The European Commission has filed legal actions against Ireland, Spain, France and the Netherlands for their failure to transpose the NIS2 Directive into national law. The deadline for implementation passed over 20 months ago, leaving critical infrastructure in these countries without the updated cybersecurity protections mandated by the EU.
NIS2 is the EU's flagship cybersecurity law, designed to strengthen resilience across sectors like energy, transport, health, and digital infrastructure. The directive imposes stricter incident reporting requirements, supply chain security measures, and governance obligations on operators of essential services. Delayed implementation means these protections are not yet enforceable in the four member states.
The commission has referred the cases to the Court of Justice of the European Union, which could impose financial penalties. This marks an escalation in enforcement after months of warnings and formal notices to the lagging nations. Other member states have already completed or are near completing their transposition.
The affected countries now face the risk of significant fines if the court rules against them. The move underscores the EU's commitment to cybersecurity harmonization, even as some member states struggle with legislative bottlenecks or political resistance. The commission has urged immediate action to close the gap.