The European Commission has taken Ireland, Spain, France and the Netherlands to the Court of Justice of the European Union over their failure to put the bloc’s NIS2 cybersecurity directive into national law, a delay that leaves critical-sector operators under uneven rules across the EU.
The Commission said Wednesday it is asking the court to order both one-off fines and daily penalties against the four governments. Those payments would run until each country formally tells Brussels it has fully implemented the directive.
NIS2 is the EU’s main cybersecurity law for essential and important entities. It sets baseline requirements for risk management and incident reporting across sectors including healthcare, energy, transport and public administration. The directive replaces the 2016 Network and Information Security Directive, which covered fewer sectors and produced inconsistent national regimes.
The updated law expands the framework to 18 critical sectors. That wider reach is the point: Brussels wants hospitals, utilities, government bodies and transport networks to meet comparable security obligations rather than depending on a patchwork of national choices. The problem, as usual, is that EU directives need national legislation before they bite in each member state.
The deadline was October 2024. According to the Commission’s earlier figures, only six of the EU’s 27 member states had completed transposition by January 2025. Ireland, Spain, France and the Netherlands are now more than 20 months behind schedule, according to the Commission.
The requested fines may be more stick than invoice. In similar EU infringement cases, governments often pass the missing laws while the case is pending, after which the Commission can withdraw the referral before judges rule. Still, the move raises the political cost of leaving cyber rules half-built while attacks keep landing on public and private infrastructure.
The timing is not subtle. ENISA, the EU cybersecurity agency, has warned of thousands of cyber incidents affecting the bloc in the year to June 2025. ENISA identified public administration as the most frequently targeted critical sector, accounting for 38% of incidents, with transport next at 7.5%.
European officials have also become blunter about the stakes. Speaking in Munich in February, Henna Virkkunen, the Commission’s technology lead, warned that the EU could no longer afford to be “naive” about adversaries’ ability to disrupt critical infrastructure. She pointed to exposure in power grids, hospitals and financial systems.
NIS2 also props up other pieces of the EU’s cyber rulebook. The Cyber Resilience Act, which will impose security requirements on connected products and begins applying vulnerability-reporting duties in 2027, relies on the national computer security incident response team network created under NIS2.
Brussels is also trying to tune the broader system. In January, the Commission proposed changes to the EU Cybersecurity Act to strengthen ENISA and address risks in critical technology supply chains. The proposal included a mechanism under which member states would phase out designated high-risk suppliers, including Huawei and ZTE, from critical infrastructure.
The Commission has separately proposed targeted amendments to NIS2, saying they would give companies clearer legal obligations and reduce compliance burdens. Officials have said those issues contributed to delays in national implementation.
Ireland has said its National Cyber Security Bill, which would transpose NIS2 and put the National Cyber Security Centre on a statutory footing, is nearing completion. The minister responsible expects to notify transposition by the end of 2026. Spain, France and the Netherlands had not issued comparable public statements.
This story draws on original reporting from The Record.