
Only 16% of Businesses Are Fully Compliant with NIS2 Despite 2024 Compliance Deadline
Key Takeaways
- Only 16% of surveyed firms claim full NIS2 compliance
- Budget constraints top barrier, cited by 20% of respondents
- 42% face partner due‑diligence requests for NIS2 proof
- Board-level ownership rises, with 60% assigning responsibility to C‑suite
- Overlap fatigue grows as 42% cite too many regulations
Pulse Analysis
The EU’s Network and Information Security Directive 2 (NIS2) was designed to tighten cyber‑defence across critical sectors, mandating robust safeguards and incident reporting. While member states incorporated the rules into national law by October 2024, the CyberSmart survey shows a stark compliance gap: just 16% of businesses across the UK, Ireland, France, Germany, the Netherlands, Poland, Denmark and Belgium consider themselves fully aligned. This shortfall is especially concerning given the surge in high‑profile cyber incidents in 2025, which have already disrupted major retailers and heightened regulatory scrutiny.
Survey respondents point to practical hurdles rather than lack of motivation. Twenty percent cite insufficient budgets, and 16% struggle with unclear implementation guidance, while a notable 11% admit they do not fully understand NIS2 despite being in scope. Market forces are adding pressure: 42% of firms have been asked by partners to demonstrate compliance, 41% by investors, and 36% by customers. Board engagement is improving—60% have elevated NIS2 oversight to the C‑suite and 95% believe their boards grasp the associated risks—but the expertise gap remains a bottleneck, underscoring the need for dedicated resources and clear roadmaps.
The compliance fatigue revealed by the survey creates a lucrative opening for managed service providers (MSPs) and specialized consultants. With 42% of respondents overwhelmed by the sheer volume of overlapping regulations—DORA, the EU Cybersecurity Act, GDPR, and national mandates—organizations are seeking partners who can deliver continuous, multi‑framework compliance rather than one‑off audits. MSPs that can integrate NIS2 controls into broader security operations, provide expert guidance, and streamline reporting will likely capture a growing share of the market, turning regulatory pressure into a competitive advantage for both providers and their clients.