Only 16% of Businesses Are NIS2 Compliant. Here Is What the Other 84% Are Getting Wrong.
By ArvexLab Team — Compliance Research
The Number That Should Worry Every CISO in Europe
According to research by CyberSmart published in early 2026, surveying 670 business leaders across nine EU countries, only 16% of businesses required to comply with NIS2 are confident they are fully compliant.
That leaves 84% in various states of unreadiness — from "working on it" to "we have never heard of NIS2."
The survey also found that 11% of respondents were unsure what NIS2 even is, despite falling within its scope. These are not small businesses flying under the radar. These are organisations with 50–249 employees or more than €10 million in turnover — the exact demographic NIS2 was written for.
And the clock is ticking. Belgium opened its formal NIS2 audit window on April 18, 2026. Germany's BSI estimates that 18,500 of the roughly 29,500 in-scope companies missed the March 6, 2026 registration deadline — and has announced it will actively check which companies have not registered. Italy's ACN is scaling up enforcement capacity. France's ANSSI has expanded its mandate.
2026 is not the year NIS2 was announced. It is the year NIS2 starts costing money.
What the Research Tells Us
The CyberSmart study (conducted by OnePoll across the UK, Poland, Netherlands, Ireland, France, Germany, Italy, Denmark, and Belgium) identified three primary barriers to compliance:
1. Budget
Budgetary constraints were the leading cause of non-compliance. This is paradoxical: the cost of non-compliance (up to €10 million or 2% of global turnover for essential entities) far exceeds the cost of compliance. But for mid-market organisations, finding budget for something that has not yet resulted in a fine feels abstract — until it does.
2. Lack of Guidance
The second barrier: organisations do not know how to comply. NIS2 defines what is required (Article 21 lists 10 security measures), but not how to implement them. The directive is intentionally technology-neutral and proportionate — which is good policy but terrible for a CISO trying to build a compliance programme from scratch.
This is compounded by fragmented national implementation. As DLA Piper reported, reporting obligations vary significantly between countries. Cyprus requires early warnings within six hours of detection. Germany requires immediate notification. Other countries follow the directive's 24-hour standard. A company operating across three EU jurisdictions faces three different compliance targets for the same event.
3. Insufficient Expertise
The third barrier: there are not enough people. ENISA reports nearly 300,000 unfilled cybersecurity roles across the EU, with two-thirds of organisations reporting understaffed teams. Many smaller utilities and healthcare providers face NIS2 obligations despite having zero dedicated security staff.
Where the 84% Are Failing
Based on the research and the compliance gaps identified by enforcement authorities, the failures cluster in five areas:
Incident Reporting (Article 23)
NIS2 requires a three-stage incident reporting process: 24-hour early warning to the national CSIRT, 72-hour detailed notification, and one-month final report. Failure to meet these deadlines triggers fines.
The practical problem: most organisations' incident reporting processes are informal or untested. Teams scramble after an incident because escalation paths are not clear. Reports go out late or incomplete. As one analysis noted, "you cannot report an incident in 24 hours if you detect it after 72 hours."
The EU Commission itself recognised this problem. In January 2026, it proposed amendments that would require organisations to provide additional details about ransomware demands and payments — acknowledging that the current reporting framework needs refinement even as enforcement begins.
Supply Chain Due Diligence (Article 21.2d)
Managing supplier risk is one of the most challenging aspects of NIS2. Organisations are expected to identify critical suppliers, map dependencies, and assess the security posture of each third party. In practice, companies assume suppliers have adequate controls but do not verify. When a supplier breach occurs, the regulators hold the downstream organisation accountable.
This is not theoretical. Our own subprocessor analysis found that 100% of the 10 SaaS vendors we analysed depend on AWS, 90% on Google Cloud, and 80% on Twilio. A single fourth-party failure could cascade through an entire vendor portfolio — and NIS2 expects you to have mapped these dependencies.
Governance and Executive Accountability (Article 20)
One of the most consequential elements of NIS2 is the formalisation of executive accountability. Management bodies must approve cybersecurity measures, oversee their implementation, and can be held personally liable for negligence. In Germany, the new BSI Act explicitly creates personal liability for managing directors under § 38 BSIG, including potential temporary professional bans for repeated violations.
Yet the CyberSmart research found that only 34% of organisations cite the CEO as ultimately responsible for cybersecurity compliance. In the remaining 66%, accountability is diffused, delegated, or unclear — exactly the governance gap NIS2 was designed to close.
Continuous Monitoring
Many organisations lack continuous monitoring and incident response capability. Security operations are limited to business hours. Cloud visibility is incomplete — misconfigurations, exposed services, and identity risks go undetected. NIS2 Article 21.2a requires "policies on risk analysis and information system security" that include continuous assessment, not annual reviews.
Documentation and Audit Readiness
When the auditor arrives (and in Belgium, they are already arriving), they will ask for structured records of risk assessments, incident investigations, policy reviews, and supplier evaluations. Manual processes, spreadsheets, and email threads do not meet this standard. The organisations that will fail their first audit are not necessarily insecure — they are undocumented.
What the 16% Do Differently
The research also offers a positive signal: 75% of respondents see at least some competitive advantage to NIS2 compliance, and 27% believe that advantage is significant. Compliance is not just a regulatory cost — it is a trust differentiator with partners, investors, and customers.
The organisations in the 16% share common characteristics:
- Board-level ownership: Compliance is a standing agenda item, not a quarterly update
- Platform-based approach: They use software to automate evidence collection, track controls, and manage vendor risk — instead of spreadsheets and consulting engagements
- Cross-framework leverage: NIS2 overlaps significantly with ISO 27001, SOC 2, and DORA. The 16% map controls once and reuse evidence across frameworks, reducing total effort by up to 70%
- Proactive incident preparation: They have tested their reporting processes, know their national CSIRT, and have pre-drafted notification templates — not because they expect a breach, but because Article 23 demands readiness
The Enforcement Reality of 2026
The compliance landscape is shifting from "prepare" to "prove it." Here is what is happening right now:
| Country | Authority | Status |
|---|---|---|
| Belgium | CCB | Audit window opened April 18, 2026. Third-party assessments required — no self-attestation |
| Germany | BSI | 18,500 companies missed March 6 deadline. BSI announced active enforcement checks |
| Italy | ACN | Scaling up audit capacity for essential entities through 2026 |
| France | ANSSI | Expanded mandate and enforcement budget. 200+ audits under NIS1; NIS2 scope significantly larger |
| EU-wide | Commission | January 2026 amendments proposed: expanded scope (submarine cables), ransomware reporting, representative requirements |
Germany alone expanded its critical infrastructure scope from roughly 2,000 to over 30,000 entities under the KRITIS Dachgesetz (effective March 17, 2026). The scale of the enforcement challenge is unprecedented.
What to Do If You Are in the 84%
If your organisation is not yet NIS2 compliant, here is a pragmatic action plan:
Step 1: Determine Your Classification
Are you an essential entity (energy, transport, banking, health, digital infrastructure) or an important entity (manufacturing, SaaS, postal, MSPs)? This determines your penalty tier (€10M/2% vs €7M/1.4%) and supervision model (proactive vs reactive).
Step 2: Run a Self-Assessment
Map your current security posture against the 10 measures in Article 21. Identify which areas are covered, partially covered, or completely missing. This gives you a gap analysis you can act on — and show to auditors as evidence of good faith effort.
Step 3: Fix Incident Reporting First
This is the highest-risk area. If a significant incident occurs tomorrow, can you notify your national CSIRT within 24 hours? Do you know which CSIRT to contact? Do you have a template for the early warning, the 72-hour notification, and the final report?
If the answer to any of these is no, this is your priority. The fines for late reporting are the same as the fines for non-compliance — and they are triggered by a single incident.
Step 4: Address Supply Chain
Identify your critical suppliers. Document the dependencies. Ask for their compliance status. This does not require a full TPRM programme on day one — it requires a register, a risk assessment, and a plan.
Step 5: Automate What You Can
The CyberSmart research identified "lack of guidance" as the second barrier. Compliance platforms exist specifically to close this gap — providing pre-configured control libraries, automated evidence collection, cross-framework mapping, and audit-ready documentation. The cost of a platform (typically €300–900/month) is a fraction of a single consulting engagement and operates continuously, not quarterly.
The Competitive Advantage Is Real
NIS2 compliance is not just about avoiding fines. It is about demonstrating to partners, investors, and customers that your organisation takes cybersecurity seriously — with evidence, not just promises.
In a market where 84% of organisations cannot demonstrate compliance, the 16% that can have a genuine competitive advantage. They win contracts faster, pass due diligence checks, and build trust with regulators before an incident forces the conversation.
The question is not whether NIS2 enforcement will reach your organisation. The question is whether you will be ready when it does.
Sources and References
- CyberSmart — NIS2 Research 2026: Why Only 16% of Businesses Are Compliant — 670 business leaders, 9 countries, primary research
- Skadden — European Commission Announces Potential NIS2 Cybersecurity Reform — January 2026 amendments: scope expansion, ransomware reporting, representative requirements
- DLA Piper — NIS2 Update: EU Moves to Harmonise Controls, Refine Scope — Fragmented national implementation analysis
- ADVISORI — NIS2 Enforcement 2026: BSI Actively Auditing — 18,500 companies missed German deadline, BSI enforcement actions
- D3 Security — Belgium's NIS2 Audit Window Opens April 18, 2026 — First EU member state requiring formal conformity assessments
- Gateway Digital — NIS2 Directive Becomes Real in 2026 — Enforcement triggers, compliance gaps, penalty structures
- Aegister — NIS2 Incident Notification Operating Model — Practical challenges of Art. 23 three-stage reporting
- Ropes & Gray — NIS2 in Force but Can It Be Enforced? — Enforcement capacity analysis
- ECSO — NIS2 Directive Transposition Tracker — Country-by-country implementation status
- Morrison Foerster — Germany's NIS2 Implementation — BSI Act, personal liability, 30,000 in-scope entities
- Greenberg Traurig — NIS2 in Germany: Board-Level Cybersecurity — Executive accountability under German law
- Copla — NIS2 Italy: ACN Implementation Guide — Italian enforcement timeline and penalties