European Commission takes four countries to EU court over NIS2 delays
Ireland, Spain, France and the Netherlands have been referred to the Court of Justice of the EU for failing to fully transpose the NIS2 cybersecurity directive.
The European Commission has referred Ireland, Spain, France and the Netherlands to the Court of Justice of the European Union over delays in implementing the NIS2 Directive.
NIS2 is the EU’s updated cybersecurity law. It sets common security and incident-reporting requirements for organisations in critical sectors, including health, energy, transport, public administration and digital infrastructure.
Member States were required to transpose the directive into national law by 17 October 2024. According to the Commission, the four countries have not notified full implementation.
The court referrals follow earlier infringement steps. The Commission sent letters of formal notice on 28 November 2024 and reasoned opinions on 7 May 2025.
The Commission is asking the Court to impose financial sanctions. These include a lump sum and daily penalties until each country notifies complete transposition.
NIS2 is intended to strengthen cyber resilience across the EU. It requires covered entities to improve risk management, security measures and incident response.
The Commission said full implementation is needed to improve the EU’s overall cybersecurity resilience and the ability of critical organisations to respond to cyber incidents.
