The European Commission has referred France, Ireland, the Netherlands, and Spain to the Court of Justice of the European Union after the four countries failed to implement the NIS2 Directive before the October 2024 deadline.
The Commission says fully implementing the NIS2 Directive is essential to strengthen cybersecurity across the European Union and improve the ability of critical sectors to respond to cyber threats.
What Is the NIS2 Directive?
The NIS2 Directive, short for Network and Information Security Directive, replaces the EU’s original NIS framework with stricter cybersecurity requirements.
Its goal is to improve the digital resilience of organizations across Europe while creating a more consistent approach to protecting network and information systems.
The directive focuses on defending organizations against threats such as:
- Cyberattacks
- Ransomware
- Zero-day exploits
- Other attacks targeting critical digital infrastructure
New Cybersecurity Rules for Critical Sectors
Under the NIS2 Directive, both public and private organizations operating essential services must meet stronger cybersecurity obligations.
The rules apply to sectors including:
- Healthcare
- Energy
- Finance
- Digital infrastructure
- Public administration
Organizations covered by the directive must implement stronger security measures, report significant cyber incidents, and improve their overall cyber resilience.
The legislation also introduces a framework for sharing threat intelligence between EU member states and establishes a European vulnerability database to improve collective cyber defense.
Four Countries Missed the Deadline
EU member states had until October 2024 to transpose the NIS2 Directive into national law.
While most countries met the deadline, France, Ireland, the Netherlands, and Spain failed to complete the process on time.
As a result, the European Commission has referred all four countries to the Court of Justice of the European Union.
In a statement, the Commission said full implementation remains critical for improving incident response capabilities across both public and private organizations that operate essential services.
Netherlands Approves New Cybersecurity Law
Although the Netherlands missed the original deadline, lawmakers have now completed the legislative process.
The Dutch House of Representatives approved the Cybersecurity Act in April 2026, while the Senate passed the legislation earlier this week.
The new law incorporates the NIS2 Directive into Dutch national legislation and will officially take effect on August 15, 2026.
More Than 8,000 Organizations Must Comply
Once the legislation takes effect, more than 8,000 Dutch organizations must comply with the new cybersecurity requirements.
Affected organizations will need to strengthen security controls, improve incident reporting procedures, and meet the broader obligations introduced under the NIS2 Directive.
The Commission believes consistent implementation across all member states will strengthen Europe’s collective cyber defenses, improve information sharing, and create a more coordinated response to increasingly sophisticated cyber threats.


0 responses to “EU Sues Four Countries Over Delayed NIS2 Directive”