The European Commission has referred Ireland to the EU’s Court of Justice for failing to transpose a directive on cybersecurity into national law.
Spain, France, and the Netherlands have also been referred to the court, which can impose financial sanctions – including daily penalties until the commission is notified that the transposition is complete.
The NIS2 directive sets cybersecurity standards for entities operating in 18 critical sectors – including health, energy, transport, and the public sector.
Member states had until 17 October 2024 to transfer the measure into national law.
The referrals come after the commission sent letters of formal notice to the countries in late 2024, followed by reasoned opinions setting out its concerns in May 2025.
The Government published a draft bill to transpose the directive in 2024 and it was listed for priority publication in the summer legislative programme, which stated that “work is ongoing’ on the bill.