Eighteen months after NIS2 came into force across the European Union, the enforcement phase is no longer hypothetical. National supervisors in Germany, France, Italy, and the Netherlands have issued the first significant fines and enforcement orders, and the pattern that's emerging is more instructive than the directive text itself.
The early cases share an uncomfortable theme. Very few of them are about the absence of controls; they're about the absence of evidence that controls exist. A hospital group fined for an outdated incident response plan that hadn't been tested in three years. A logistics operator sanctioned not for a breach, but for missing the seventy‑two‑hour reporting window. A digital infrastructure provider penalized because its supply‑chain risk register named vendors but never assessed any of them.
"European supervisors aren't asking whether you have a policy. They're asking when you last tested it – and they want to see the calendar invite."
That pattern matters because it tells well‑prepared organizations where the audit lens will land. Documentation, dates, signatures, and exercise records are doing the heavy lifting. A perfectly designed control with no evidence of operation looks identical, from a supervisor's chair, to a control that doesn't exist. NIS2 is, in practice, an evidence regime.
Cross‑border enforcement is also coming into focus. Several of the early cases involved entities headquartered in one member state and operating critical services in another. The coordinating supervisor concept is still maturing, but multinational operators should not assume that the strictest national authority is the only one they need to satisfy. Aligning to the most demanding national interpretation is, increasingly, the safer default.
For security and compliance leaders outside the EU, the lesson generalizes. As the SEC's disclosure rules, APRA CPS 230, and similar regimes mature, regulators everywhere are converging on the same expectation – prove that what's on paper is also what happens in practice. The organizations that treat 2026 as the year to close that gap will spend the back half of the decade competing on capability, not explaining themselves to supervisors.