European Commission takes four countries to EU court over NIS2 delays
Delayed NIS2 implementation prompts the European Commission to pursue court action.
The European Commission has referred Ireland, Spain, France and the Netherlands to the Court of Justice of the European Union for failing to transpose the NIS2 Directive fully into national law.
The Directive strengthens the EU cybersecurity rules and sets common requirements for organisations operating in critical sectors.
Member states were required to transpose NIS2 by 17 October 2024, but the four countries have not notified the Commission of full implementation.
The referrals follow earlier infringement steps. The Commission sent letters of formal notice on 28 November 2024 and reasoned opinions on 7 May 2025.
The Commission is asking the Court to impose financial sanctions, including a lump sum and daily penalties until the countries notify complete transposition.
NIS2 applies to entities in 18 critical sectors, including health, energy, transport and public administration.
The Directive aims to improve national and EU-wide cyber resilience by strengthening risk management, incident response and security obligations for public and private entities.
The Commission said full implementation is essential for improving the EU’s overall resilience and the incident response capacity of organisations operating in critical sectors.
Why does it matter?
The referral shows that the Commission is prepared to enforce cybersecurity law against member states that fail to meet implementation deadlines. NIS2 is designed to create a more consistent baseline of cyber resilience across the EU, but delays in national transposition can leave organisations facing fragmented obligations and uneven enforcement. For critical sectors, consistent implementation is central to risk management, incident response and cross-border resilience.
Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!
