EU takes member states to court over unimplemented cybersecurity law

EU takes member states to court over unimplemented cybersecurity law

EU takes member states to court over unimplemented cybersecurity law

https://therecord.media/eu-cyber-filing-ireland-spain-france-netherlands-nis2

Publish Date: 2026-07-09 09:15:00

Source Domain: therecord.media

Author:

Using an unordered list, summarize the following article with between 4 and 8 key points. The European Commission on Wednesday filed legal referrals at the EU’s top court against four member states for failing to implement the bloc’s flagship cybersecurity law covering critical infrastructure. Ireland, Spain, France and the Netherlands are more than 20 months late in transposing the NIS2 Directive, which sets minimum security standards for hospitals, energy networks, transport operators and public administrations. The Commission has asked the Court of Justice of the European Union to impose a lump sum and ongoing daily financial penalties on all four countries until each formally notifies full transposition. Few member states met the original October 2024 deadline for transposing NIS2 into domestic legislation. As of January 2025, only six of the EU’s 27 member states had transposed the directive. In practice, the fines being sought by the Commission are rarely paid. Member states in previous cases have generally adopted the required legislation while proceedings are under way, prompting the Commission to withdraw before the court makes a ruling. The filing comes as ENISA, the EU’s cybersecurity agency, has warned of thousands of cybersecurity incidents affecting the bloc in the year ending June 2025. ENISA identified public administration as the most-targeted critical sector at 38% of incidents, followed by transport at 7.5%. European officials have cast the risk in increasingly stark terms. Speaking in Munich in February, the Commission’s technology lead, Henna Virkkunen, warned the European Union could no longer afford to be “naive” about adversaries’ ability to switch off critical infrastructure, saying that power grids, hospitals and financial systems were all increasingly exposed. NIS2 is an update of the original Network and Information Security Directive of 2016, a law that covered fewer sectors and was applied unevenly across the bloc. The newer directive widened its scope to 18 critical sectors and added risk management and incident reporting requirements that were not included in the original directive. NIS2 also underpins a broader legislative program on cybersecurity. The EU’s Cyber Resilience Act, which imposes security requirements on connected products and whose vulnerability-reporting obligations begin to apply in 2027, relies on the national response-team network that NIS2 establishes. In January, the Commission proposed revising the EU’s Cybersecurity Act to strengthen ENISA and reduce risks in critical technology supply chains, including a provision that would see member states phase out designated high-risk suppliers such as Huawei and ZTE from critical infrastructure. Separately, the Commission proposed targeted amendments to NIS2 to provide greater legal clarity and ease compliance for companies — issues which officials have said contributed to delays in transposing the updated directive. Ireland said its National Cyber Security Bill, which will transpose NIS2 and place the country’s National Cyber Security Centre on a statutory footing, is close to finalization, with the minister responsible expecting to notify transposition by end of 2026. Spain, France and the Netherlands had not published comparable statements at the time of writing. Get more insights with the Recorded FutureIntelligence Cloud.Learn more.