Ireland to be referred to EU Court of Justice for failing to implement cybersecurity directive
The EU Commission said members were given until October 17, 2024 to transpose the directive.
Ireland is to be taken to the European courts over its failure to implement a landmark EU cybersecurity directive.
The European Commission said its referral of four countries, including Ireland, to the Court of Justice of the European Union included a recommendation to impose fines.
In a statement, the commission said the Network and Information Security (NIS) 2 Directive strengthens cybersecurity across 18 critical sectors, including health, energy, and transport.
It said the directive does this by setting “high standards for entities” operating in these sectors.
“Its full implementation is key to improving the EU's resilience and the incident response capacity of public and private entities operating in these critical sectors, and of the EU as a whole,” the statement said.
It said that members were given until October 17, 2024 to transpose the directive.
“While most complied, Spain, France, Ireland, and the Netherlands have yet to notify full transposition,” the statement said.
It said the commission sent letters of formal notice on November 28, 2024 and reasoned opinions to the errant governments on May 7, 2025.
“The referrals include a request to the court to impose financial sanctions, consisting of a lump sum and daily penalties until notification of complete transposition,” the statement said.
The commission states that the NIS 2 Directive establishes “a unified legal framework” to uphold cybersecurity in the 18 critical sectors.
It also requires members to define national cybersecurity strategies and collaborate with the EU for “cross-border reaction and enforcement”.
In addition to the sectors covered by NIS 1 — energy, transport, healthcare, finance, water management and digital infrastructure — NIS 2 also applies to providers of public electronic communications, more digital services (such as social media platforms), waste and wastewater management, critical product manufacturing, postal and courier services, and public administration at both central and regional levels, as well as the space sector.
As a rule, medium-sized and large entities in these critical sectors will have to take appropriate cybersecurity risk-management measures and notify relevant national authorities of significant incidents, described as those that could cause significant disruption or damage.
The directive also includes provisions for supervision and enforcement, and introduces accountability of the top management for non-compliance with cybersecurity risk.
In Ireland, the National Cyber Security Bill is supposed to transpose NIS 2.
The general scheme of this bill was published in August 2024.
The Department of Justice told the in May that the full bill was at “a very advanced stage” and that a memo would go to the Cabinet shortly.
The bill also sets up the National Cyber Security Centre on a statutory basis, with significantly increased remit and powers.



