European Commission Refers Ireland, Spain, France and the Netherlands to the CJEU Over NIS2 Delays

A sharp regulatory-enforcement move from the European Commission — compliance stakes rise this week.

Share

Key Takeaways

  • The European Commission on July 9, 2026 decided to refer Ireland, Spain, France and the Netherlands to the Court of Justice of the European Union (CJEU) for failing to notify measures transposing the NIS2 Directive on securing network and information systems into national law.
  • The transposition deadline for NIS2 was October 17, 2024; the four member states remain more than 20 months past it, and the Commission opened infringement procedures in November 2024 and sent a reasoned opinion on May 7, 2025 before escalating to the Court.
  • The Commission is asking the Court to impose lump-sum and continuing daily financial penalties on each state until NIS2 is fully incorporated into domestic law — turning a transposition delay into a live financial and legal exposure for the affected member states.

A defender-relevant escalation: the European Commission has taken four member states to the EU's top court for not transposing the NIS2 cybersecurity directive, with financial penalties on the table.

BRUSSELS — The European Commission on July 9, 2026 referred Ireland, Spain, France and the Netherlands to the Court of Justice of the European Union (CJEU) for failing to transpose the NIS2 Directive — the bloc's central cybersecurity law for network and information systems — into national law. The four states are more than 20 months past the directive's October 17, 2024 transposition deadline, and the Commission has asked the Court to impose financial penalties until each brings NIS2 fully into force domestically.

The move reads as a regulatory-enforcement story rather than an incident, but its stakes are concrete for the critical-infrastructure operators the directive governs. NIS2 sets baseline cybersecurity obligations across 18 sectors — including energy, health, transport, and the public sector — and its enforcement depends on national transposition. As The Record reported, the Commission is now asking the Court for lump-sum and daily penalties, escalating a two-year infringement process into a courtroom that can attach a running financial cost to continued delay.

At a Glance
FieldDetails
WhoEuropean Commission (referring party); Court of Justice of the European Union (CJEU)
Member states referredIreland, Spain, France, and the Netherlands
Law at issueNIS2 Directive (Directive (EU) 2022/2555) on network and information systems security
Core failureFailure to notify measures transposing NIS2 into national law
Transposition deadlineOctober 17, 2024 (more than 20 months elapsed)
Prior stepsInfringement procedures opened November 2024; reasoned opinion sent May 7, 2025
Remedy soughtLump-sum and continuing daily financial penalties until full transposition
StatusReferred to the CJEU on July 9, 2026; proceedings pending

What the European Commission Announced

The European Commission announced on July 9, 2026 that it had decided to refer four member states — Ireland, Spain, France and the Netherlands — to the Court of Justice of the European Union (CJEU), the bloc's highest court, for failing to notify the measures needed to transpose the NIS2 Directive into national law. NIS2, formally Directive (EU) 2022/2555, is the European Union's flagship cybersecurity law for network and information systems, and it required member states to bring national implementing measures into force by October 17, 2024. As The Record reported, the four states remain more than 20 months past that deadline.

The referral is the culmination of a formal, multi-stage infringement process rather than a sudden action. According to the Commission, it opened infringement procedures against the member states in November 2024, shortly after the transposition deadline lapsed, and on May 7, 2025 it sent them a reasoned opinion — the step in EU infringement practice that grants a member state a final window to comply before the Commission can escalate to the Court. With that window closed and the required measures still not notified, the Commission has now asked the CJEU to intervene.

The remedy the Commission is seeking gives the referral its enforcement teeth. Rather than merely a declaratory judgment, the Commission has asked the Court to impose both lump-sum and continuing daily financial penalties on each member state until it confirms that NIS2 has been fully incorporated into domestic law. That structure is designed to make continued delay progressively costly, converting an administrative deadline that passed quietly in October 2024 into an open financial exposure that grows for as long as transposition remains incomplete.

Why NIS2 Transposition Matters for Critical Infrastructure

The significance of the referral lies less in the courtroom mechanics than in what NIS2 is meant to do. The directive establishes baseline cybersecurity obligations across 18 critical sectors — among them energy, health, transport, digital infrastructure, and the public sector — and it raises the bar for the entities operating within them, from risk-management and incident-reporting duties to governance accountability at the management level. It is, in effect, the European Union's attempt to set a common cybersecurity floor for the services that societies depend on.

That common floor only exists in practice once each member state transposes the directive into enforceable national law. NIS2 is a directive, not a regulation, which means it does not apply directly; it obliges member states to write and enact their own implementing measures within the bounds the directive sets. Until a state completes that step, the operators inside its borders are not bound by NIS2's national regime in the way the directive intends — a gap that matters most precisely in the sectors the law was written to protect.

For defenders and compliance teams inside affected organizations, the referral is a signal that the transposition gap is now a live regulatory concern at the highest level, not a background technicality. The direction of travel is clear even where national law has not yet caught up: the obligations NIS2 sets out — mature risk management, timely incident reporting, and accountable governance — are the baseline European regulators expect, and the Commission's willingness to litigate underscores that it regards the delay as a genuine cybersecurity-resilience problem rather than a paperwork lag.

Compliance Implications for the Affected Member States

For Ireland, Spain, France and the Netherlands, the immediate implication is legal and financial exposure at the state level. By asking the Court for lump-sum and daily penalties, the Commission has structured the case so that the cost of non-compliance accrues over time and stops only when full transposition is confirmed. The affected states can end that exposure at any point by completing and notifying their implementing measures — the remedy the Commission is seeking is aimed at compelling transposition, not at punishing beyond it.

The downstream implication falls on the critical-infrastructure operators within those jurisdictions. Organizations in the covered sectors face a period of regulatory uncertainty: the shape of their eventual national obligations is set by the directive, but the precise scope, thresholds, and supervisory arrangements are fixed only once each state enacts its law. Prudent security and compliance teams in these markets are likely to treat NIS2's requirements as the working baseline now, rather than waiting for national statutes that the Commission is actively pressing the Court to accelerate.

It is worth being precise about what remains unconfirmed. Whether the four member states have responded publicly to the referral, the specific reasons each cited for the delay, and the timeline the CJEU will follow are not established in the announcement itself. What is confirmed is the core action: four states referred, NIS2 named as the law at issue, and financial penalties requested — a combination that places the compliance question squarely on the affected governments this week.

How the Referral Affects NIS2 Harmonization Across the EU

The broader stake in this case is harmonization. NIS2 was designed to replace an uneven patchwork left by its predecessor with a more consistent, higher common standard across the single market, so that a critical-infrastructure operator faces recognizably similar cybersecurity expectations whether it operates in Dublin, Madrid, Paris, or Amsterdam. That goal is undercut when major member states have not transposed the directive years after the deadline, leaving parts of the bloc governed by the old regime or by interim arrangements while others operate under NIS2.

The referral is, in that light, an enforcement of harmonization as much as of any single obligation. By taking four states to the Court and seeking penalties, the Commission is signaling that partial or delayed transposition is not an acceptable steady state — that the value of a common cybersecurity floor depends on it actually being common. The case will be watched by other member states as an indicator of how aggressively Brussels intends to police the timeline for its cybersecurity framework.

This is consistent with a broader European pattern of using regulatory and legal instruments to shape the cybersecurity and digital-policy landscape, from encryption-certification timelines to platform and disclosure rules. The CyberSignal has tracked adjacent moves such as France's non-quantum-safe encryption certification decision and a Council of Europe investigation-disclosure matter, both of which reflect the same underlying reality: in Europe, cybersecurity outcomes increasingly turn on how policy and law are written and enforced, not only on how systems are defended.

Scope and Impact

The scope of the action is defined narrowly by its subject: it concerns the failure to transpose one directive, NIS2, and names four member states. It is not an allegation of a breach, an attack, or operator misconduct — it is a transposition-enforcement case. That framing matters, because the impact is felt not through any single incident but through the slow effect of an uneven legal baseline across the sectors NIS2 governs. The impact is regulatory and structural, and it compounds the longer transposition remains incomplete. Reporting from The Record frames the referral as part of the Commission's broader effort to hold member states to the cybersecurity framework they collectively adopted.

For the wider European policy landscape, the impact is a clear precedent. The Commission has demonstrated that it will litigate cybersecurity-law delays and seek financial consequences, which raises the cost of inaction for any member state weighing its own transposition timeline. That precedent sits alongside a run of recent European regulatory activity touching digital safety, online platforms, and cross-border enforcement — a pattern in which policy instruments, not only technical controls, are doing the work of raising the region's cybersecurity baseline.

The affected community, ultimately, is the operators and public bodies inside the covered sectors, whose eventual obligations depend on national transposition finally being completed. This is the same policy-and-enforcement current visible in other CyberSignal coverage of European digital rules, including the UK's move to restrict social media for under-16s and Europol's first VPN takedown targeting cybercrime anonymity — each a reminder that the region's cybersecurity posture is being shaped as much in institutions and courts as in security operations centers.

Open Questions

Several aspects of the referral are not established in the announcement and should be treated as open. It is not confirmed whether the four member states — Ireland, Spain, France and the Netherlands — have responded publicly to the referral, nor what specific reasons each has given for the transposition delay. The internal or political factors behind each state's failure to notify implementing measures are not detailed in the Commission's action itself.

The procedural timeline is also unresolved. When the CJEU will hear the case, how long proceedings may run, and the eventual size of any lump-sum or daily penalties the Court might impose are not specified at this stage; the Commission has requested penalties, but their imposition and amount are for the Court to decide. Whether any of the four states completes transposition before the case is decided — which would bear directly on the remedy — is likewise open.

Finally, the wider scope is worth flagging as a known unknown. The referral names four states, but it does not by itself resolve how many other member states have or have not fully transposed NIS2, or whether further referrals may follow. What is confirmed is the specific action reported this week: four member states referred to the CJEU over NIS2 transposition, with financial penalties sought — and that alone raises the compliance stakes for the affected jurisdictions and the operators within them.


The CyberSignal Analysis

The reported facts above are drawn from the European Commission's announcement and independent reporting; what follows is The CyberSignal's editorial reading of what defenders and compliance teams should take from them. None of the judgments below are new reported facts.

Signal 01 — Transposition Delay Is Now a Priced Risk, Not a Grace Period

The most durable lesson here is that the Commission has attached a running price to delay. By asking the Court for lump-sum and continuing daily penalties, it has reframed a missed transposition deadline from an administrative lag into an accruing financial and legal exposure. Our reading is that this changes the calculus for any member state treating the October 2024 deadline as a soft target — the cost of inaction is now designed to grow for as long as the gap persists.

For operators inside the affected jurisdictions, the practical interpretation is to stop waiting on national law as a trigger. The obligations NIS2 sets out are the baseline European regulators expect, and the Commission's willingness to litigate signals that these expectations are not contingent on a state's transposition schedule. Treating NIS2's requirements as the working standard now is the posture most consistent with where enforcement is heading.

Signal 02 — Harmonization Is the Real Objective the Case Defends

The referral is best read as a defense of harmonization rather than of any single clause. NIS2's value proposition is a common, higher cybersecurity floor across the single market; that value collapses if major member states operate outside it years after the deadline. Our assessment is that the Commission is litigating the principle that a common standard must actually be common — and that partial adoption undermines the whole framework.

The forward-looking watch item is whether this precedent accelerates the laggards. A visible enforcement action with financial teeth is the clearest signal Brussels can send to other member states weighing their own timelines. We would watch for further referrals or expedited transposition as the practical measure of whether this case moves the harmonization needle.

Signal 03 — In Europe, Cybersecurity Outcomes Are Increasingly Set in Institutions

The through-line connecting this referral to the region's other recent moves is that European cybersecurity outcomes are increasingly shaped by policy and legal instruments, not only by technical defense. The CJEU referral, encryption-certification timelines, and platform-and-disclosure rules are all cases where the decisive action happens in institutions and courts. Our reading is that defenders operating in Europe must treat the regulatory layer as a first-order part of their threat and compliance model.

The actionable interpretation for security and compliance leaders is to build the policy dimension into planning rather than reacting to it. Tracking transposition status, anticipated national thresholds, and enforcement posture is now as material to European operations as any control-level decision — because in this region, the baseline is being set, and enforced, from the top down.


Sources

TypeSource
PrimaryEuropean Commission — press release on the CJEU referral over NIS2 transposition
ReportingThe Record — EU takes member states to court over unimplemented cybersecurity law
RelatedThe CyberSignal — France Non-Quantum-Safe Encryption Certification Decision
RelatedThe CyberSignal — Council of Europe Investigation-Disclosure Matter
RelatedThe CyberSignal — UK Social Media Restrictions for Under-16s
RelatedThe CyberSignal — Europol's First VPN Takedown Targeting Cybercrime Anonymity