On July 9, 2026, the European Commission referred Ireland, Spain, France, and the Netherlands to the Court of Justice of the European Union for failing to transpose the NIS2 Directive (Directive (EU) 2022/2555) into national law. The transposition deadline was 17 October 2024. The four member states are now more than twenty months late, and the Commission has moved past warnings: it is asking the Court to impose a lump sum and daily penalty payments on each country, running until each one notifies complete transposition.

These are the first NIS2 cases to reach the Court. The Commission opened infringement procedures against 23 member states in November 2024, narrowed the list to 19 reasoned opinions on 7 May 2025, and has now escalated against the four that still cannot show a finished law. The defendants are not peripheral economies: Ireland hosts the European headquarters of much of the global technology sector, France and Spain are the EU’s second- and fourth-largest economies, and the Netherlands is one of Europe’s densest digital-infrastructure hubs. Between them, the four account for tens of thousands of entities that NIS2 was written to cover — and that today, in a strict legal sense, still have no national NIS2 law to comply with.

That last sentence is where this story stops being about governments and starts being about companies. The financial penalties, if imposed, will be paid out of national treasuries. The operational consequences of twenty months of legal limbo — fragmented obligations for cross-border groups, registration deadlines that will land with little warning, supervisors expecting day-one maturity — are paid by the private sector. This article covers the referral, the state of play in each country, the penalty mechanics under Article 260(3) TFEU, and the answer to the question every covered entity in these jurisdictions is asking: do we wait for the law, or build now? The answer is build now.

What the Commission Did

The Commission’s press release (IP/26/1499) is short and procedural, but the substance is significant. The Commission decided to refer the four member states to the Court of Justice for failing to notify measures fully transposing NIS2, and — critically — it coupled the referral with a request for financial sanctions: a lump sum reflecting the period of non-compliance already elapsed, plus a daily penalty payment accruing from the Court’s judgment (or, if the Court so orders, from an earlier date) until transposition is complete and notified.

The Commission’s framing emphasizes what is at stake: NIS2 lays down cybersecurity risk-management and incident-reporting obligations across 18 critical sectors — including health, energy, transport, digital infrastructure, and public administration — and its purpose is a high common level of cybersecurity across the Union. Every member state that has not transposed it is a soft spot in a shared perimeter. The Commission has spent 2026 arguing that European cybersecurity is a single fabric — it proposed a major revision of the Cybersecurity Act and targeted NIS2 simplification amendments on January 20, 2026, which we analyzed when the package landed — and a referral with penalties attached is the enforcement counterpart of that argument.

How We Got Here: The Timeline

The procedural history matters, because it shows how much patience preceded this escalation — and how little runway the four states have left.

  • 16 January 2023 — NIS2 enters into force at EU level.
  • 17 October 2024 — Deadline for member states to adopt and publish national transposition measures. Only a handful meet it.
  • 28 November 2024 — The Commission opens infringement procedures, sending letters of formal notice to 23 member states that had not fully transposed the directive.
  • 7 May 2025 — The Commission sends reasoned opinions to 19 member states — including Ireland, Spain, France, and the Netherlands — giving them two months to complete transposition.
  • January 2026 — By this point, roughly 20 of 27 member states have completed transposition. The stragglers are shrinking in number but not accelerating in pace.
  • 9 July 2026 — The Commission refers the four remaining laggards among the reasoned-opinion group that could not demonstrate completion to the Court of Justice, requesting lump sums and daily penalties.

Twenty months of non-transposition is not a technicality. It is two full budget cycles in which entities in four major economies could lawfully defer investment their competitors elsewhere in the EU were legally required to make. The escalation is as much about restoring a level playing field as it is about cybersecurity.

The Four Countries: Where Each One Actually Stands

The four defendants are not equally delinquent. One of them arguably finished the race two days before the referral was filed. The differences matter for planning.

The Netherlands: finished, but not fast enough

The Dutch case is the strangest of the four. The Cyberbeveiligingswet — the Dutch NIS2 implementation law — passed the Tweede Kamer on 15 April 2026 and was adopted by the Eerste Kamer on 7 July 2026, roughly forty-eight hours before the Commission’s referral was announced. The law is slated to enter into force on 15 August 2026, alongside its companion Wet weerbaarheid kritieke entiteiten (transposing the CER Directive), and it comes with a detail that should focus minds: no transition period. It will apply to an estimated 8,000-plus organizations directly, with supply-chain effects reaching tens of thousands of suppliers, and covered entities are expected to register with the national CSIRT apparatus via the NCSC portal.

For Dutch entities, the referral is close to moot — the Commission typically withdraws cases once transposition is notified, and the Netherlands will likely notify within weeks. But the Dutch endgame is the cleanest illustration of the trap this article is about: after twenty months of “the law isn’t in force yet,” Dutch entities now face a statute that arrives at full strength on a fixed date with no grace period. Organizations that treated the delay as a compliance holiday have five weeks left.

Ireland: committee stage, with a Presidency deadline

Ireland’s National Cyber Security Bill — which transposes NIS2, puts the National Cyber Security Centre (NCSC) on a statutory footing, assigns competent-authority functions across sectoral regulators, designates CSIRT-IE, and establishes the enforcement and penalty framework — was still at committee stage in the Oireachtas as of June 2026. The 2024 general election disrupted the original legislative timetable, and the bill has moved slowly since.

The Minister for Justice, Home Affairs and Migration has indicated Ireland expects to notify transposition by the end of 2026, and there is an added political incentive: Ireland holds the EU Council Presidency in the second half of 2026, and presiding over the Council while being litigated for non-transposition of the EU’s flagship cybersecurity directive is not a look Dublin wants to sustain. For companies, the realistic planning assumption is an enacted Irish law in Q4 2026, with commencement and registration obligations following quickly. Ireland’s exposure is amplified by its role as EU home to a large share of the global technology sector — many of the multinationals headquartered there are in NIS2’s digital-infrastructure and ICT-service-management sectors and have been complying with other member states’ transpositions for over a year already.

France: a bill stuck in parliament

France is, on current evidence, the furthest from the finish line among the four. The projet de loi relatif à la résilience des infrastructures critiques et au renforcement de la cybersécurité — a combined transposition of NIS2, CER, and DORA-adjacent provisions — was adopted by the Senate in March 2025 and has been stalled in the legislative process since, with final adoption repeatedly slipping. As of late June 2026 the law had not been adopted, and the bill did not appear on the agenda of the extraordinary parliamentary session opening 1 July 2026. Reporting attributes part of the blockage to a contentious debate over encryption-related provisions attached to the legislative vehicle — a dispute that has little to do with NIS2’s substance but everything to do with its timetable.

In the vacuum, ANSSI has done what a regulator can do without a statute: it published version 2.5 of its Référentiel Cyber France (ReCyF) in March 2026, setting out the recommended technical measures for meeting the directive’s security objectives, and it operates the MonEspaceNIS2 portal so entities can assess their status. French entities therefore have detailed technical expectations available today, with the legal obligations still pending — an inversion that makes waiting even harder to defend.

Spain: approved by the government, still not in parliament’s hands as law

Spain’s Anteproyecto de Ley de Coordinación y Gobernanza de la Ciberseguridad was approved by the Council of Ministers on 14 January 2025. It is an ambitious text — it merges NIS2 transposition with the CER (Critical Entities Resilience) framework and restructures national cyber governance around a new Centro Nacional de Ciberseguridad. But ambition has not translated into enactment: as of mid-2026 the law had not completed the parliamentary process and had not been published in the BOE, despite the government granting the bill urgent legislative status. Spain’s fragmented parliamentary arithmetic makes forecasting risky, but the referral — and the daily penalties it seeks — is designed precisely to change the political calculus in Madrid.

The Compliance Paradox: What Non-Transposition Means for Companies

Here is the legal position, stated plainly, and then the reasons it is a trap.

A directive that has not been transposed generally cannot be enforced against private parties. Directives bind member states as to results; they become enforceable against companies through national implementing law. It is settled EU doctrine that a member state cannot invoke its own failure to transpose a directive to impose obligations on individuals or companies — there is no “inverse vertical direct effect.” So an essential entity in France or Spain today cannot be fined under NIS2 as such by a national authority for lacking multi-factor authentication or missing a 24-hour early warning. In four member states, the EU’s flagship cybersecurity law is — domestically, formally — a dead letter for now.

Anyone who converts that legal observation into a business decision to wait is making a serious mistake, for at least five reasons.

1. The old law never went away. All four countries transposed the original NIS Directive of 2016. Ireland’s 2018 NIS regulations, France’s loi NIS, Spain’s Real Decreto-ley 12/2018, and the Dutch Wbni all remain in force and enforceable. Operators of essential services and digital service providers under those regimes have live security and incident-notification obligations today. Non-transposition of NIS2 is a gap between the old baseline and the new one — not an absence of law.

2. Direct effect is not entirely off the table — sideways. While NIS2 cannot be enforced against companies without transposition, sufficiently clear directive provisions can be invoked by private parties against the state and its emanations, and national courts must interpret existing national law in conformity with the directive wherever possible. In practical terms: procurement disputes, negligence litigation after an incident, and supervisory interpretation of existing NIS1-era duties can all be colored by NIS2’s standards well before a transposition statute exists. Courts and regulators read the directive as the definition of the current state of the art. So will plaintiffs.

3. Cross-border groups never had the option of waiting. A company operating in twenty member states does not get to run its French and Irish subsidiaries to a 2018 standard while its German, Belgian, and Italian entities comply with NIS2 transpositions that took effect in 2024-2025. Group-level security architectures, incident-reporting pipelines, and supplier requirements are built once, to the strictest applicable standard. For any multinational, the four laggard states were already inside a NIS2-shaped program; the referral changes nothing except the urgency of the last-mile local registrations. And sectoral EU regulations — DORA for financial entities above all, which applies directly without transposition — have been enforceable in all four countries since January 2025 regardless, a dynamic we examined in our analysis of NIS2’s October 2026 milestones and management-body liability.

4. When the law lands, it lands fast — and supervisors will not grade on a curve. The Dutch precedent is instructive: adoption on July 7, entry into force August 15, no transition period, registration obligations immediate. Late-transposing states do not add grace periods to compensate for their own delay; if anything, political pressure to demonstrate compliance to the Commission pushes the other way. Entities in Ireland, France, and Spain should expect the same pattern — a compressed interval between enactment and applicability, with registration windows measured in weeks and supervisory expectations calibrated to a directive that has been public since December 2022. “We were waiting for the national law” will be received by supervisors the way “we were waiting for the exam date” is received by examiners.

5. The directive’s core obligations are already fixed and knowable. Nothing that matters to an implementation program is uncertain. The scope — 18 sectors across Annexes I and II, split between essential and important entities, generally capturing organizations at or above the medium-size threshold plus certain critical entities regardless of size — is set by the directive. The Article 21 minimum measures are set: risk analysis and security policies; incident handling; business continuity, backup, and crisis management; supply-chain security; secure development and vulnerability handling; effectiveness assessment; cyber hygiene and training; cryptography; access control and asset management; and multi-factor authentication and secured communications. The Article 23 reporting cadence is set: an early warning within 24 hours of awareness of a significant incident, an incident notification within 72 hours, and a final report within one month. The Article 20 governance duties — management bodies approving and overseeing risk measures, and training for it — are set, backed by penalty ceilings of €10 million or 2% of worldwide turnover for essential entities and €7 million or 1.4% for important entities, plus personal accountability mechanisms. National transpositions adjust the machinery — which regulator, which registration portal — not the substance. A company that implements to the directive baseline today will need days, not months, of adjustment when the national statute arrives.

That is the paradox resolved: the obligations are not yet enforceable in four countries, and it makes almost no commercial or legal sense to behave as if that matters.

Article 260(3) TFEU: How the Penalties Work

The referral’s teeth come from Article 260(3) of the Treaty on the Functioning of the European Union, a provision designed for exactly this scenario. Normally, financial penalties against a member state require two rounds of litigation: a first judgment finding infringement (Article 258), then a second case for non-compliance with that judgment (Article 260(2)). Article 260(3) short-circuits this for one specific offense — failure to notify measures transposing a legislative directive — by allowing the Commission to request financial penalties in the first referral. One case, one judgment, penalties attached.

The Commission is requesting both available instruments:

  • A lump sum, which sanctions the period of non-compliance that has already elapsed — here, running from the October 2024 deadline. Lump sums are calculated from a standard formula combining a flat rate, a seriousness coefficient, the duration of the infringement, and an “n” factor reflecting the member state’s GDP and institutional weight — which means France’s exposure is calculated on a much larger base than Ireland’s. Each member state also has a minimum lump sum floor, so even immediate compliance after referral does not necessarily zero out the bill.
  • A daily penalty payment, which accrues until the member state notifies complete transposition. Its function is coercive rather than punitive: every day the national law is not finished has an explicit price. The Court may impose the penalty from the date of its judgment and cannot exceed the amount the Commission specified.

Historical practice softens the picture somewhat: member states referred under Article 260(3) usually complete transposition during the proceedings, and the Commission then withdraws the case or the lump sum lands at the lower end. The Netherlands will very likely exit this way; Ireland intends to. But the mechanism has force precisely because governments know the meter is running — and for companies, that coercive pressure is the most reliable predictor that the remaining national laws will now move quickly. The referral is, paradoxically, the best evidence yet that entities in France and Spain are closer to a binding national law than the parliamentary calendars suggest.

One more consequence deserves attention. When these late transpositions arrive under litigation pressure, they will arrive into a regulatory environment already debating simplification — EU data protection regulators have publicly backed streamlining NIS2’s compliance and reporting requirements, and the Commission’s January 2026 amendment package points the same direction. Late-country entities may find themselves implementing the original directive’s requirements just as Brussels refines them. That is untidy, but it is not a reason to wait: the Article 21 and Article 23 core is stable across every reform proposal on the table.

What Covered Entities in the Four Countries Should Do Now

For essential and important entities in Ireland, Spain, and France — and for Dutch entities staring at August 15 — the program is the same, and it is the cheapest available path: implement to the directive baseline now, and treat the national statute as a configuration step.

  1. Settle your scoping question this quarter. Map every group entity in the four countries against the 18 sectors of Annexes I and II and the size thresholds, and classify each as essential, important, or out of scope. Do the same for EU establishments elsewhere — the main-establishment rules determine which regulator leads for digital-infrastructure and ICT providers. If you have not done this by mid-2026, you are behind entities in the 23 transposed states by more than a year.
  2. Implement the Article 21 measures as your floor. All ten measure families, evidenced. Where national guidance already exists — ANSSI’s ReCyF in France, NCSC guidance in Ireland and the Netherlands, the CCN’s corpus in Spain — align to it, because it previews the supervisory expectations that the statute will formalize.
  3. Build the Article 23 reporting pipeline before you are asked for it. A 24-hour early warning is an operational capability, not a policy. Decide today who detects, who qualifies “significant,” who drafts, and who submits — and wire the workflow so that inserting the national CSIRT’s portal endpoint is the only change needed at transposition.
  4. Watch the registration windows. Entity registration is the first concrete obligation each national law will impose, and the Dutch example shows the interval can be weeks. Assign an owner now to monitor the Oireachtas bill, the French projet de loi, and the Spanish parliamentary process, with a pre-approved playbook for registration day.
  5. Put the management body on notice — formally. Article 20 makes cyber risk oversight a personal duty of directors, with training obligations and liability exposure that national laws (Ireland’s bill included) are carrying through. Boards of entities in the four countries should approve the risk-management framework now, minute it, and complete training before the national law makes it mandatory. Our management-liability readiness analysis sets out the failure modes supervisors elsewhere in the EU are already acting on.
  6. Push the baseline into the supply chain. Article 21(2)(d) makes supplier security your problem. Entities in transposed member states are already flowing NIS2 requirements into contracts with Irish, French, Spanish, and Dutch vendors — if you are such a vendor, NIS2 has been reaching you through procurement for a year regardless of what your parliament has done.

Conclusion

The July 9 referral is a story about four governments, but its lesson belongs to companies. For twenty months, entities in Ireland, Spain, France, and the Netherlands have operated in a legal gap that looked like a reprieve: obligations visible on the horizon, none of them domestically enforceable. The Commission has now attached a daily price to that gap, and the endgame is predictable — the Netherlands has already legislated, Ireland has promised delivery under its Council Presidency, and France and Spain now face the specific pressure that Article 260(3) exists to generate. The national laws are coming, they are coming faster because of this referral, and the Dutch precedent shows how they arrive: on a fixed date, at full strength, with no transition period.

The economics of the decision facing covered entities were never close. The directive’s requirements have been fixed since December 2022, and the cost of implementing them on a planned, multi-quarter schedule is a fraction of the cost of doing it in the panicked weeks between enactment and a registration deadline — to say nothing of doing it after an incident, in front of a supervisor asking why an obligation published four years earlier came as a surprise. The four governments ran out of road on July 9. The companies they regulate should act as if they already have.

Sources: European Commission — Commission refers Ireland, Spain, France and the Netherlands to the Court of Justice (IP/26/1499), The Record — EU takes member states to court over unimplemented cybersecurity law, European Commission — Commission calls on 19 Member States to fully transpose the NIS2 Directive (May 2025), European Commission — NIS2 Directive transposition tracker, Silicon Republic — Commission refers Ireland to CJEU for failing to enact cyber rules, IAPP — NIS2 and Ireland’s National Cyber Security Bill, Legiscope — Transposition NIS2 en France : loi, calendrier 2026, DSN — Anteproyecto de Ley de Coordinación y Gobernanza de la Ciberseguridad, NCSC-NL — De Cyberbeveiligingswet in laatste fase van vaststelling

This article is provided for informational purposes only and does not constitute legal advice.