In September, a cyberattack interrupted airport operations across Europe, cancelling thousands of flights, and causing significant economic losses by disrupting business operations and supply chains. This event highlights how indispensable it is to ensure that vital sectors are not only well-prepared for cyber threats but also actively engage with experts to stay ahead of evolving risks and strengthen their cybersecurity posture.

This comes at a critical time, as EU Member States approach the first anniversary of the deadline to transpose the Network and Information Systems 2 Directive (NIS2) into national legislation. NIS2 is a major update to its 2016 predecessor, expanding the scope of covered entities to ensure that essential and important sectors are adequately prepared to withstand cyber threats. However, 13 EU Member States, including France, Germany, and Spain, still have not transposed NIS2. This delay poses serious risks to the proper functioning of society, business continuity, and public safety.

TIC Council, the international association representing the Testing, Inspection, and Certification (TIC) sector, urges all Member States to establish the appropriate frameworks and governance structures (e.g., designation of competent authorities and single points of contact) to ensure NIS2 is correctly implemented.

The TIC sector brings extensive experience and technical expertise to support Member States and entities under the scope of NIS2. Standards such as ISO/IEC 27001 offer a proven, internationally recognised framework for managing information security, helping organisations identify risks, implement effective controls, and continuously improve their cybersecurity resilience. Evidence of this is ENISA’s mapping between NIS2 and ISO/IEC 27001, which argues that the standard provides a structured foundation for governance, risk management, and information security. Thus, proactive engagement with TIC companies that certify against ISO/IEC 27001 can significantly reduce disruptions, enhance operational resilience, lower compliance costs, and, most importantly, build trust through independent verification and audits.

Encouragingly, some Member States (e.g., Finland, Croatia, Belgium, and Romania) have already incorporated ISO/IEC 27001 into their national transposition of NIS2, allowing certified companies to demonstrate effective compliance. This approach rewards those who have invested over the years in security maturity and certification. The alignment with international standards is a positive development that should be extended to Member States whose transposition is pending, ensuring consistent protection and enabling organisations to prove compliance through well-established, globally recognised certification. Hungary, for instance, has integrated external cybersecurity audits into its national law to ensure the highest level of safety through independent and professional oversight.

However, as NIS2 is implemented through national legislation, its application across Member States shows a lack of harmonisation and uniformity. To prevent further fragmentation within the EU, we call on all Member States to closely collaborate and align their national implementations through the NIS2 Cooperation Group. This will ensure that all critical infrastructure actors across Europe operate under common standards and a level playing field. A harmonised approach will benefit both EU businesses and critical infrastructure operators by providing predictable requirements.

Protecting the EU’s critical infrastructure from cyber threats is not optional; it is crucial for the safety, resilience, and competitiveness of both society and the economy. With NIS2, there is a clear opportunity for Member States, businesses, and the TIC sector to work together to create a robust cybersecurity ecosystem, ensuring that the most vital sectors are secure and prepared for future threats.

Our recommendations
  • Immediate NIS2 implementation: All remaining EU Member States must fully transpose NIS2 into national law without further delay.
  • Member States to systematically recognise ISO/IEC 27001 certification in their NIS2 transpositions: This standard provides structured, proven methodologies for managing information security, assessing risks, and building resilience, while facilitating cross-border consistency and enabling industry to demonstrate conformity through trusted certification schemes. Further, as organisations navigate a complex landscape of EU legislation (e.g., Cybersecurity Act, Cyber Resilience Act, DORA, GDPR), all of which rely, either explicitly or implicitly, on the ISO/IEC 27001 framework, certification to this standard serves as a foundational building block.
  • Uniform competency, involvement of an independent and accredited third party for conformity assessment activities/services such as inspections: Embed independent third-party assessments and certifications based on cybersecurity accreditations in national transpositions to ensure the highest degree of security, reliability, and trust. Accredited independent certification and inspection bodies bring proven technical expertise and competency that can identify vulnerabilities, detect anomalies, and verify the effectiveness of security measures, providing an objective layer of assurance that strengthens the entire cybersecurity ecosystem.
  • Harmonisation across the EU: Member States should align their implementations via the NIS2 Cooperation Group to avoid fragmentation, legal uncertainty, and divergent requirements.

Contact Person
Ángel Moreno Rubio, Digital Policy Manager 
Rue du Commerce 20/22, B-1000 Brussels  
Tel: +32 487 02 07 32 
Email: amorenorubio@tic-council.org