EU drags 4 nations to court over cybersecurity law they ignored for months
Most EU Member States complied, but four have failed to do so.

Tourists use folding fans near the Eiffel Tower during hot weather. Annice Lyn/Getty Images.
- The European Commission sued France, Ireland, the Netherlands, and Spain for missing the October 2024 deadline to implement the NIS2 cybersecurity directive.
- NIS2 requires organizations in critical sectors like healthcare, energy, and finance to report cyberattacks and meet stricter security standards.
- The directive creates shared threat intelligence between EU countries and a European vulnerability database to improve collective cyber defense.
- Over 8,000 Dutch organizations must comply with new cybersecurity rules when the law takes effect in August 2026 after late approval.
The European Commission has brought 4 EU Member States before the Court of Justice of the European Union because they failed to transpose the NIS2 Directive into national legislation in time.
NIS is short for Network and Information Security. NIS2 is the successor to the first NIS Directive. NIS2 aims to increase the digital resilience of companies and organizations in Europe and to harmonize the security of network and information systems across the European Union.
Among other things, NIS2 focuses on digital threats to network and information systems, such as cyberattacks, zero-day exploits, and ransomware. The directive stipulates that both private and public organizations in critical sectors, such as healthcare, energy, finance, digital infrastructure, and public administration, will be subject to a duty of care and a reporting obligation.
In addition, agreements have been reached on the exchange of threat intelligence between member states, and a European database for vulnerabilities will be established. Lastly, companies and organizations must comply with stricter cybersecurity requirements.
Stay updated with our latest stories and follow us on social media
Be the first to discover new stories, ideas, and updates from our team.
The deadline for the implementation of the NIS2 Directive into national legislation was October 2024. While most EU Member States complied, France, Ireland, the Netherlands, and Spain have failed to do so.
For that reason, the European Commission has decided to refer these 4 EU Member States to the Court of Justice of the European Union.
“Its full implementation is key to improving the EU’s resilience and the incident response capacity of public and private entities operating in these critical sectors, and of the EU as a whole,” the Commission says in a statement.
In April 2026, the House of Representatives in the Netherlands approved the legislative proposal for the Cybersecurity Act, which incorporates the NIS2 Directive into national law. Last Tuesday, the Senate also greenlit the proposal.
The European directive will enter into force in the Netherlands on August 15th, 2026, requiring over 8,000 Dutch organizations to comply with the new cybersecurity requirements.