A tough new EU cyber law is off to a messy start, with many countries failing to adopt the rules
New European Union regulations requiring businesses to bolster their cyber defenses are off to a slow start as many member states have failed to adopt the rules in time to meet a key enforcement deadline, according to research monitoring the progress of the directive.
The EU's NIS 2 cybersecurity directive sets a high benchmark for companies over their internal cybersecurity systems and practices. It imposes tougher requirements around risk management, transparency obligations and business continuity planning in the event of a cyber breach.
On Thursday, the new directive officially became enforceable by member states. That means firms now have to ensure their operations are up to scratch with the rules. However, most EU member states have yet to implement NIS 2 in their respective national laws, meaning that enforcement is likely to be spotty.
Two countries — Portugal and Bulgaria — haven't begun the transposition process for NIS 2, where directives are incorporated into the national laws of EU member states, according to a tracker tool from internet research organization DNS Research Federation. The governments of Portugal and Bulgaria were not immediately available for comment when contacted by CNBC Wednesday.
"The implementation status varies significantly across the bloc," Tim Wright, partner and technology lawyer at Fladgate, told CNBC via email.
NIS 2 — or the Network and Information Security Directive 2 — is an EU directive that aims to increase the security of IT systems and networks across the bloc. First proposed in 2020, the law serves as an update to an earlier directive simply called NIS.
NIS 2 expands the scope of its predecessor to address more recent cybersecurity challenges and threats, as criminals have