The NIS2 Directive covers approximately 30,000 additional companies that must align their cybersecurity governance and technical controls with EU-wide standards.
The CritInfra Ordinance draft contains definitional gaps and relies on a 20-year-old, methodologically disputed threshold of 500,000 persons that does not adequately reflect actual critical infrastructure risks.
Temporary onboarding passwords distributed via email or SMS and not consistently changed create unnecessary security risks for companies and violate NIS2 standards.
Unmanaged non-human identities represent a systematic security gap that will manifest as a mass outage in 2026 when machine certificates in millions of enterprise-dependent services expire simultaneously.
Data sovereignty through local cloud infrastructure is necessary but insufficient — true control requires robust identity governance and transparency over metadata, encryption keys, and access protocols.
The EU launches infringement proceedings against France and Spain for failing to transpose the NIS2 Directive into national law after the transposition deadline expired.
The Commission is suing France and Spain before the CJEU for non-implementation of the NIS2 Directive to enforce comprehensive regulatory protection of critical infrastructure.
The NIS2 Directive significantly expands the scope of regulated companies and introduces new requirements for cybersecurity governance and risk management systems.