Summary: Only approximately 40 percent of an estimated 29,500 companies subject to NIS2 obligations have registered so far, indicating systematic compliance gaps.
NIS2 implementation is progressing slowly: Of an estimated 29,500 critical infrastructure operators in the EU, only 11,500 have registered with the competent authorities so far. This points to significant compliance gaps.
The NIS2 Directive requires operators of critical infrastructure and digital services to register with national authorities. Based on available data, approximately 29,500 companies were identified nationwide as potentially affected entities; however, registration rates reveal a substantial discrepancy: with 11,500 recorded registrations, the rate stands at approximately 39 percent.
For compliance officers, this situation is critical, as the NIS2 Directive establishes binding requirements for cybersecurity governance, incident reporting, and risk management. Companies that do not register in time risk fines and regulatory sanctions. The delayed registration may also indicate organizational uncertainties – many businesses may not be fully aware of their NIS2 obligations or have not yet established the necessary structures for registration.
The national supervisory authorities at federal and state levels will need to increasingly point out compliance gaps as the transition period progresses. For affected organizations, prompt inventory of their criticality characteristics and early registration are now required to minimize legal risks.
Source: news.google.com · Published 28 May 2026
Lumi AI News — AI-assisted curation pursuant to Article 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.6.2.