Summary
- The European Commission has referred Ireland, Spain, France, and the Netherlands to the Court of Justice over incomplete NIS2 transposition.
- The case affects operators and suppliers across essential and important sectors in four major European markets.
- The referrals expose the compliance gap created when EU-wide resilience duties depend on uneven national implementation.
The European Commission has referred Ireland, Spain, France, and the Netherlands to the Court of Justice of the European Union after concluding that the four Member States have not completed national transposition of the NIS2 Directive.
The referrals place four large European markets under formal legal pressure over rules designed to raise cyber resilience standards across essential and important sectors, including health, energy, transport, digital infrastructure, public administration, and managed technology services. The Commission said the countries had failed to notify full national measures implementing Directive (EU) 2022/2555, despite a transposition deadline of 17 October 2024.
The decision follows letters of formal notice sent in November 2024 and reasoned opinions issued in May 2025. The Commission is asking the Court to impose financial sanctions, including lump-sum and daily penalties, until each country notifies complete transposition. The move escalates a legal dispute with the four governments while exposing the operational friction created when a European cyber resilience regime advances unevenly across national systems.
NIS2 substantially widens the scope of EU cyber duties compared with the original NIS Directive, bringing more sectors and suppliers into regulatory reach. Organisations in scope face duties around risk management, incident reporting, supply chains, governance accountability, and cooperation with national authorities. Where national laws are incomplete, organisations can still see the direction of travel, but they may lack certainty on local thresholds, competent authorities, enforcement practice, registration mechanics, and sector-specific interpretation.
The Commission’s referral notice reaches beyond the four capitals. Ireland hosts major technology and cloud operations serving the European market. France and Spain carry large industrial, public-sector, transport, health, telecoms, and energy footprints. The Netherlands is a major logistics, datacentre, financial, and digital infrastructure hub. Delays in these jurisdictions create compliance uncertainty for groups that operate across borders, as well as suppliers trying to standardise contractual and assurance obligations across Europe.
Organisations cannot treat incomplete national implementation as a reason to pause NIS2 work. Large operators and suppliers have already had to prepare for the directive’s core expectations, particularly around incident reporting discipline, supplier security, vulnerability handling, continuity planning, and executive oversight. The harder task is evidential: boards, procurement teams, and legal functions need defensible records showing that cyber risk is being managed against a changing regulatory landscape, especially where subsidiaries and third parties span several Member States.
Brussels has built a dense cyber and digital resilience framework around NIS2, DORA, the Cyber Resilience Act, the Cyber Solidarity Act, and sector-specific rules. That architecture depends on national authorities having clear legal mandates, operational resources, and consistent channels for incident handling and supervision. When transposition stalls in large markets, regulated organisations face a hybrid reality in which EU-level expectations are clear but the local enforcement interface remains incomplete.
Supplier contracts are likely to keep moving ahead of national legislation. Buyers in regulated sectors are already asking for incident notification commitments, security evidence, subcontractor visibility, and continuity planning. Even where domestic NIS2 laws are delayed, large customers will continue to press suppliers for assurance because their own exposure does not wait for parliamentary timetables.
The Court process may take time, but the Commission’s position is now formal. NIS2 is moving from policy alignment into legal accountability, and organisations operating in or supplying into the four markets will need to show that resilience work has continued while national implementation catches up.





