Ireland Referred to EU Court of Justice Over Delayed Cybersecurity Law

Ireland has been referred to the EU Court of Justice over delayed transposition of the NIS2 cybersecurity directive, the European Commission says.

Ireland Referred to EU Court of Justice Over Delayed Cybersecurity Law

The European Commission has referred Ireland, Spain, France and the Netherlands to the Court of Justice of the European Union for failing to notify measures transposing the NIS2 Directive on network and information systems security into national law.

The referral concerns Directive (EU) 2022/2555, known as NIS2, which strengthens cybersecurity requirements across the EU. The directive sets high standards for entities operating in 18 critical sectors, including health, energy, transport and the public sector. Its full implementation is intended to improve the resilience and incident response capacity of public and private bodies in these sectors, and of the EU as a whole.

Member States had until 17 October 2024 to transpose the directive into national law. While most complied, Ireland, Spain, France and the Netherlands have yet to notify complete transposition. The Commission sent letters of formal notice to the four countries on 28 November 2024, followed by reasoned opinions on 7 May 2025. As complete transposition has still not been notified, the Commission has now referred the matter to the Court of Justice.

The referral includes a request for the Court to impose financial sanctions on each country, comprising a lump sum and daily penalties, until complete transposition is notified.

As background, the Commission notes that on 20 January 2026, as part of a wider cybersecurity package, it proposed targeted amendments to the NIS2 Directive intended to provide greater legal clarity and make compliance easier for companies operating in the EU.

Follow our WhatsApp ChannelLive Alerts