Summary
- The European Commission has referred Ireland, Spain, France, and the Netherlands to the Court of Justice over NIS2 transposition delays.
- NIS2 applies to entities in 18 critical sectors, including health, energy, transport, public administration, and digital infrastructure.
- Delayed implementation creates uneven compliance conditions for companies operating across Europe.
The European Commission has referred Ireland, Spain, France, and the Netherlands to the Court of Justice of the European Union for failing to fully transpose the NIS2 cybersecurity directive into national law, exposing the uneven pace at which Europe’s cyber resilience ambitions are becoming enforceable rules.
NIS2 was designed to raise cybersecurity standards across the EU by widening the range of organisations covered by mandatory risk management and incident reporting duties. Member States had until 17 October 2024 to transpose the directive, but the Commission says the four countries have not notified complete implementation measures.
The referral follows earlier letters of formal notice and reasoned opinions. The Commission is also asking the Court to impose financial sanctions, including a lump sum and daily penalties until full transposition is notified.
The affected countries are not peripheral to Europe’s digital economy. France, the Netherlands, Spain, and Ireland host large technology operations, cloud regions, financial services activity, pharmaceutical and healthcare systems, transport operators, public sector platforms, and multinational headquarters. Delays in those markets create a practical compliance problem for companies that operate across borders.
NIS2 covers entities in 18 critical sectors, including health, energy, transport, public administration, digital infrastructure, ICT service management, space, wastewater, waste management, and manufacturing of critical products. The directive is meant to strengthen incident response capacity across both public and private organisations, while reducing the risk that weak cyber controls in one part of the economy spill into wider disruption.
Directives depend on national transposition, and that creates a familiar European technology policy problem. A common EU framework can still arrive unevenly in practice, leaving organisations with different timelines, supervisory expectations, penalties, and reporting requirements depending on where they operate. Companies trying to build group-wide cyber governance rarely get a neat implementation map.
Suppliers serving regulated customers face a particular challenge. Cloud providers, managed service providers, software vendors, telecoms operators, and security companies may need to support clients across jurisdictions where NIS2 obligations are live, incomplete, or subject to national interpretation. Contract clauses, incident notification procedures, audit rights, and resilience commitments become harder to standardise in that environment.
The court referral also lands as cybersecurity policy is being pulled into wider industrial and geopolitical debates. NIS2 is not only about preventing data breaches. It is part of a broader attempt to make Europe’s essential services more resilient in a period of state-backed cyber activity, ransomware pressure, supply chain attacks, AI enabled threat development, and growing dependence on shared digital infrastructure.
Delayed implementation weakens that effort because attackers do not wait for legislative calendars to align. Organisations in critical sectors still need to modernise patching, asset management, access controls, incident response, supplier oversight, and executive accountability, even where local rules are not yet fully in force. The court process may accelerate national action, but it will not remove the underlying implementation burden.
Boards and public sector executives should treat NIS2 as more than a legal deadline. European cyber regulation is hardening, and lagging national transposition is unlikely to provide durable cover against expectations from customers, regulators, insurers, and supply chain partners. The legal machinery is catching up with a business reality that has already arrived: cyber resilience is now part of the operating licence for critical and important services.










