EU sues four member states over NIS2 cybersecurity law delays
European Commission files legal referrals against Ireland, Spain, France, and Netherlands for failing to transpose NIS2 Directive for critical infrastructure cybersecurity, 20...

Executive Summary
The European Commission on Wednesday filed legal referrals at the Court of Justice of the European Union against Ireland, Spain, France, and the Netherlands for failing to transpose the NIS2 Directive, the bloc's flagship cybersecurity law for critical infrastructure. The four member states are more than 20 months past the original October 2024 deadline, leaving hospitals, energy networks, transport operators, and public administrations without mandated minimum security standards. The Commission is seeking lump-sum fines and ongoing daily penalties until each country formally notifies full transposition, though such fines are rarely collected in practice.
Technical Analysis
NIS2 (Directive (EU) 2022/2555) replaced the 2016 Network and Information Security Directive, expanding coverage from a handful of sectors to 18 critical sectors including healthcare, energy, transport, digital infrastructure, and public administration. The directive introduces mandatory risk-management measures, incident-reporting obligations, and supply-chain security requirements that the original law lacked. It also establishes a network of national computer security incident response teams (CSIRTs) that underpins the EU's Cyber Resilience Act, whose vulnerability-reporting obligations begin applying in 2027.
As of January 2025, only six of the EU's 27 member states had transposed NIS2 into domestic law. The Commission's legal action targets the four countries that have made the least progress. Ireland's National Cyber Security Bill, which would transpose NIS2 and place the National Cyber Security Centre on a statutory footing, is expected to be notified by the end of 2026, according to the responsible minister. Spain, France, and the Netherlands had not published comparable timelines at the time of writing.
The filing coincides with ENISA's warning of thousands of cybersecurity incidents affecting the bloc in the year ending June 2025. According to ENISA, public administration was the most-targeted critical sector, accounting for 38% of incidents, followed by transport at 7.5%. Speaking in Munich in February, European Commission technology lead Henna Virkkunen warned the EU could no longer afford to be "naive" about adversaries' ability to switch off critical infrastructure, citing power grids, hospitals, and financial systems as increasingly exposed.
Mitigations & Recommendations
Organizations operating in the four cited member states should monitor national legislative progress and prepare for NIS2 compliance requirements as transposition approaches, even if delayed. Defenders in critical infrastructure sectors should implement the directive's core risk-management and incident-reporting frameworks voluntarily where possible, as ENISA data indicates active targeting of these sectors regardless of legal transposition status. The Commission's separate proposal to amend NIS2 for greater legal clarity may further ease compliance burdens, but no timeline for those amendments has been set.
Stay Updated
Get the latest cybersecurity news delivered to your inbox.

