The European Commission has referred France, Ireland, the Netherlands, and Spain to the Court of Justice of the European Union after the four countries failed to implement the NIS2 cybersecurity directive within the required deadline. The directive was due to be transposed into national law by October 17, 2024, but the four member states have yet to complete the process.
NIS2 is the European Union’s updated cybersecurity framework aimed at strengthening the protection of organizations operating in critical sectors. The rules apply to industries including healthcare, energy, finance, transport, digital infrastructure, public administration, and telecommunications, requiring organizations to adopt stronger cybersecurity measures and report significant cyber incidents.
The European Commission said the directive is essential for improving the resilience of both public and private organizations against cyber threats. It also establishes closer cooperation between EU member states through information sharing and coordinated incident response, while introducing stricter risk management and reporting obligations for affected entities.
By referring the four countries to the EU’s highest court, the Commission is seeking to enforce compliance with the bloc’s cybersecurity legislation. If the Court of Justice rules against the member states and they continue to delay implementation, they could face financial penalties.
Most other EU countries have already adopted national legislation implementing the directive. The Netherlands, however, recently made progress after both chambers of parliament approved the country’s Cybersecurity Act, which incorporates the NIS2 requirements into Dutch law. The legislation is expected to take effect on August 15, bringing more than 8,000 Dutch organizations under the new cybersecurity framework.
Once implemented, NIS2 will require covered organizations to strengthen their cybersecurity governance, improve supply chain security, establish incident response procedures, and report significant cyber incidents within prescribed timeframes. Company executives may also face increased accountability for cybersecurity oversight under the directive’s governance requirements.