European Commission Refers Four Member States to CJEU Over NIS2 Transposition Delays
Time 2 Minute Read

On July 8, 2026, the European Commission announced that it had referred Ireland, Spain, France, and the Netherlands to the Court of Justice of the European Union (“CJEU”) for failing to notify the Commission that they had fully transposed Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the European Union (the “NIS2 Directive”) into national law.  

The NIS2 Directive is intended to strengthen cybersecurity across the EU by imposing risk management and incident reporting requirements on entities operating in critical sectors, including health, energy, transport, and the public sector. EU Member States were required to transpose the NIS2 Directive into their national laws by October 17, 2024.

According to the Commission, the four EU Member States have not yet notified the Commission that they have completed the required transposition. The Commission sent letters of formal notice on November 28, 2024, and sent reasoned opinions on May 7, 2025, before referring the matter to the CJEU.

The Commission has requested the CJEU to impose financial sanctions, including lump-sum amounts and daily penalties, on the EU Member States until full transposition is notified. The referrals reflect the Commission’s view that timely implementation of the NIS2 Directive is important to improving cybersecurity resilience and incident response capacity across the EU.

The decision comes as the Commission continues to refine the EU’s cybersecurity framework. As part of a broader cybersecurity package released in January 2026, the Commission proposed targeted amendments to the NIS2 Directive intended to provide greater legal clarity and make compliance more manageable for companies operating in the EU. Read more about the Commission’s January 2026 proposals here.

Read the press release here.

Search

Subscribe Arrow

Recent Posts

Categories

Tags

Archives

Jump to Page