NIS2 Transposition: Legal Boundaries, Competence Allocation, and Implications for National Internal Security
Policing shouldn't be treated like a digital enterprise with an identity crisis.
The NIS2 Directive (Directive (EU) 2022/2555) is the EU's second horizontal cybersecurity framework, adopted to strengthen and harmonise cyber risk management, incident reporting, and resilience across the Union. It replaces the 2016 NIS Directive (Directive (EU) 2016/1148) with a broader scope, covering more sectors and more entities, and with stricter security and reporting requirements. It was published in the Official Journal on 27 December 2022 and entered into force on 16 January 2023. Its aim is a common high level of cybersecurity across critical sectors such as energy, transport, health, digital infrastructure, public administration, and water, achieved through minimum requirements for risk management, incident reporting, and supervision. Member States were required to transpose the directive into national law by 17 October 2024.
The directive was adopted through the EU's ordinary legislative procedure: the European Commission submitted the proposal, and the text was negotiated with the European Parliament and the Council. While NIS2 received broad political support, the negotiations involved complex technical discussions on scope, proportionality, reporting timelines, and supply-chain security, and the compromise had to balance cybersecurity objectives against national legal frameworks and operational feasibility across the EU. The final text was adopted in 2022 and, following its publication, became binding on Member States for transposition into national law. Despite a preparation period of almost two years, most Member States missed the transposition deadline and remain at different stages of implementation. By mid-2025, roughly half had adopted national implementing legislation, and only a minority had completed the process, including formal notification of complete transposition to the Commission.
The Transposition Hurdle: Delays and Infringement Risks
According to Euronews, Belgium and Croatia were the first Member States to have national implementing legislation in place by the transposition deadline. Since then, several other countries, including Italy, Lithuania, Hungary, Latvia, Finland, Romania, Slovakia, and Slovenia, have adopted national laws. In many cases, however, formal notification to the European Commission of full transposition remains pending. As of mid-July 2025, approximately 14 of the 27 Member States had adopted national legislation transposing the directive. Only a limited number, such as Belgium, Croatia, Italy, and Lithuania, are generally regarded as having completed both legislative transposition and the associated notification to the Commission.
Delays in transposition have triggered infringement procedures at EU level. In November 2024, the European Commission issued letters of formal notice to 23 Member States for failure to transpose the directive. This was followed in May 2025 by reasoned opinions, the second stage of infringement proceedings, addressed to 19 Member States that had still not notified full transposition. They were given two months to respond before potential referral to the Court of Justice of the European Union, where the Commission may ask the Court to impose financial penalties for failure to notify transposition measures (Article 260(3) TFEU).
Why Has NIS2 Transposition Proven Difficult?
The remainder of this article examines the conceptual and methodological problems that arise when NIS2 principles are misapplied to law enforcement and internal security bodies. It highlights the risk of conflating public-sector responsibilities with private-sector analogies and argues that such analyses must be grounded in national law, verified operational realities, and constitutionally mandated safeguards.
Several structural factors have contributed to the complexity of transposing the NIS2 Directive. The directive applies to a broad range of sectors and introduces detailed governance, incident-reporting, and cyber risk-management requirements. Member States must integrate these obligations into existing national legal and administrative frameworks, which vary significantly in structure, scope, and institutional responsibilities. As a result, transposition timelines and legislative approaches have differed widely. In some countries, including France, political developments and legislative backlogs further delayed the process. Moreover, even where national laws have been adopted, several Member States have not yet completed the formal notification to the European Commission, which is itself a necessary element of compliance.
The Risk of Over-Transposition: Guarding the Subsidiarity Principle
Beyond these structural challenges, a less discussed but increasingly relevant issue is the risk of over-transposition. In some Member States, political recommendations, stakeholder advocacy, or academic and policy-oriented analyses have promoted extending NIS2 requirements beyond the directive’s legal scope. This includes proposals to apply NIS2 obligations or ENISA technical guidance to police organisations. Such approaches raise complex legal and constitutional questions, particularly in areas traditionally reserved to national competence, and risk complicating transposition by introducing obligations not required by EU law.
The intersection of cybersecurity and law enforcement has therefore attracted growing attention in both policy and academic discourse. A number of studies and policy papers have examined the potential implications of NIS2 for police organisations and other internal security bodies, often proposing harmonised governance models or operational controls inspired by the directive. However, Article 2(7) of the NIS2 Directive expressly excludes public administration entities carrying out their activities in the areas of national security, public security, defence or law enforcement from its scope. Despite this clear exclusion, some post-adoption readings, often shaped by policy advocacy or by analyses that weigh strategic considerations more heavily than operational or constitutional frameworks, stretch the directive beyond its expressly defined legal scope.
Where national legislation, policy debates, or academic discourse do not clearly reflect the exclusion of law enforcement, interpretative uncertainty regarding the directive’s scope may emerge. This may influence policy discussions, contribute to uncertainty regarding the boundaries of EU competence, and create the perception that harmonised EU-level obligations could extend to national policing and internal security bodies. Such framing risks setting precedents that may affect the established balance of competences between the Union and the Member States in matters of internal security.
Data Sovereignty vs. Outmoded Analogies: Why Police Are Not “Digital Enterprises”
While research addressing cybersecurity risks in law enforcement contexts is legitimate and necessary, it is essential that such analysis clearly distinguishes between voluntary best practices and legally binding EU obligations. Maintaining this distinction is crucial to preserving legal certainty, respecting constitutional boundaries, and ensuring that the NIS2 Directive is implemented as intended - no more, and no less.
A particular concern arises when the language used in such studies draws conceptual analogies between public law enforcement agencies and private-sector enterprises, for example through assertions that "law enforcement agencies operate as digital enterprises." While such phrasing may be intended to highlight organisational or technological complexity, it risks importing private-sector logics of efficiency, optimisation, or profit into domains where these considerations are neither primary nor appropriate. Law enforcement bodies are state-mandated, non-commercial public institutions governed by constitutional, legal, and operational frameworks designed to uphold public safety, the rule of law, and national security. Treating police organisations as functionally equivalent to private enterprises obscures their public-interest mandate and the highly sensitive nature of their activities. It may also encourage the application of governance models that are incompatible with public accountability, constitutional safeguards, and the strict avoidance of conflicts of interest linked to financial incentives.
Preserving Constitutional Order in the New Techno-Political Era
Where the exclusion of law enforcement from the scope of EU cybersecurity legislation is not made explicit, interpretative ambiguities regarding applicability may emerge. Such ambiguities can influence policy discussions and blur the delineation of EU competences in the field of internal security. In this context, the NIS2 Directive and ENISA guidance are more appropriately understood as reference frameworks, rather than as binding legal instruments for police or other law enforcement agencies, and the development of comprehensive compliance architectures on this basis warrants careful reconsideration. Over time, such interpretative approaches could be invoked in support of broader harmonisation initiatives in the area of law enforcement cybersecurity, notwithstanding that national security remains the sole responsibility of each Member State (Article 4(2) TEU), that the Treaties preserve Member States' responsibility for maintaining law and order and safeguarding internal security (Article 72 TFEU), that Union action in shared areas is subject to the principle of subsidiarity (Article 5(3) TEU), and that competence allocations are further defined in national constitutional orders.
Analogies that equate police organisations with other categories of critical infrastructure, such as energy or transport operators, raise additional analytical challenges. Police information systems are uniquely sensitive, state-controlled, and embedded within constitutional, criminal-procedure and data-protection safeguards specific to policing (in EU law, the Law Enforcement Directive (EU) 2016/680 rather than the general data-protection regime) that do not apply to conventional critical infrastructure entities. Framing NIS2 as directly applicable to law enforcement therefore risks obscuring important legal and operational distinctions, with consequences for regulatory clarity. Similarly, methodological approaches that accord EU policy statements, recommendations, or communications a normative weight comparable to binding instruments for national police systems may contribute to uncertainty regarding institutional roles and responsibilities among policymakers, scholars, and practitioners.
Conclusion: Grounding Cyber-Security in Ethical Boundaries
This risk of misalignment becomes particularly evident when alleged conflicts, for example over logging, data retention, or incident reporting, are presented as direct tensions between NIS2 obligations and constitutional policing law. In reality, Article 2(7) of the NIS2 Directive excludes public administration entities that carry out their activities in the areas of national security, public security, defence or law enforcement, including the prevention, investigation, detection and prosecution of criminal offences. Article 2(8) further allows Member States to exempt other specific entities that carry out activities in those areas, or that provide services exclusively to such public administration entities, from the risk-management and reporting obligations of Articles 21 and 23 in respect of those activities or services; the one express carve-back is Article 2(9), under which neither provision applies where an entity acts as a trust service provider. Two consequences follow. For police organisations themselves, any such conflicts are theoretical rather than operational. At the same time, the exclusion attaches to the entity and its activities, not to police data as such: a shared government IT provider or commercial supplier that serves police forces alongside other customers remains subject to NIS2 for its in-scope activities unless a Member State exempts it under Article 2(8), which is available only for activities in those areas or for services provided exclusively to such entities. Presenting the position otherwise may suggest a more extensive EU role in the operational governance of national internal security networks than the Treaties provide for, and thereby raise questions of consistency with the principle of subsidiarity and the allocation of competences. Moreover, selective citation of NIS2 or ENISA materials without reference to law enforcement-specific domains, combined with reliance on private-sector regulatory literature or consultancy publications and no complementary analysis of binding legal sources, does not on its own provide a sufficient legal basis for claims about the applicability of EU law.
While EU research and innovation policy has made important and commendable contributions to shared security challenges, including counter-terrorism, hybrid threats, and crisis resilience, its increasing proximity to areas traditionally reserved to national internal security warrants careful scrutiny. The risk of over-centralisation at the expense of constitutional systems cannot be ignored. The competences conferred on the Union are enumerated and delimited: the Treaties leave national security as the sole responsibility of each Member State (Article 4(2) TEU) and preserve Member States' responsibility for the maintenance of law and order and the safeguarding of internal security (Article 72 TFEU), so that even the Union's role in police cooperation under Title V TFEU does not displace national responsibility for the operational governance of policing, public order, or internal security, and the principles of national sovereignty and subsidiarity reinforce that limit. The Union's origins in economic integration, as a common market built on a customs union, further reinforce the distinction between market regulation and the exercise of coercive public authority. Security governance, particularly in areas such as counter-terrorism, must therefore remain clearly distinguished from market-oriented governance models and firmly anchored in the primacy of the public interest.
From a methodological perspective, reliance on EU communications—often drafted for policy outreach rather than legal or operational precision—together with consultancy blogs, vendor marketing materials, and general policy portals, does not, in itself, provide a sufficient legal basis for substantiating claims regarding law enforcement obligations. In several such studies, the bibliography omits binding legal sources, including the NIS2 Directive itself, national transposition acts, relevant constitutional and police legislation, applicable CJEU case law, and authoritative academic literature on EU competences, subsidiarity, and law enforcement governance.
A robust literature base in this field must therefore be grounded in EU constitutional law and subsidiarity doctrine, the allocation of competences between the Union and the Member States, police governance and operational doctrine, law enforcement cyber-forensics frameworks, and established public administration cybersecurity practices. Absent these foundations, assertions regarding the applicability of NIS2 to police organisations, the binding nature of ENISA guidance for law enforcement agencies, or EU authority to define operational policing doctrine across Member States remain unsupported. This results in both methodological and conceptual shortcomings and underscores the necessity for analyses of sensitive public security sectors to rely primarily on national legislation, verified operational practices, and frameworks actually employed by law enforcement agencies, rather than on general EU communications or policy statements.