European Patience With Cybersecurity Laggards Snaps

European Patience With Cybersecurity Laggards Snaps

European Patience With Cybersecurity Laggards Snaps

https://www.bankinfosecurity.com/european-patience-cybersecurity-laggards-snaps-a-32190

Publish Date: 2026-07-09 16:53:00

Source Domain: www.bankinfosecurity.com

Author:

Using an unordered list, summarize the following article with between 4 and 8 key points.

Geo-Specific
,
Regulation
,
Standards, Regulations & Compliance

European Commission Sues 4 Countries for Not Implementing NIS2

David Meyer •
July 9, 2026    

Image: Lukianenko Igor/Shutterstock

The European Commission is cracking down on Spain, France and other countries for failing to implement or abide by cybersecurity legislation.
The EU executive body sued Ireland, Spain, France and the Netherlands on Wednesday because they have not yet implemented the second version of the Network and Information Security Directive, commonly known as NIS2. This directive forces the EU’s member states to publish national cybersecurity strategies and boost the protection of critical infrastructure in sectors ranging from energy and transport to search and cloud.
Member nations were all supposed to have national legislation implementing the directive in place by mid-October 2024. Very few did, though most got their laws in order by January of this year, when the commission told ISMG that just seven of the bloc’s member states had failed to notify any measures for transposing the directive (see: European States Spin Wheels on Cybersecurity Directive).
Of those seven, Bulgaria, Sweden and Luxembourg all introduced the necessary laws in the first half of this year. That leaves the four that the commission just referred up to the Court of Justice, the EU’s highest court, with a request for a fine “consisting of a lump sum and daily penalties until notification of complete transposition.”
“The directive strengthens EU cybersecurity by setting high standards for entities operating in 18 critical sectors, including health, energy, transport and the public sector,” the commission said. “Its full implementation is key to improving the EU’s resilience and the incident response capacity of public and private entities operating in these critical sectors, and of the EU as a whole.”
The commission on Wednesday also opened infringement procedures against Spain, France and Latvia for failing to pass national laws implementing another piece of cybersecurity legislation, the Digital Operational Resilience Act Regulation. The law, known as DORA, standardizes cybersecurity measures across the financial sector. It fully entered into force in mid-January 2025.
Being a regulation rather than a directive, DORA automatically applies across the EU, regardless of whether national implementing legislation has been passed or not. But, regulations are supposed to be enforced evenly across all member countries so they generally require at least some tweaks to existing national laws. DORA explicitly mandates national governments to disclose by January 2025 implementing legislation to the commission, the European Banking Authority, the European Securities and Markets Authority, and the European Insurance and Occupational Pensions Authority.
“These provisions concern administrative penalties and remedial measures, as well as the powers of competent authorities where member states provide for criminal penalties instead of administrative sanctions,” the commission said. “The effective enforcement framework established by DORA is an essential element of the Union’s efforts to strengthen the digital operational resilience of financial entities, including banks, insurance undertakings and investment firms, in an increasingly digitalized financial sector.”
Spain, France and Latvia now have two months to respond to the commission’s letters of formal notice, which may be followed by “reasoned opinions” and, eventually, the sort of referral to the Court of Justice that just took place over lack of NIS2 implementation.
France’s NIS2 and DORA woes stem from the fact that Paris has decided to implement both laws – plus the EU’s Critical Entities Resilience Directive, which is supposed to protect essential services from non-cyber types of disruption – in one bumper bill. The draft law first appeared in late 2024. Its last draft was published in September last year and legal observers were expecting passage in the first quarter of this year, but that hasn’t happened.
In Spain, the government approved a draft of a NIS2-implementation law in January 2025. But it hasn’t submitted the bill to the Spanish parliament.
Reports in Spain suggest the government may be holding back the new law until it can incorporate cybersecurity requirements that will be set under two current EU-level legislative pushes: the Cybersecurity Act revisions that the commission proposed in January, and last November’s Digital Omnibus, which would tweak NIS2 reporting requirements in an effort to make it easier for organizations to comply with the thicket of EU cybersecurity laws in a streamlined way (see: Europe Readies Law to Eject Chinese Equipment From Telecoms).
Ireland intends to implement NIS2 through a bill the government published in 2024 after delays that were partially down to a national election – such events are often responsible for the uneven implementation of EU directives.
The Irish proposal is currently being scrutinized by parliamentary committees. Civil liberties advocates say it goes beyond NIS2’s requirements by allowing the Irish National Cyber Security Centre to scan all publicly accessible systems for vulnerabilities without permission, and to gather large amounts of communications metadata and public-sector network traffic. They also don’t like how the law would allow for domain-blocking in the name of cybersecurity, nor that it could enable mass data retention – a tactic that the European Court of Justice has repeatedly struck down – by forcing telecommunications providers and datacenter operators to install surveillance equipment.
The Netherlands is relatively close to transposing NIS2. The Dutch parliament approved that country’s implementing law in April. The Senate followed suit earlier this week, and the law will enter into force in mid-August, which may prompt the commission to withdraw its referral of the Netherlands to the Court of Justice.
Also this week, ENISA – the EU cybersecurity agency – published recommendations to help national authorities grapple with the looming impact of high-velocity, artificial intelligence-enabled cyberthreats. The agency said in the document that providers covered by NIS2 now have to “harden operations against AI-scale threats such as adaptive phishing, model poisoning and supply-chain pivots,” adding that NIS2 incident reporting could “help close the gap between vulnerability disclosure to coordinated response.”