The European Commission has taken a significant step in enforcing the European Union’s cybersecurity framework by referring Ireland, Spain, France and the Netherlands to the Court of Justice of the European Union over delays in implementing the NIS2 Directive.
The case centres on the four countries’ failure to fully notify the Commission of national measures transposing the Directive into domestic law. NIS2 is one of the EU’s key cybersecurity laws and is designed to strengthen the resilience of essential and important services across the bloc. It applies to organisations operating in 18 critical sectors, including healthcare, energy, transport, public administration, digital infrastructure and other services vital to the functioning of society and the economy.
The Commission’s action follows earlier stages in the infringement process. Letters of formal notice were sent on 28 November 2024, followed by reasoned opinions on 7 May 2025. Since the Commission considers that complete transposition has still not been notified, it has now escalated the matter to the EU’s highest court.
This move comes at a time when cyberattacks against governments, public bodies and private companies are becoming more frequent, more sophisticated and more disruptive. Across Europe, ransomware incidents, attacks on public services and threats to critical infrastructure have underlined the need for consistent cybersecurity standards across all Member States.
The NIS2 Directive is intended to reduce fragmentation by setting common rules on cybersecurity risk management, incident reporting, supervision and enforcement. Its full implementation is important not only for individual countries, but for the EU as a whole, because cyber threats rarely stop at national borders. Weaknesses in one jurisdiction can create vulnerabilities across wider supply chains, public networks and cross-border services.
By asking the Court to impose financial sanctions, including a lump sum and daily penalties until full notification is made, the Commission is signalling that cybersecurity implementation is not optional. The referral also sends a wider message to Member States that delays in transposing critical digital and security legislation will attract consequences.
For organisations operating in affected sectors, the development is another reminder that NIS2 compliance remains a priority. Even where national laws are still being finalised, businesses and public bodies should be preparing their cybersecurity governance, risk management processes and incident response capabilities now.
The Commission’s decision marks an important enforcement moment for EU cyber policy. As cyber threats continue to grow, the EU is pushing to ensure that its legal framework is not only adopted on paper, but implemented in practice.


Leave a Reply