The European Commission has referred France and Spain to the European Union’s highest court for failing to bring in the bloc’s flagship cybersecurity law more than a year after the deadline passed.
Both governments stand accused of not writing the NIS2 Directive into national law. The directive sets common security standards for companies and public bodies operating in critical sectors across the EU.
The two countries now face financial penalties if the Court of Justice of the European Union (CJEU) rules against them. The court can impose lump-sum fines and daily charges on member states that ignore EU law.
NIS2 replaced an earlier 2016 directive and widened the rules to cover sectors such as energy, transport, banking, health, digital infrastructure and public administration. Member states were required to transpose it by October 17, 2024.
Most missed that deadline. Only four member states met it, leaving the bloc with a patchwork of cybersecurity rules that the Commission has spent more than a year trying to close.
The Commission opened infringement proceedings against 23 countries on November 28, 2024, sending formal warning letters. It escalated the case on May 7, 2025, issuing reasoned opinions to 19 governments that had still not complied, including France and Spain.
Referral to the CJEU is the final stage of that process. The court is the only body that can order a member state to pay for breaching EU law.
Spain has yet to enact its law. The Council of Ministers approved a draft cybersecurity bill in January 2025, though the final text has not been published and is expected to take effect during 2026.
France has followed a more complex route, folding the directive into a broader law on critical infrastructure that has not been fully promulgated.
The delays have left businesses in legal limbo. Industry groups have warned that firms operating across several member states face uncertainty over which obligations apply and when.
Once in force, NIS2 carries fines of up to €10 million or 2 per cent of global annual turnover for essential entities, with senior managers held personally liable.
The Commission has meanwhile sought to ease the burden. On January 20, 2026, it proposed amendments to simplify compliance, even as several governments were still struggling to adopt the original text.
