EU Cracks Down on Member States for NIS2 Directive Non-Compliance
The European Commission is taking legal action against Spain, France, Ireland, and the Netherlands for failing to implement the NIS2 Directive on cybersecurity.

The European Commission has initiated legal proceedings against four member states – Ireland, Spain, France, and the Netherlands – for their failure to transpose the Network and Information Security Directive (NIS2) into national law by the mandated deadline. This significant enforcement action underscores the EU's commitment to bolstering cybersecurity resilience across the bloc and signals a stricter approach to compliance.
The NIS2 Directive, which entered into force in January 2023, aims to enhance cybersecurity standards for critical infrastructure and essential services across 18 key sectors, including energy, transport, health, and cloud services. Member states were required to have national legislation implementing the directive in place by October 15, 2024. While many nations have since enacted their laws, the commission's action targets those that have lagged significantly, potentially exposing critical sectors to heightened cyber risks.
The commission has referred the case to the Court of Justice of the European Union, seeking a fine comprising a lump sum and daily penalties until the countries fully notify their transposition measures. This move highlights the directive's importance in establishing high cybersecurity standards and improving the EU's overall resilience and incident response capabilities.
In parallel, the commission has also opened infringement procedures against Spain, France, and Latvia for failing to enact national laws implementing the Digital Operational Resilience Act (DORA) regulation. DORA, which automatically applies across the EU since mid-January 2025, standardizes cybersecurity measures within the financial sector. While regulations are directly applicable, they often require national legislative adjustments for effective enforcement, particularly concerning administrative penalties and the powers of competent authorities.
Spain, France, and Latvia have a two-month period to respond to the commission's letters of formal notice. Failure to provide a satisfactory response could lead to further legal steps, including reasoned opinions and eventual referral to the Court of Justice, similar to the NIS2 non-compliance cases.
Delays in implementation appear to stem from complex legislative processes. France, for instance, is attempting to consolidate NIS2, DORA, and the Critical Entities Resilience Directive into a single legislative package, a process that has encountered unforeseen delays. Spain's government approved a draft NIS2 law in January 2025 but has yet to submit it to parliament, possibly awaiting further EU legislative developments.
Ireland's implementation of NIS2 is also facing scrutiny. While a bill was published in 2024, it is currently under parliamentary review. Civil liberties advocates have raised concerns that the proposed Irish legislation may exceed NIS2 requirements, granting broad surveillance powers to the National Cyber Security Centre.
The commission's robust enforcement actions against these member states demonstrate a clear intent to ensure that all EU countries meet their cybersecurity obligations. The successful and timely implementation of directives like NIS2 and regulations like DORA is crucial for building a cohesive and resilient digital single market, capable of withstanding the evolving landscape of cyber threats.