NIS2 Compliance Statistics 2026: 50+ Facts on Scope, Fines, and Readiness
The NIS2 Directive is the most significant overhaul of cybersecurity regulation in the European Union's history. It replaces the original NIS Directive from 2016, expanding its scope from a few hundred operators of essential services per member state to an estimated 160,000 entities across the EU.
This page compiles verified statistics on NIS2's scope, transposition status, penalty framework, compliance readiness, costs, and the broader cybersecurity landscape it aims to address. Every number is sourced from official EU agencies, regulatory bodies, and verified industry reports.
NIS2 Scope and Scale
NIS2 dramatically expanded the number of organizations subject to EU cybersecurity requirements. The original NIS Directive covered a narrow set of operators of essential services. NIS2 applies to any medium or large enterprise operating in 18 designated sectors.
| Statistic | Source |
|---|---|
| ~160,000 entities across the EU fall under NIS2 scope | European Commission Impact Assessment |
| 18 sectors covered (11 essential + 7 important) | NIS2 Directive, Annexes I and II |
| Applies to medium enterprises (50+ employees or EUR 10M+ turnover) and large enterprises (250+ employees or EUR 50M+ turnover) | European Commission NIS2 FAQ |
| Germany alone: ~29,500+ companies affected | BSI estimate, via DLA Piper |
| Finland: scope expanded from ~1,100 entities under NIS1 to ~5,500 under NIS2 (5x increase) | Secomea NIS2 country tracker |
11 Sectors of High Criticality (Annex I - Essential Entities)
- Energy (electricity, oil, gas, hydrogen, district heating)
- Transport (air, rail, water, road)
- Banking
- Financial market infrastructures
- Health (hospitals, laboratories, pharmaceuticals, medical devices)
- Drinking water
- Wastewater
- Digital infrastructure (IXPs, DNS, TLD registries, cloud, data centres, CDNs)
- ICT service management (B2B - managed service providers, managed security service providers)
- Public administration (central government)
- Space
7 Other Critical Sectors (Annex II - Important Entities)
- Postal and courier services
- Waste management
- Chemicals (manufacturing, production, distribution)
- Food (production, processing, distribution)
- Manufacturing (medical devices, computers, electronics, machinery, motor vehicles)
- Digital providers (online marketplaces, search engines, social networks)
- Research organizations
NIS2 Transposition Status
The deadline for EU member states to transpose NIS2 into national law was October 17, 2024. The majority of member states missed this deadline.
| Statistic | Source |
|---|---|
| 20 of 27 EU member states completed transposition by January 1, 2026 | Wavestone NIS2 Transposition Tracker |
| On May 7, 2025, the European Commission sent reasoned opinions to 19 member states for failing to notify full transposition | Skadden; Goodwin Law |
| Transposition deadline: October 17, 2024 | NIS2 Directive, Article 41 |
Countries That Have Fully Transposed NIS2
| Country | Date of Transposition |
|---|---|
| Croatia | February 15, 2024 (earliest) |
| Latvia | September 1, 2024 |
| Belgium | October 18, 2024 |
| Italy | October 16, 2024 |
| Lithuania | October 17, 2024 |
| Greece | November 27, 2024 |
| Slovakia | January 1, 2025 |
| Hungary | January 2025 |
| Slovenia | June 19, 2025 |
| Czech Republic | November 1, 2025 |
| Germany | December 6, 2025 |
Source: Wavestone NIS2 Transposition Tracker (as of January 2026)
Countries With Legislation Approved but Framework Pending
Sweden, Denmark, Austria, Portugal, Malta, Finland, Estonia, Romania, Cyprus (9 countries)
Countries Still in Draft Stage
Luxembourg, France, Spain, Netherlands, Poland, Bulgaria (6 countries)
Source: Wavestone NIS2 Transposition Tracker
NIS2 Penalties and Fines
NIS2 introduces a tiered penalty framework based on entity classification. Unlike GDPR, which has a single maximum, NIS2 distinguishes between essential and important entities.
| Entity Type | Maximum Fine | Source |
|---|---|---|
| Essential entities | EUR 10,000,000 or 2% of global annual turnover (whichever is higher) | NIS2 Directive, Article 34 |
| Important entities | EUR 7,000,000 or 1.4% of global annual turnover (whichever is higher) | NIS2 Directive, Article 34 |
Member states can set fines above these thresholds but not below (NIS2 Directive, Article 34).
NIS2 vs GDPR Penalty Comparison
| Regulation | Fixed Maximum Fine | Turnover-Based Maximum |
|---|---|---|
| GDPR | EUR 20,000,000 | 4% of global turnover |
| NIS2 (essential entities) | EUR 10,000,000 | 2% of global turnover |
| NIS2 (important entities) | EUR 7,000,000 | 1.4% of global turnover |
Personal Liability for Management
NIS2 introduces direct accountability for management bodies. Board members and senior executives can be held personally liable for non-compliance. In cases of serious negligence, competent authorities can impose a temporary ban on individuals from exercising managerial functions.
Source: DLA Piper NIS2 Directors' Personal Liability Analysis
NIS2 Compliance Readiness
Compliance readiness data paints a concerning picture. Significant portions of affected organizations are either unaware of NIS2 or unprepared for its requirements.
| Statistic | Source |
|---|---|
| 38% of manufacturing entities are unaware of NIS2 | ENISA NIS Investments 2024 |
| 40% of wastewater management entities are unaware of NIS2 | ENISA NIS Investments 2024 |
| 89% of organizations say they need additional staff for NIS2 compliance | ENISA NIS Investments 2024 |
| 30% of organizations had no security assessment in the past 12 months | ENISA NIS Investments 2025 |
| 63% of SMEs had no security assessment | ENISA NIS Investments 2025 |
| 28% of organizations take 3+ months to patch critical vulnerabilities | ENISA NIS Investments 2025 |
| 50%+ of SMEs take 3+ months to patch critical systems | ENISA NIS Investments 2025 |
| 43% of ICT service management entities have no security testing program | ENISA NIS Investments 2025 |
| 82% of organizations reported a positive cybersecurity impact from NIS1 compliance | WALLIX, citing ENISA study |
NIS2 Compliance Costs
The cost of implementing NIS2 varies significantly based on entity size, existing maturity, and sector. The European Commission's impact assessment and independent analyses provide the following estimates.
| Statistic | Source |
|---|---|
| EU-wide total implementation cost: EUR 31.2 billion per year (0.31% of affected sectors' turnover) | Frontier Economics |
| Essential entities already NIS1 compliant: ~EUR 107,000 average cost to adapt | Tarlogic |
| Important entities starting from scratch: ~EUR 180,000 average cost | Tarlogic |
| Important entities with 27% existing implementation: ~EUR 131,000 average cost | Tarlogic |
| Companies expected to increase cybersecurity spending by up to 22% in the first years | ENISA impact assessment, via WALLIX |
| Median EU cybersecurity budget (2025): EUR 1.5 million | ENISA NIS Investments 2025 |
| IT budget share allocated to cybersecurity: 9% in 2023, up from 7.1% in 2022 | ENISA NIS Investments 2024 |
| Median information security budget doubled from EUR 0.7M to EUR 1.4M between 2022 and 2023 | ENISA NIS Investments 2024 |
| 70% of organizations cite regulatory compliance as their primary investment driver | ENISA NIS Investments 2025 |
| 34% of SMEs are unable to request additional budget for NIS2 compliance | ENISA NIS Investments 2025 |
NIS2 Incident Reporting Requirements
NIS2 introduces a three-stage incident reporting framework with strict timelines, significantly tightening the original NIS Directive's requirements.
| Reporting Stage | Deadline | Purpose |
|---|---|---|
| Early warning | Within 24 hours of becoming aware | Initial alert to competent authority |
| Full notification | Within 72 hours | Detailed assessment of severity and impact |
| Final report | Within 1 month | Root cause, mitigation, cross-border impact |
Source: NIS2 Directive, Article 23
Incident Statistics Under NIS1
| Statistic | Source |
|---|---|
| 188 incidents reported by national authorities from 26 EU member states and 2 EFTA countries (2024 annual summary) | ENISA CIRAS |
| 55% of digital infrastructure entities subject to national reporting had no reportable incidents | ENISA NIS Investments 2024 |
Sector Maturity Under NIS2
ENISA's NIS360 assessment maps sectors based on their cybersecurity maturity relative to their criticality. This reveals which sectors are most at risk of non-compliance.
Most Mature Sectors (Maturity Matches Criticality)
- Electricity
- Telecommunications
- Banking
Sectors in the "Risk Zone" (Criticality Outweighs Maturity)
- ICT service management
- Space
- Public administrations
- Maritime transport
- Health
- Gas
Source: ENISA NIS360 2024
Supervision Model
| Entity Type | Supervision Approach |
|---|---|
| Essential entities | Proactive (ex-ante) and reactive (ex-post) oversight |
| Important entities | Reactive oversight only (ex-post - only after an incident or evidence of non-compliance) |
Source: European Commission NIS2 FAQ
EU Cybersecurity Threat Landscape
The following statistics from ENISA's Threat Landscape report provide context for why NIS2 was necessary.
| Statistic | Source |
|---|---|
| 4,875 cybersecurity incidents analyzed between July 2024 and June 2025 | ENISA Threat Landscape 2025 |
| DDoS and hacktivism account for ~80% of all recorded incidents | ENISA Threat Landscape 2025 |
| Only 2% of hacktivist DDoS attacks resulted in actual service disruption | ENISA Threat Landscape 2025 |
| Phishing accounts for ~60% of all intrusion attempts | ENISA Threat Landscape 2025 |
| 80%+ of phishing campaigns now use AI-generated or AI-enhanced content | ENISA Threat Landscape 2025 |
| 53.7% of incidents targeted essential entities as defined by NIS2 | ENISA Threat Landscape 2025 |
| 42,595 new vulnerabilities disclosed - a 27% increase year-over-year | ENISA Threat Landscape 2025 |
| 82 ransomware variants deployed against EU organizations | ENISA Threat Landscape 2025 |
| Top 3 ransomware variants: Akira (11.6%), SafePay (10.1%), Qilin (7.5%) | ENISA Threat Landscape 2025 |
| 90% of organizations expected increased cyberattacks in 2024 | ENISA NIS Investments 2024 |
Top Targeted Sectors
| Sector | Share of Incidents |
|---|---|
| Public administration | 19% |
| Transport | 11% |
| Finance | 9% |
| Digital infrastructure | 8% |
Source: ENISA Threat Landscape 2025
Supply Chain Security Under NIS2
NIS2 mandates supply chain security as one of 10 required risk management measures under Article 21. This reflects the growing threat of supply chain-based attacks across Europe.
| Statistic | Source |
|---|---|
| 90% of organizations claim to have supply chain risk management practices in place | ENISA NIS Investments 2025 |
| 47% of organizations fear third-party compromises as a top future threat | ENISA NIS Investments 2025 |
| Vulnerability exploitation accounts for 21% of incidents, many via supply chain components | ENISA Threat Landscape 2025 |
Cybersecurity Workforce in the EU
NIS2 compliance requires qualified cybersecurity professionals. The current talent shortage across Europe makes this one of the most challenging aspects of compliance.
| Statistic | Source |
|---|---|
| EU cybersecurity skills deficit: 299,000 professionals | ENISA NIS Investments 2025 |
| Europe has ~1.4 million cybersecurity professionals but needs ~1.8 million (shortage of ~424,000) | Source Group International |
| 75% of organizations struggle to attract cybersecurity talent | ENISA NIS Investments 2025 |
| 71% of organizations struggle to retain cybersecurity staff | ENISA NIS Investments 2025 |
| 76% of cybersecurity staff lack formal qualifications or certified training | ENISA NIS Investments 2024 |
| 59% of SMEs struggle to recruit cybersecurity talent | ENISA NIS Investments 2024 |
| Cybersecurity-to-IT staff ratio: 10.6% | ENISA NIS Investments 2025 |
| IT FTEs dedicated to cybersecurity: 11.1% (4th consecutive year of decline) | ENISA NIS Investments 2024 |
| Germany's projected cybersecurity workforce gap: up to 106,000 workers | Net Group |
| Global cybersecurity workforce gap: 4.8 million unfilled positions (2024), a 19% increase year-over-year | ISC2 |
| 52% of organizations say the primary concern is "not having the right staff" vs 48% saying "not having enough staff" | ISC2 |
NIS2 10 Minimum Security Measures
Article 21 of the NIS2 Directive requires entities to implement at least these 10 categories of security measures:
- Policies on risk analysis and information system security
- Incident handling procedures
- Business continuity and crisis management (including backup management and disaster recovery)
- Supply chain security (including security-related aspects of relationships between entities and their direct suppliers or service providers)
- Security in network and information systems acquisition, development, and maintenance (including vulnerability handling and disclosure)
- Policies and procedures to assess the effectiveness of cybersecurity risk-management measures
- Basic cyber hygiene practices and cybersecurity training
- Policies and procedures regarding the use of cryptography and, where appropriate, encryption
- Human resources security, access control policies, and asset management
- The use of multi-factor authentication or continuous authentication solutions, secured voice, video, and text communications, and secured emergency communication systems
Source: NIS2 Directive, Article 21(2)
Key NIS2 Dates and Timeline
| Date | Event |
|---|---|
| December 27, 2022 | NIS2 published in the Official Journal of the European Union |
| January 16, 2023 | NIS2 entered into force |
| October 17, 2024 | Deadline for member states to transpose NIS2 into national law |
| October 18, 2024 | NIS2 became applicable in member states that transposed on time |
| April 17, 2025 | Deadline for member states to establish a list of essential and important entities |
| May 7, 2025 | European Commission issued reasoned opinions to 19 non-compliant member states |
Frequently Asked Questions
Q: How many companies are affected by NIS2?
A: The European Commission estimates approximately 160,000 entities across the EU fall under NIS2's scope. This includes medium enterprises with 50+ employees or EUR 10M+ turnover and large enterprises with 250+ employees or EUR 50M+ turnover operating in any of the 18 designated sectors.
Q: What are the maximum NIS2 fines?
A: Essential entities face fines of up to EUR 10,000,000 or 2% of global annual turnover, whichever is higher. Important entities face fines of up to EUR 7,000,000 or 1.4% of global annual turnover. Member states may set higher maximum fines in their national transposition.
Q: Which EU countries have implemented NIS2?
A: As of January 2026, 20 of 27 EU member states have completed NIS2 transposition. Croatia was the first (February 2024), followed by Latvia, Belgium, Italy, Lithuania, Greece, Slovakia, Hungary, Slovenia, Czech Republic, and Germany. Six countries remain in draft stage, including France, Spain, and the Netherlands.
Q: How much does NIS2 compliance cost?
A: Costs vary significantly by entity size and existing maturity. Entities already compliant with NIS1 may spend approximately EUR 107,000 to adapt. Important entities starting from scratch face an average cost of approximately EUR 180,000. The EU-wide total implementation cost is estimated at EUR 31.2 billion per year.
Q: What are the NIS2 incident reporting deadlines?
A: NIS2 requires a three-stage approach: an early warning within 24 hours of becoming aware of a significant incident, a full notification within 72 hours with an assessment of severity and impact, and a final report within one month detailing root cause analysis and mitigation measures.
Q: Can board members be held personally liable under NIS2?
A: Yes. NIS2 introduces direct accountability for management bodies. Board members and senior executives can be held personally liable for non-compliance with cybersecurity risk management obligations. In cases of serious negligence, authorities can impose a temporary ban on individuals from exercising managerial functions.
All statistics on this page are sourced from official EU agencies, regulatory bodies, and verified industry reports. Primary sources include ENISA NIS Investments Reports (2024, 2025), ENISA Threat Landscape 2025, ENISA NIS360 2024, the European Commission NIS2 FAQ, Wavestone NIS2 Transposition Tracker, Frontier Economics, ISC2, and the NIS2 Directive text. This page is updated regularly as new data becomes available.
Last updated: March 2026