There is a category of institutional failure that does not make the front page, does not trigger a press conference, and does not produce a single outraged headline on the day it occurs. It happens slowly, through missed deadlines, unprocessed correspondence, and the comfortable assumption that a law on paper is equivalent to a law in practice. The EU's NIS2 enforcement story is that category of failure, elevated to the level of a continent.

The NIS2 Directive, formally Directive 2022/2555, required every EU member state to transpose its cybersecurity obligations into national law by 17 October 2024. That deadline passed with 23 of 27 member states in breach. The European Commission has now referred France and Spain to the Court of Justice of the EU. What remains to examine is not just the legal procedure, but what the gap between the law that exists and the infrastructure that does not yet comply with it means for every organisation, government body, and individual whose data flows through European critical systems.

EU NIS2 enforcement

Status as of June 2026: France and Spain have been referred to the CJEU for failing to complete NIS2 transposition. France's legislative process remains active but not concluded. Spain is in a comparable position. Eight EU member states were still non-compliant as of March 2026. The Netherlands' Cyberbeveiligingswet is expected in Q2 2026 — making it one of the last major economies to complete the process.

What NIS2 Actually Requires

NIS2 directive sector scope

NIS2 is not a gentle suggestion. It is a legally binding directive that covers entities in 18 critical sectors including energy, transport, health, digital infrastructure, public administration, water and wastewater, financial market infrastructure, and manufacturing of critical products. It requires organisations in scope to implement risk management measures, maintain audit trails, report significant incidents within 24 hours, and demonstrate that their supply chains meet equivalent security standards.

It also introduced something the original NIS1 directive notably lacked: personal liability for senior management. Under NIS2, boards and executives of essential entities can be held directly responsible for cybersecurity failings. This is not a fine levied against a corporate entity that is absorbed as a cost of doing business. It is a mechanism for holding named individuals accountable.

NIS2 at a Glance — What the Directive Requires

Sectors covered18 critical sectors, public and private
Incident reporting window24 hours (initial), 72 hours (full)
Management liabilityPersonal — named executives, not just entities
Supply chain obligationsExtended to third-party suppliers
Estimated entities in scope (EU-wide)~160,000 organisations
Estimated entities in scope (France alone)15,000 to 18,000
Transposition deadline17 October 2024
States compliant by deadline4 of 27

The four member states that met the October 2024 deadline were Croatia, Belgium, Italy, and Hungary. The remaining 23 received letters of formal notice from the European Commission in November 2024. By May 2025, the Commission had escalated to reasoned opinions against 19 of those states. A reasoned opinion is the final procedural step before CJEU referral. It is, in EU infringement language, the last letter before the lawyers arrive.

The Enforcement Timeline

NIS2 enforcement escalation timeline

NIS2 Enforcement — Documented Sequence

Oct 2024
Deadline passes. Only 4 member states — Croatia, Belgium, Italy, Hungary — have fully transposed NIS2 into national law.
Nov 28, 2024
Letters of formal notice. European Commission opens infringement proceedings against 23 member states. Two months to comply or face escalation. Source: European Commission press release.
May 7, 2025
Reasoned opinions issued. 19 states still non-compliant receive the final pre-CJEU warning. Two further months to "respond and take necessary measures." Source: European Commission press release.
Jan 20, 2026
Commission proposes NIS2 amendments. Targeted changes to "increase legal clarity" and ease compliance for approximately 28,700 companies including 6,200 micro and small enterprises. Source: European Commission digital strategy page.
Mar 18, 2026
Eight states still non-compliant. Ireland, Spain, France, Bulgaria, Luxembourg, Netherlands, Portugal and Sweden identified by the Commission as still failing. Source: Infosecurity Magazine.
2026
CJEU referral. France and Spain referred to the Court of Justice of the EU. Financial penalties now possible. Source: Politico EU.

The Netherlands appeared on the March 2026 non-compliant list. The Cyberbeveiligingswet, the Dutch national implementation, was submitted to the House of Representatives in June 2025 and was expected to enter into force in Q2 2026. That window has now closed, or is closing, depending on when this piece is read. The Dutch NCSC published a control framework in anticipation. The legal reality, however, is that for a significant portion of the period during which the Odido breach occurred, the Wbni framework rather than the full NIS2 obligations governed Dutch operators.

This is not a technicality. It is the gap between where the law was supposed to be and where it actually was when attackers were already through the door.

The Connection to What ETH Has Already Documented

NIS2 compliance gap between directive and national law

This article does not stand alone. It is the regulatory layer that connects the pattern of evidence ETH has been building across multiple investigations.

The Odido breach investigation happened inside that compliance gap. ShinyHunters walked into a Salesforce CRM environment using voice phishing, exfiltrated data on an estimated six to eight million customers, and had the data in hand before anyone noticed. The breach involved IBANs, passport numbers, dates of birth, and plaintext verification codes. The NIS2 obligation to protect exactly this class of data in exactly this class of operator was technically still pending in Dutch national law on the day it happened.

The Opt-In Illusion documented how consent architecture is used to create the appearance of legal compliance while the practical reality is systematic data harvesting. NIS2's supply chain obligations directly address the third-party data flows that piece examined. When a Dutch government body contracts its infrastructure to Solvinity, which is acquired by Kyndryl, which is a US entity subject to the CLOUD Act, the NIS2 question is not academic. It is: does this supply chain meet the directive's security standards, and who is verifying that?

The EU Wall examined the regulatory convergence across cash, VPN, chat scanning, and digital identity. NIS2 is part of the same architecture — the legislative layer beneath the infrastructure controls that article traced. The compliance gap documented here is the soft underbelly of that convergence: the EU builds the wall of regulation while member states leave the gates unmanned.

The EU builds the regulatory architecture. Member states are supposed to enforce it. When they do not, the gap is not theoretical. It is the exact space where breaches happen, where data moves without accountability, and where institutional assurances dissolve on contact with reality.

Where Each Major Economy Stands

EU member states NIS2 compliance status

As of the most recently verified data, the transposition landscape across key EU economies looks as follows:

Belgium
Transposed on time
Croatia
Transposed on time
Italy
Transposed on time
Hungary
Transposed on time
Germany
Transposed (late, 2025)
Netherlands
Cyberbeveiligingswet — Q2 2026
France
CJEU referral
Spain
CJEU referral
Ireland
Still pending (Mar 2026)
Portugal
Still pending (Mar 2026)
Sweden
Still pending (Mar 2026)
Luxembourg
Still pending (Mar 2026)

What the CJEU Can Actually Do

When the European Commission refers a member state to the Court of Justice of the EU for failing to transpose a directive, the court can impose financial penalties. These are not symbolic. In precedent cases involving other directives, daily penalty payments have been levied against member states until compliance is achieved. The size of the penalty is calculated based on the severity of the breach, the duration of non-compliance, and the member state's ability to pay.

For France, with an estimated 15,000 to 18,000 entities that would fall under NIS2 scope, and with French critical infrastructure operators currently operating without the full legal framework NIS2 was designed to provide, the gap between paper and practice is not a bureaucratic inconvenience. It is a live security risk for those organisations and the populations they serve.

The Commission's January 2026 proposal to amend NIS2 to "increase legal clarity" and ease compliance for smaller entities is relevant context here. It suggests the Commission recognises that the directive as originally drafted created implementation friction that contributed to the delays. This does not excuse 19 member states missing a binding deadline. It does suggest the enforcement picture is more complex than a simple failure of political will.

The Question That Does Not Have a Comfortable Answer

EU directive on paper versus enforcement in practice

ETH does not specialise in comfortable answers. So the question worth sitting with is this: if the primary EU directive designed to protect critical infrastructure across 27 member states could not achieve basic transposition compliance after a 24-month implementation window, what does that imply about the credibility of the regulatory promises being made across the rest of the EU's digital legislative programme?

NIS2 is not the only directive in this category. DORA, the Digital Operational Resilience Act for financial entities, has its own compliance challenges. The AI Act, the eIDAS 2.0 framework, the Data Act — each carries the same structural dependency: member states must translate Brussels law into domestic law, domestic regulators must enforce it against domestic entities, and the gap between directive adoption and actual practice is where risk lives.

The Odido breach happened in that gap. The DigiD infrastructure questions raised in the Opt-In Illusion exist in that gap. The regulatory convergence documented in the EU Wall is being built on top of that gap. The court cases now proceeding against France and Spain are the first direct institutional acknowledgement that the gap is real, measurable, and legally consequential.

What the Commission cannot do is sue the gap itself. It can sue the states that failed to close it. It is doing exactly that. Whether that produces the outcome the directive was designed to achieve is a question that will be answered not in the courtroom, but in the security posture of organisations that still do not know whether they are in scope, which national authority supervises them, and what their obligations actually are.

Legenda

Key terms used in this article, with links to primary sources where available.

NIS2 — Network and Information Security Directive 2
EU Directive 2022/2555. Required transposition into national law by 17 October 2024. Covers 18 critical sectors. Introduces personal management liability. European Commission page →
Transposition
The process by which EU member states convert a directive into their own national law. Unlike EU regulations, which apply automatically, directives require each state to legislate. The gap between directive adoption and national transposition is where NIS2's enforcement problem lives.
Letter of Formal Notice
The first step in the EU's infringement procedure. Sent by the Commission to a member state in breach. The state has two months to respond before escalation to a reasoned opinion.
Reasoned Opinion
The second and final step before CJEU referral. The Commission explains in detail why the state is in breach. Two months to comply or face court action.
CJEU — Court of Justice of the European Union
The EU's highest court. Can impose daily financial penalties on member states until compliance is achieved. curia.europa.eu →
Cyberbeveiligingswet
The Dutch national implementation of NIS2. Expected to enter into force Q2 2026. Prior to this, the Wbni (Wet beveiliging netwerk- en informatiesystemen) governed Dutch critical infrastructure operators. Rijksoverheid →
Essential Entity vs Important Entity
NIS2's two-tier classification. Essential entities (large operators in high-criticality sectors) face stricter supervision and higher penalties. Important entities face lighter-touch oversight. The distinction affects which national authority supervises you and what proactive audits you can expect.
DORA — Digital Operational Resilience Act
A parallel EU regulation for financial entities. Entered into force January 2025. Shares NIS2's logic but applies specifically to banks, insurers, and financial market infrastructure, with its own compliance timeline and supervisory architecture.
ENISA
The EU Agency for Cybersecurity. Tracks NIS2 transposition status, publishes technical guidance, and coordinates cross-border incident response across member states. enisa.europa.eu →

Sources & Primary References

  1. European Commission press release, 28 November 2024: Letters of formal notice to 23 member states
  2. European Commission press release, 7 May 2025: Reasoned opinions to 19 member states
  3. European Commission, 20 January 2026: Proposed NIS2 amendments for legal clarity
  4. Infosecurity Magazine, 18 March 2026: Eight countries face EU action over NIS2 failings — Ireland, Spain, France, Bulgaria, Luxembourg, Netherlands, Portugal, Sweden
  5. Politico EU: EU to take France and Spain to court over NIS2 delay
  6. Wavestone NIS2 transposition tracker, updated January 2026: wavestone.com
  7. NIS2 Directive transposition — France, nis-2-directive.com, updated March 12, 2026
  8. ECSO NIS2 Directive Transposition Tracker: ecs-org.eu
  9. ETH, February 24, 2026: The Open Door. What the Odido Breach Tells Us About Cyber Complacency.
  10. ETH, April 25, 2026: The Opt-In Illusion
  11. ETH, May 9, 2026: The Wall They Are Building

Is Your Organisation in Scope?

NIS2 covers 18 critical sectors across the EU. Once your member state completes transposition, compliance obligations apply. ENISA publishes sector-specific guidance and the Commission maintains a public transposition tracker.

ENISA NIS2 Resources → Follow ETH on X →