Ireland, Spain, France and the Netherlands are being referred to the Court of Justice of the European Union over a failure to notify national measures implementing new EU cybersecurity rules.
The action concerns the NIS2 Directive, an EU law on securing network and information systems that sets cybersecurity requirements for organisations in 18 critical sectors, including health, energy, transport and the public sector, the European Commission announced on Wednesday.
EU countries had until 17 October 2024 to bring the directive into national law, but the four states have not notified full transposition.
The Commission said it sent formal letters to the countries on 28 November 2024, followed by “reasoned opinions” — a step in the EU infringement process warning a case may go to court — on 7 May 2025.
It is asking the court to impose financial sanctions on the four states, made up of a lump sum and daily penalties until they notify complete transposition.
What the NIS2 rules cover
Cybersecurity involves protecting network and information systems, users and affected individuals from cyber incidents and threats, the Commission said.
The NIS2 Directive requires EU countries to strengthen their cybersecurity capabilities and to introduce risk-management measures and incident-reporting obligations for entities in the 18 sectors covered.
The Commission also said it proposed targeted amendments to NIS2 on 20 January 2026, alongside a wider “cybersecurity package”, to provide greater legal clarity and make compliance easier for companies operating in the EU.

