There is a category of institutional failure that does not make the front page, does not trigger a press conference, and does not produce a single outraged headline on the day it occurs. It happens slowly, through missed deadlines, unprocessed correspondence, and the comfortable assumption that a law on paper is equivalent to a law in practice. The EU's NIS2 enforcement story is that category of failure, elevated to the level of a continent.
The NIS2 Directive, formally Directive 2022/2555, required every EU member state to transpose its cybersecurity obligations into national law by 17 October 2024. That deadline passed with 23 of 27 member states in breach. The European Commission has now referred France and Spain to the Court of Justice of the EU. What remains to examine is not just the legal procedure, but what the gap between the law that exists and the infrastructure that does not yet comply with it means for every organisation, government body, and individual whose data flows through European critical systems.
Status as of June 2026: France and Spain have been referred to the CJEU for failing to complete NIS2 transposition. France's legislative process remains active but not concluded. Spain is in a comparable position. Eight EU member states were still non-compliant as of March 2026. The Netherlands' Cyberbeveiligingswet is expected in Q2 2026 — making it one of the last major economies to complete the process.
What NIS2 Actually Requires
NIS2 is not a gentle suggestion. It is a legally binding directive that covers entities in 18 critical sectors including energy, transport, health, digital infrastructure, public administration, water and wastewater, financial market infrastructure, and manufacturing of critical products. It requires organisations in scope to implement risk management measures, maintain audit trails, report significant incidents within 24 hours, and demonstrate that their supply chains meet equivalent security standards.
It also introduced something the original NIS1 directive notably lacked: personal liability for senior management. Under NIS2, boards and executives of essential entities can be held directly responsible for cybersecurity failings. This is not a fine levied against a corporate entity that is absorbed as a cost of doing business. It is a mechanism for holding named individuals accountable.
NIS2 at a Glance — What the Directive Requires
The four member states that met the October 2024 deadline were Croatia, Belgium, Italy, and Hungary. The remaining 23 received letters of formal notice from the European Commission in November 2024. By May 2025, the Commission had escalated to reasoned opinions against 19 of those states. A reasoned opinion is the final procedural step before CJEU referral. It is, in EU infringement language, the last letter before the lawyers arrive.
The Enforcement Timeline
NIS2 Enforcement — Documented Sequence
The Netherlands appeared on the March 2026 non-compliant list. The Cyberbeveiligingswet, the Dutch national implementation, was submitted to the House of Representatives in June 2025 and was expected to enter into force in Q2 2026. That window has now closed, or is closing, depending on when this piece is read. The Dutch NCSC published a control framework in anticipation. The legal reality, however, is that for a significant portion of the period during which the Odido breach occurred, the Wbni framework rather than the full NIS2 obligations governed Dutch operators.
This is not a technicality. It is the gap between where the law was supposed to be and where it actually was when attackers were already through the door.
The Connection to What ETH Has Already Documented
This article does not stand alone. It is the regulatory layer that connects the pattern of evidence ETH has been building across multiple investigations.
The Odido breach investigation happened inside that compliance gap. ShinyHunters walked into a Salesforce CRM environment using voice phishing, exfiltrated data on an estimated six to eight million customers, and had the data in hand before anyone noticed. The breach involved IBANs, passport numbers, dates of birth, and plaintext verification codes. The NIS2 obligation to protect exactly this class of data in exactly this class of operator was technically still pending in Dutch national law on the day it happened.
The Opt-In Illusion documented how consent architecture is used to create the appearance of legal compliance while the practical reality is systematic data harvesting. NIS2's supply chain obligations directly address the third-party data flows that piece examined. When a Dutch government body contracts its infrastructure to Solvinity, which is acquired by Kyndryl, which is a US entity subject to the CLOUD Act, the NIS2 question is not academic. It is: does this supply chain meet the directive's security standards, and who is verifying that?
The EU Wall examined the regulatory convergence across cash, VPN, chat scanning, and digital identity. NIS2 is part of the same architecture — the legislative layer beneath the infrastructure controls that article traced. The compliance gap documented here is the soft underbelly of that convergence: the EU builds the wall of regulation while member states leave the gates unmanned.
The EU builds the regulatory architecture. Member states are supposed to enforce it. When they do not, the gap is not theoretical. It is the exact space where breaches happen, where data moves without accountability, and where institutional assurances dissolve on contact with reality.
Where Each Major Economy Stands
As of the most recently verified data, the transposition landscape across key EU economies looks as follows:
What the CJEU Can Actually Do
When the European Commission refers a member state to the Court of Justice of the EU for failing to transpose a directive, the court can impose financial penalties. These are not symbolic. In precedent cases involving other directives, daily penalty payments have been levied against member states until compliance is achieved. The size of the penalty is calculated based on the severity of the breach, the duration of non-compliance, and the member state's ability to pay.
For France, with an estimated 15,000 to 18,000 entities that would fall under NIS2 scope, and with French critical infrastructure operators currently operating without the full legal framework NIS2 was designed to provide, the gap between paper and practice is not a bureaucratic inconvenience. It is a live security risk for those organisations and the populations they serve.
The Commission's January 2026 proposal to amend NIS2 to "increase legal clarity" and ease compliance for smaller entities is relevant context here. It suggests the Commission recognises that the directive as originally drafted created implementation friction that contributed to the delays. This does not excuse 19 member states missing a binding deadline. It does suggest the enforcement picture is more complex than a simple failure of political will.
The Question That Does Not Have a Comfortable Answer
ETH does not specialise in comfortable answers. So the question worth sitting with is this: if the primary EU directive designed to protect critical infrastructure across 27 member states could not achieve basic transposition compliance after a 24-month implementation window, what does that imply about the credibility of the regulatory promises being made across the rest of the EU's digital legislative programme?
NIS2 is not the only directive in this category. DORA, the Digital Operational Resilience Act for financial entities, has its own compliance challenges. The AI Act, the eIDAS 2.0 framework, the Data Act — each carries the same structural dependency: member states must translate Brussels law into domestic law, domestic regulators must enforce it against domestic entities, and the gap between directive adoption and actual practice is where risk lives.
The Odido breach happened in that gap. The DigiD infrastructure questions raised in the Opt-In Illusion exist in that gap. The regulatory convergence documented in the EU Wall is being built on top of that gap. The court cases now proceeding against France and Spain are the first direct institutional acknowledgement that the gap is real, measurable, and legally consequential.
What the Commission cannot do is sue the gap itself. It can sue the states that failed to close it. It is doing exactly that. Whether that produces the outcome the directive was designed to achieve is a question that will be answered not in the courtroom, but in the security posture of organisations that still do not know whether they are in scope, which national authority supervises them, and what their obligations actually are.
Legenda
Key terms used in this article, with links to primary sources where available.
Sources & Primary References
- European Commission press release, 28 November 2024: Letters of formal notice to 23 member states
- European Commission press release, 7 May 2025: Reasoned opinions to 19 member states
- European Commission, 20 January 2026: Proposed NIS2 amendments for legal clarity
- Infosecurity Magazine, 18 March 2026: Eight countries face EU action over NIS2 failings — Ireland, Spain, France, Bulgaria, Luxembourg, Netherlands, Portugal, Sweden
- Politico EU: EU to take France and Spain to court over NIS2 delay
- Wavestone NIS2 transposition tracker, updated January 2026: wavestone.com
- NIS2 Directive transposition — France, nis-2-directive.com, updated March 12, 2026
- ECSO NIS2 Directive Transposition Tracker: ecs-org.eu
- ETH, February 24, 2026: The Open Door. What the Odido Breach Tells Us About Cyber Complacency.
- ETH, April 25, 2026: The Opt-In Illusion
- ETH, May 9, 2026: The Wall They Are Building
Is Your Organisation in Scope?
NIS2 covers 18 critical sectors across the EU. Once your member state completes transposition, compliance obligations apply. ENISA publishes sector-specific guidance and the Commission maintains a public transposition tracker.
ENISA NIS2 Resources → Follow ETH on X →