
Preventing European Market Fragmentation to Strengthen Collective Cyber Resilience - Cristian Michael Tracci, ECSO


How can we prevent fragmentation of the European market during the implementation of NIS 2?

Fragmentation can be mitigated first through EU coordination. The NIS Cooperation Group, where Member States sit together with ENISA and the Commission, is the formal venue to align interpretations, share practices and converge on reusable guidance (templates, taxonomies, reporting formats).

Second, encouraging bottom-up convergence where political will exists. For example, mutual recognition of control frameworks and assurance (e.g., CyFun used by Belgium and adopted by Romania and Ireland) reduces duplication for cross-border operators.

At this stage, the realistic goal is common baselines among supervisors and industry to reuse across Member States, rather than maximum harmonisation. However, it is worth highlighting some amendments to NIS 2, recently proposed as part of the Cybersecurity Act revision package, including the Cyber Posture Scheme. This would provide an EU-level, risk-based baseline that organisations can demonstrate in a comparable way across Member States. By aligning core outcomes and measurement criteria, it would help reduce duplicate audits and friction for cross-border operators.

Should the NIS 2 directive be seen as just another regulatory burden, or as a strategic lever for sovereignty to propel European cyber champions?

Neither framing is quite right. NIS 2 is primarily a security policy. It exists to raise the baseline of resilience across essential and important entities because risks are high and maturity is uneven across sectors and across countries. As a result, companies in scope may stimulate demand for cybersecurity products and services, but NIS 2 is not an industrial policy, and that should not blur the directive's core purpose.

Regarding regulatory burdens, there are legitimate concerns. These are also amplified by divergent national transposition, as we have tried to evidence through the ECSO NIS2 Directive Transposition Tracker. Simplification and harmonisation are European priorities at the highest level, as highlighted in the Draghi Report and by multiple leaders ever since. Our research identified four main areas to address: incident reporting, risk management frameworks, supply chain, and assessments and auditing.

Can NIS 2 truly transform the cyber culture within European companies by holding top executives directly and personally accountable?

There is no single proof that personal executive accountability automatically "changes culture", but experience from other regimes suggests it can change behaviour and governance, especially when enforcement is credible and expectations are clear. But this is a really good question, applied to NIS 2 and the broader cybersecurity legislative ecosystem, for which we will need more evidence in the future.

In your view, what are the most critical aspects of NIS 2 that CISOs should focus on?

CISOs tend to read NIS 2 through two lenses simultaneously: operational security on one side, compliance on the other. The starting point is confirming what is actually in scope in each country of operation, since national transpositions diverge enough to change the answer. It's worth paying attention not only to sectoral differences and the thresholds applied, but also to how entities' services are classified, and descoped in some cases.

Afterwards, governance comes first, because Article 20 puts management bodies on the hook for approving cybersecurity risk-management measures and for following dedicated training. There must be clear roles, decision rights, and a board-level reporting cadence. Incident reporting is the next pressure point. To be able to meet the timeline (a 24-hour early warning, a 72-hour notification, and a final report within a month), organisations need to define classification criteria and escalation paths, and collect evidence well in advance.

Last, supply chain risk management under Article 21 is the hardest, because of the number of third-party suppliers and the complexity of managing supply chain security, for which there are still limited guidelines.

Overall, the focus is on keeping the fundamentals strong in line with the existing international frameworks and the applicable national ones.

About Cristian Michael Tracci

Cristian Michael Tracci is Strategy Officer at ECSO (European Cyber Security Organisation) and co-founder of Cyber Strategy Initiative. Holding a Master of International Affairs in International Security Policy from Columbia University (SIPA), he brings a geopolitical and strategic perspective to cybersecurity.
