ALERTE
August 7, 2025
Read time: 8 min
As cybersecurity rises to the top of the corporate agenda, businesses face growing pressure to comply with the EU’s evolving regulatory landscape. Whether your company falls directly under EU cybersecurity laws or is indirectly affected through customers, suppliers, or partners, understanding your obligations is critical.
The EU is raising the bar through landmark legislation – most notably the NIS2 Directive, the Directive on the Resilience of Critical Entities (CER), the Cyber Resilience Act (CRA) and the Digital Operational Resilience Act (DORA) – to create a more secure and resilient digital environment across the EU.
These rules affect a wide range of businesses: from producers of food and technology infrastructure and ICT service providers to manufacturers of connected products and operators of critical infrastructure. The risks of non-compliance are significant, including substantial fines, management’s personal liability, operational restrictions, and reputational damage.
Addressing these challenges demands active engagement from leadership teams, the empowerment and education of key stakeholders, and the cultivation of a security-conscious culture that encompasses all employees.
The NIS2 Directive, which gradually replaces the original NIS Directive as of 18 October 2024, covers a wide range of entities obligating them to implement strengthened cybersecurity measures and is still in the process of transposition into local law.
The Directive allows all 30 EEA countries to introduce stricter local cybersecurity requirements. It is therefore of essence to understand national specificities and make the informed strategic decisions on how and when to implement them.
Our NIS2 Monitoring Tracker* captures the local transposition process (orange: Local NIS2 legislation not yet implemented and blue: Local NIS2 legislation implemented and in force) helping your team to put the NIS2 puzzle pieces together.
*This map was updated on April 3, 2026.
Discover more details below.
NIS2 applies to wide range of entities operating across various sectors and industries, including:
- Digital infrastructure (including data center providers, providers of public electronic communications networks, cloud computing service providers),
- ICT service management (managed service/security service providers),
- Digital providers (including providers of online marketplaces and social networking services platforms),
- Manufacturing (e.g., industrial machinery and equipment, motor vehicles, computer, electronic and optical products, chemicals (including production and distribution)),
- Energy,
- Space,
- Transport,
- Health,
- Banking,
- Research,
…and more,
where those entities meet the size thresholds for medium or large enterprises and provide their services or conduct their activities within the EU. In addition, the NIS2 Directive applies to certain types of entities regardless of size, such as those designated as critical entities under the CER Directive.