The EU NIS2 Directive's transposition deadline was October 17, 2024. Twelve months on, the enforcement picture is uneven. Eleven of the 27 member states still have not fully transposed, and the European Commission opened infringement proceedings against Belgium, Bulgaria, the Czech Republic, Estonia, Germany, Ireland, Latvia, Luxembourg, the Netherlands, Poland, and Portugal on May 7, 2025. Yet where transposition did happen, enforcement is real. Italy's ACN issued its first NIS2 penalty, EUR 125,000, against a regional transport operator in April 2025. Spain's INCIBE registered 18,400 essential and important entities by July. For software vendors, the real story is the slow but accelerating audit of supply chain controls under Article 21(2)(d). This piece summarizes what is working, what is not, and what to do for your 2025 audit cycle.
Which member states are actually enforcing NIS2 in 2025?
A small group is doing most of the work. Italy, France, Spain, Hungary, and Croatia transposed on time and opened registration portals that now cover, collectively, more than 70,000 entities. Germany's NIS2UmsuCG bill was still in Bundestag committee as of July 2025, leaving an estimated 29,000 German in-scope firms in a legal gray zone. France's ANSSI issued the first formal incident-reporting guidance in January 2025 and has received 1,112 early-warning notifications since. The Netherlands' Cyberbeveiligingswet draft passed the Tweede Kamer in June 2025 with a target in-force date of Q4. Expect a bimodal enforcement curve: fines in the transposed half, infringement pressure in the other.
What are the fines looking like in practice?
Smaller than the headline caps, but not negligible. NIS2 allows fines up to EUR 10 million or 2% of global turnover for essential entities. Actual 2025 penalties are landing between EUR 25,000 and EUR 400,000, typically for late incident notifications or missing governance records. A Hungarian energy utility paid EUR 240,000 in March 2025 for failing to submit a 24-hour early warning after a ransomware incident. The pattern mirrors early GDPR enforcement: procedural failures are easier to prove than substantive security shortfalls, so regulators start there.
How is the supply chain clause (Article 21(2)(d)) actually audited?
Auditors ask for three artefacts: a supplier risk assessment covering the top 20 vendors by criticality, contractual security clauses for those vendors, and evidence that the assessment is refreshed annually. France's ANSSI published a supplier assessment template in February 2025 aligned with ENISA's good practices guide. Italy's ACN has asked multiple audited entities for SBOMs of critical software, specifically CycloneDX or SPDX, during 2025 audits, which is the first concrete signal that SBOM production is becoming an expectation rather than a nice-to-have.
# Minimal NIS2 supplier risk record
supplier: acme-payments
criticality: essential                    # supplier criticality tier used to rank the top-20 vendor list
sbom: cyclonedx-1.6                       # SBOM format and version; CycloneDX or SPDX, as ACN has requested
last_assessment: 2025-06-12               # ISO date of the last supplier risk assessment; refreshed annually
incident_clause: contract-v3-section-14   # reference to the contractual security/incident clause
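As an added illustration that is not from the article or from any vendor's product, a small Python release gate that reads supplier records in the format above and rejects any supplier whose evidence would not satisfy the audit artefacts described: an SBOM in CycloneDX or SPDX, an assessment refreshed within the last year, and a contractual incident clause. The second record and the audit date are constructed for the demonstration.

```python
from datetime import date
# Constructed sample records in the article's format, one per supplier, separated by "---"; the second is deliberately deficient.
SAMPLE_RECORDS = """\
supplier: acme-payments
criticality: essential
sbom: cyclonedx-1.6
last_assessment: 2025-06-12
incident_clause: contract-v3-section-14
---
supplier: legacy-ledger
criticality: important
sbom: none
last_assessment: 2024-03-01
incident_clause:
"""
ACCEPTED_SBOM_FORMATS = ("cyclonedx", "spdx")  # the formats ACN has asked for
MAX_ASSESSMENT_AGE_DAYS = 365                  # "refreshed annually"

def parse_records(text):
    """Split the flat key: value text into one dict per supplier."""
    records = []
    for chunk in text.split("---"):
        pairs = (line.partition(":") for line in chunk.splitlines() if ":" in line)
        rec = {key.strip(): value.strip() for key, _, value in pairs}
        if rec:
            records.append(rec)
    return records

def check_record(rec, audit_date):
    """Return the audit findings for one supplier record (empty list = pass)."""
    findings = []
    if rec.get("criticality") not in ("essential", "important"):
        findings.append("criticality must be 'essential' or 'important'")
    if rec.get("sbom", "").split("-", 1)[0] not in ACCEPTED_SBOM_FORMATS:
        findings.append("sbom must be a CycloneDX or SPDX document")
    try:
        age = (audit_date - date.fromisoformat(rec.get("last_assessment", ""))).days
        if age > MAX_ASSESSMENT_AGE_DAYS:
            findings.append(f"assessment is {age} days old; annual refresh missed")
    except ValueError:
        findings.append("last_assessment missing or not an ISO date")
    if not rec.get("incident_clause"):
        findings.append("no contractual incident clause referenced")
    return findings

def release_gate(text, audit_date):
    """Return (passed, failures); the release is blocked if any record has findings."""
    failures = {rec.get("supplier", "?"): found for rec in parse_records(text)
                if (found := check_record(rec, audit_date))}
    return not failures, failures
```

Run `release_gate(SAMPLE_RECORDS, date(2025, 9, 1))` to see the gate fail on the second supplier while the first passes cleanly.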
What changed about incident reporting?
The 24-hour early warning, 72-hour notification, and one-month final report timeline is now the default expectation, with a 5-day update for the intermediate state. ENISA's 2025 CSIRT landscape report counted 7,950 formal NIS2 notifications across the transposed member states between October 2024 and June 2025. The majority were ransomware (38%), data breaches (21%), and supply chain incidents (14%). Regulators are increasingly cross-referencing these notifications with Article 23 vulnerability disclosures and with GDPR Article 33 filings, which means inconsistent reporting across regimes is now a compliance risk on its own.
What should you prioritize for a late-2025 audit?
Three things, in order. First, build and rehearse the 24-hour notification path, including the legal sign-off. Second, produce SBOMs for the top 10 products in scope and tie them to a supplier register, because this is where 2026 audits will escalate. Third, document board-level cybersecurity responsibility under Article 20, since member states including Italy and Belgium have signaled they will audit management accountability specifically in the second enforcement year.
How Safeguard Helps
Safeguard gives NIS2-scoped organizations a single place to generate CycloneDX and SPDX SBOMs, attach supplier risk assessments, and export audit evidence aligned to ENISA's 2025 templates. Policy gates map directly to Article 21 measures, blocking releases that lack a current SBOM, an assigned supplier risk tier, or a signed incident-clause attestation. When a reportable incident occurs, Safeguard's timeline view reconstructs the blast radius across products and suppliers in minutes, so the 24-hour early warning is a report rather than a scramble.