MENU
CLOSE
The Law Platform
© Copyright 2021 - 2026
The European Commission has escalated its enforcement action against four Member States, referring France, Spain, Ireland and the Netherlands to the Court of Justice of the European Union (CJEU) for failing to fully incorporate new cybersecurity rules into their national laws. The Commission’s move marks the next stage in an infringement procedure over delays in transposing the Network and Information Security Directive 2 (NIS2 Directive), a major EU cybersecurity framework designed to strengthen the resilience of critical sectors against growing digital threats. By taking the matter before the EU’s highest court, the Commission is seeking to ensure that Member States comply with their obligations under EU law and establish a more consistent cybersecurity regime across the bloc.
The Legal Dispute Behind the Court Action
The NIS2 Directive was adopted by the European Union to replace and expand the earlier cybersecurity framework, known as the NIS Directive. It seeks to improve cybersecurity standards across a wider range of sectors, including energy, transport, healthcare, digital infrastructure, banking, and public administration.
Unlike regulations, which apply directly across Member States once adopted, directives require countries to take legislative action at the national level to achieve the objectives set by the EU.
However, Member States are not free to implement directives whenever they choose. They are legally required to transpose them into domestic law within the deadline set by the EU legislature.
The deadline for Member States to transpose the NIS2 Directive into national law expired on 17 October 2024. According to the Commission, the four Member States referred to the CJEU have failed to fully complete that process.
EU Enforcement Powers at Work
The Commission’s decision reflects EU’s infringement proceedings, one of its most important legal mechanisms. Under the Treaty on the Functioning of the European Union, the Commission has the authority to take action against Member States that fail to fulfil their obligations under EU law. Where a Member State does not address the Commission’s concerns during the earlier stages of the procedure, the Commission may refer the matter to the CJEU. The purpose of such proceedings is not simply punitive. They serve to preserve the uniform application of EU law across all Member States. In areas such as cybersecurity, where threats can easily cross national borders, inconsistent implementation of EU rules can create vulnerabilities that affect the wider Union. A weakness in one Member State’s cybersecurity framework can potentially have consequences for businesses, public institutions, and citizens across Europe.
1 day ago
1 day ago
7th Jul, 2026
9th May, 2026
12th Jan, 2026
Why NIS2 Matters
The NIS2 Directive represents the EU’s response to the rapidly changing nature of cyber threats.
As economies become increasingly dependent on digital systems, cyberattacks have evolved from isolated incidents affecting individual organisations into risks capable of disrupting essential services and national infrastructure. The directive therefore expands the number of entities required to comply with cybersecurity obligations and introduces stronger requirements relating to risk management, incident reporting, supply chain security, and cooperation between national authorities. The delayed implementation of these rules has raised concerns about whether some Member States have the necessary legal and institutional frameworks in place to protect critical infrastructure from cyber risks.
Balancing National Implementation and EU Obligations
The dispute also highlights the balance between national legislative autonomy and the obligation of Member States to give effect to common EU standards. Though Member States retain responsibility for creating their own domestic legal frameworks, that responsibility exists within the broader obligation to ensure that EU directives achieve their intended purpose. The NIS2 dispute demonstrates that delays in national implementation can have consequences beyond domestic politics. In areas requiring collective action, such as cybersecurity, the EU relies on timely and consistent implementation by all Member States.
Failure to do so may undermine the very objective of harmonisation that EU legislation seeks to achieve.
What Happens Next?
The referral of France, Spain, Ireland and the Netherlands to the CJEU does not automatically mean that the Member States will be found in breach. The court will examine the Commission’s arguments and determine whether the countries failed to meet their obligations under EU law. If the CJEU agrees with the Commission, the Member States may be required to take corrective measures. In certain circumstances, the Commission may also seek financial penalties where a Member State fails to comply with EU obligations. For now, the case serves as a reminder that EU directives are not merely policy recommendations. Once adopted, they create legal obligations that Member States must implement within the required timeframe. As cyber threats continue to expand in scale and sophistication, the Commission’s action signals that cybersecurity compliance is becoming an increasingly important area of EU legal enforcement.
Source: European Commission Press Release