and a final report (1 month) to follow as more details become available.
• Registration obligation (Article 3(4) and Article 27): The NIS2 Directive imposes a general registration obligation under Article 3(4), requiring Member States to establish mechanisms for identifying and maintaining a list of essential and important entities. These entities must provide specific information, including their name, sector, addresses of their main and legal establishments, contact details, IP ranges, and the Member States where they operate. Additionally, Article 27 outlines specific requirements for digital infrastructure providers, such as cloud computing services, DNS providers, and online platforms, to submit similar details to national authorities. Any changes to this information must be reported within three months, and the data is forwarded to ENISA for inclusion in a centralised registry. These obligations aim to enhance oversight and coordination across the EU’s cybersecurity framework.

These obligations become enforceable only after a Member State has transposed the directive into its national legislation.

The legal reality in countries without implementation

Until a Member State implements the NIS2 Directive, there is no legal basis to compel organisations to register or report incidents. This means that organisations based in these countries are formally not required to register with a supervisory authority or to report significant incidents.

This is rooted in the legal principle that EU directives are only binding on individuals and organisations once they are transposed into national law. The European Commission confirms this principle, stating that “directives […] must be transposed into national legislation by EU countries before they can be enforced.”

Consequently, in the absence of national implementation, organisations in these countries have no direct obligations under the NIS2 Directive.

The absence of national implementation of the NIS2 Directive does not entirely negate its impact. While organisations are not directly obligated to comply with registration or reporting requirements, positive obligations on Member States to act in certain circumstances may still hold weight under EU law. This can occur through the principles of the effet utile doctrine, which ensures the effective application of EU law, even if it has not been fully transposed.

The NIS2 Directive places an emphasis on Member States' responsibilities to coordinate, assist, and respond to significant cybersecurity incidents. For example:

• Coordination and support: Even without full national transposition, Member States are required to facilitate incident response, including providing assistance to affected organisations, under the principles outlined in the directive’s framework.
• Establishment of CSIRTs (Computer Security Incident Response Teams): Member States are mandated to maintain operational CSIRTs capable of managing and mitigating significant incidents. These teams must operate regardless of whether the directive is transposed, as many Member States already have pre-existing obligations under the original NIS Directive (2016).

Proactive steps organisations can take

While organisations in Member States without implementation laws currently face no enforceable obligations, this period of legal “breathing space” is not an excuse to remain unprepared. The implementation of the directive is inevitable. Organisations should take the following steps to enhance their cybersecurity posture and prepare for compliance:

• Strengthen security measures: Conduct internal risk assessments and implement technical and organisational measures to secure network and information systems in line with Article 21 of the directive.
• Develop incident management procedures: Establish internal protocols for managing and reporting significant incidents, as required under Article 23 of the directive.
• Engage leadership in cybersecurity: Ensure board members are aware of their responsibilities regarding cybersecurity and receive the necessary training to oversee the implementation of security measures effectively.

Conclusion

In Member States that have yet to implement the NIS2 Directive, registration and reporting obligations are not currently enforceable. However, organisations should not mistake this delay for a lack of accountability. By proactively strengthening cybersecurity measures and establishing compliance frameworks, organisations can safeguard their operations, protect their reputations, and ensure readiness for the regulatory landscape ahead.

Further reading

• A Unified Cybersecurity Vision for Europe’s Digital Future: The NIS2 Directive
• Determining the size of your organization under the NIS2 Directive and the SME Recommendation
• Registration requirements under NIS2: The countdown to cybersecurity compliance