NIS2 is addressed to EU Member States, meaning it is their responsibility to incorporate the directive into national law. Each country must create enforcement mechanisms, designate competent authorities, and ensure businesses comply with the new rules. While organizations must meet security and reporting obligations, it is the governments that set the legal framework.

No, NIS2 does not apply directly to companies. Instead, it is implemented through national laws, which define how organizations must comply. Companies operating in critical or important sectors must follow these laws, but the exact requirements may vary depending on the country’s approach to transposing NIS2.

Yes, but only within certain limits. While Member States must follow the core requirements of NIS2, they have some flexibility in defining enforcement mechanisms, penalties, and specific compliance processes. However, they cannot weaken the directive’s minimum security standards or reporting obligations.

If a Member State fails to implement NIS2 correctly, the European Commission can take legal action, including referring the country to the Court of Justice of the European Union. This could result in fines or other measures to force compliance, ensuring a uniform approach across all EU countries.