The NIS2 Directive (Directive (EU) 2022/2555) represents a significant evolution in the EU’s cybersecurity regulatory framework. It imposes enhanced obligations on a wider range of entities, introduces stricter governance requirements, and increases the personal liability of senior management. Legal teams must be proactive in ensuring their organisations are prepared for both the technical and legal challenges of NIS2 compliance.
Expanded Scope and Applicability
- Broader Sectoral Coverage: NIS2 extends the original NIS Directive to additional sectors, including manufacturing, food production and distribution, chemicals, waste management, and postal and courier services, and broadens the existing coverage of digital infrastructure. Covered organisations are classified as either “essential” or “important” entities, based primarily on size, sector, and criticality to the Member State concerned.
- Non-EU Entities: Non-EU service providers operating within the EU may also fall under NIS2, requiring careful jurisdictional analysis.
Governance and Management Liability
- Board-Level Responsibility: NIS2 elevates cybersecurity to a board-level issue. Management bodies must approve the entity’s cybersecurity risk-management measures, oversee their implementation, and follow training themselves; they can be held liable for infringements. Beyond administrative fines imposed on the entity and the resulting reputational damage, competent authorities may, for essential entities, seek a temporary ban on individuals at chief executive or legal representative level from exercising managerial functions.
- Mandatory Risk Management: Entities must implement the minimum cybersecurity risk-management measures set out in the Directive (covering, among others, incident handling, business continuity, supply chain security, secure development and vulnerability handling, cryptography, access control, and multi-factor authentication) and report significant incidents to the competent authority or CSIRT in stages: an early warning within 24 hours of becoming aware of the incident, an incident notification within 72 hours, and a final report within one month.
Implementation Status and Divergence
- Transposition Deadline: The deadline for national implementation was 17 October 2024. As of September 2025, only 16 EU/EEA countries have fully transposed NIS2. Others, including Germany, France, and Spain, are still finalizing legislation.
- National Variations: Some Member States (e.g., Italy, Belgium, Hungary) have introduced stricter requirements, such as mandatory audits and broader public-sector inclusion. Legal teams must monitor local developments and adapt compliance strategies accordingly.
Compliance Challenges for Multinationals
- Multi-Jurisdictional Reporting: A single incident may trigger reporting obligations in several Member States, each with its own deadlines, reporting templates, and enforcement approach. Legal counsel should adopt the strictest applicable standard as the group-wide baseline so that one incident response process satisfies every jurisdiction involved.
- Supply Chain and Third-Party Risk: NIS2 places increased emphasis on supply chain security. Contracts with third parties should be reviewed and updated to reflect new obligations.
Key Legal Priorities
Legal teams should focus on the following actions:
- Executive Training: Ensure senior management understands their legal responsibilities under NIS2.
- Policy Review: Update internal policies and incident response plans to align with NIS2 requirements.
- Contractual Protections: Review and amend supplier and customer contracts to address new risk allocation and notification obligations.
- Regulatory Engagement: Establish clear channels for communication with national authorities and prepare for potential regulatory investigations.
- Documentation: Maintain comprehensive records of compliance efforts, risk assessments, and incident responses.
Looking Ahead
NIS2 is part of a broader EU digital resilience agenda, complementing the Cyber Resilience Act (CRA) and Digital Operational Resilience Act (DORA). Legal teams should take a holistic approach, integrating NIS2 compliance into wider governance, risk, and compliance (GRC) frameworks.
How can BDO Malta help
For many organisations, achieving compliance with the NIS2 Directive may initially appear overwhelming. Our Legal team together with our Technology Advisory & Assurance team will not only guide you through the process of meeting NIS2 requirements but also help you leverage this regulatory challenge as an opportunity to strengthen your organisation’s overall governance and security resilience. We can assist your organisation by:
- Mapping your obligations and conducting a gap analysis to align current practices with NIS2 requirements
- Integrating cybersecurity into both operational workflows and legal decision-making processes
- Engaging, through our BDO network, with legal counsel in the other jurisdictions relevant to your organisation
Contact our Legal Team