Geo-Specific,
Regulation,
Standards, Regulations & Compliance
European Commission Sues 4 Countries for Not Implementing NIS2

The European Commission has decided to take legal action against several member states for their failure to enact vital cybersecurity legislation. According to a recent announcement, Ireland, Spain, France, and the Netherlands are now facing a lawsuit due to their non-compliance with the second version of the Network and Information Security Directive, commonly referred to as NIS2. The Commission accentuated that this directive mandates all EU member states to develop national cybersecurity strategies while enhancing protection for critical infrastructure across various sectors including energy, transportation, and cloud computing.
Member states were originally given a deadline of mid-October 2024 to implement their national legislation in accordance with NIS2. Despite this, a significant number of countries have yet to meet this requirement. As of January earlier this year, the European Commission reported that only seven of the EU’s member states had not conveyed any measures for transposing the directive into their national laws. Among these, Bulgaria, Sweden, and Luxembourg have rolled out the necessary legislation within the first half of the year, leaving four countries, including Ireland and Spain, vulnerable to legal repercussions. The Commission has submitted its request for penalties to the Court of Justice, the EU’s highest judicial authority, which includes both a lump sum and ongoing daily fines until the directive is fully implemented.
The importance of the NIS2 directive cannot be overstated. It aims to fortify cybersecurity across the EU by establishing stringent standards for entities across 18 critical sectors such as health, energy, and public services. The Commission emphasized that comprehensive implementation is crucial for bolstering the EU’s resilience and enhancing the incident response capabilities of both public and private organizations. This objective becomes even more pressing in light of rising cyber threats that have become a potent risk to national and international security.
In a further measure against non-compliance, the Commission has initiated infringement procedures against Spain, France, and Latvia concerning another critical piece of cybersecurity legislation—the Digital Operational Resilience Act Regulation. Commonly known as DORA, this regulation standardizes cybersecurity measures within the financial sector and officially came into effect in mid-January 2025.
Unlike directives, regulations such as DORA apply uniformly across the EU, ensuring that compliance is consistent among all member states, regardless of their individual legislative processes. However, national governments are still expected to make necessary adjustments to their existing laws to enforce DORA effectively. The regulations require that national authorities submit their proposed legislative modifications to the European Commission, alongside various financial regulatory bodies, by January 2025 to maintain adherence to the newly established standards.
The Commission has underscored that the provisions enshrined in DORA encompass administrative penalties and available remedial avenues, including the powers vested in competent authorities where member states opt for criminal penalties instead of administrative sanctions. The establishment of an effective enforcement framework through DORA is heralded as essential in strengthening the digital operational resilience of financial entities, such as banks, insurance firms, and investment companies, particularly in a landscape increasingly dependent on digitization.
Following the notification letters issued by the Commission, Spain, France, and Latvia have been granted a two-month window to respond. Should their responses be deemed unsatisfactory, this process may progress to “reasoned opinions,” leading eventually to further negotiations with the Court of Justice as seen with the NIS2 directive.
France’s challenges with NIS2 and DORA stem from the country’s decision to consolidate both laws, alongside the EU’s Critical Entities Resilience Directive, into a single comprehensive legislative framework. This draft bill was first introduced in late 2024, with subsequent drafts appearing through September of the following year. However, as of now, the passage of this bill has not materialized as anticipated.
Similarly, while the Spanish government has approved a draft implementation law for NIS2 as of January 2025, it has yet to present this bill to the Spanish parliament. Reports suggest that the delay might be strategic, as the government appears to be waiting to integrate additional cybersecurity requirements emerging from ongoing legislative discussions at the EU level.
Ireland, conversely, is working on its own implementation bill for NIS2, which is currently under review by parliamentary committees following previous delays linked to a national election. Concerns have arisen from civil liberties advocates regarding aspects of the proposed law, which some argue extend beyond the requirements of NIS2 and could impose significant surveillance measures.
On a positive note, the Netherlands is approaching compliance with NIS2. The Dutch parliament has made strides in passing the necessary legislation, with the Senate following shortly thereafter. The anticipated enforcement date is projected for mid-August, which could influence the Commission’s stance regarding the Netherlands and its previously imposed referral to the Court of Justice.
In addition to these developments, the European Union Agency for Cybersecurity (ENISA) has released recommendations aimed at assisting national authorities in addressing emerging challenges posed by AI-driven cyber threats. According to ENISA, entities covered under NIS2 will need to significantly enhance their defenses against sophisticated threats like adaptive phishing and supply-chain attacks, emphasizing the importance of rapid incident reporting to bridge existing gaps in vulnerability detection and coordinated responses.
