President of the European Investment Bank Nadia Maria Calvino Santamaria and the EU Commissioner for Tech Sovereignty, Security and Democracy Henna Virkkunen. Thierry Monasse/Getty Images

News

EU takes France and Spain to court over cybersecurity law delay

The directive sets common security standards for companies and public bodies operating in critical sectors across the EU.

Share

The European Commission has referred France and Spain to the European Union’s highest court for failing to bring in the bloc’s flagship cybersecurity law more than a year after the deadline passed.

Both governments stand accused of not writing the NIS2 Directive into national law. The directive sets common security standards for companies and public bodies operating in critical sectors across the EU.

The two countries now face financial penalties if the Court of Justice of the European Union (CJEU) rules against them. The court can impose lump-sum fines and daily charges on member states that ignore EU law.

NIS2 replaced an earlier 2016 directive and widened the rules to cover sectors such as energy, transport, banking, health, digital infrastructure and public administration. Member states were required to transpose it by October 17, 2024.

Most missed that deadline. Only four member states met it, leaving the bloc with a patchwork of cybersecurity rules that the Commission has spent more than a year trying to close.

The Commission opened infringement proceedings against 23 countries on November 28, 2024, sending formal warning letters. It escalated the case on May 7, 2025, issuing reasoned opinions to 19 governments that had still not complied, including France and Spain.

Referral to the CJEU is the final stage of that process. The court is the only body that can order a member state to pay for breaching EU law.

Spain has yet to enact its law. The Council of Ministers approved a draft cybersecurity bill in January 2025, though the final text has not been published and is expected to take effect during 2026.

France has followed a more complex route, folding the directive into a broader law on critical infrastructure that has not been fully promulgated.

The delays have left businesses in legal limbo. Industry groups have warned that firms operating across several member states face uncertainty over which obligations apply and when.

Once in force, NIS2 carries fines of up to €10 million or 2 per cent of global annual turnover for essential entities, with senior managers held personally liable.

The Commission has meanwhile sought to ease the burden. On January 20, 2026, it proposed amendments to simplify compliance, even as several governments were still struggling to adopt the original text.

What to read next

EU parliament votes to replicate Spain's consent rape law
News

EP votes to replicate Spain’s consent rape law – which freed more than 100 convicted sex offenders

France’s top officials and civil servants will ditch foreign‑owned messaging apps in favour of a home‑grown alternative, amid mounting concerns over cyber‑attacks and espionage. Getty
News

France orders officials to drop foreign messaging apps over cybersecurity fears

Leo XIV uses first address to Spain's parliament to send Europe a message
News

Pope Leo XIV uses first address to Spain’s parliament to send Europe a message on life

Madrid activates emergency plan for Pope Leo XIV's visit
News

Spain mobilises 15,000 police for Pope Leo XIV’s visit