Ireland, Spain, France and the Netherlands are the only member states yet to incorporate the NIS2 directive into national law.
Ireland is one of four countries being referred to the highest court in the European Union for failing to adopt cybersecurity directives into law. The European Commission’s move comes as Ireland commences its six-month rotational presidency heading the EU Council.
The Network and Information Security 2 (NIS2) Directive entered into force in January 2023 and sets high security standards across 18 critical sectors, including health, energy, transport and the public sector, mandating organisations to implement appropriate security measures and report any relevant incidents to the authorities.
However, directives must be incorporated into national legislation by EU member states before gaining effect. Member states had until October 2024 to carry out the transposition.
But by late November 2024, 23 member states, including Denmark, Germany, Finland and Sweden, were yet to transpose the directive, while by May 2025, 19 had still not done so.
In its referral yesterday (8 July), which also includes Spain, France and the Netherlands, the Commission requested the Court of Justice of the European Union to impose financial sanctions on infringing member states, consisting of lump sum and daily penalties until NIS2 is incorporated into national legislation.
The cybersecurity threat landscape is fast evolving, as newer technologies such as AI provide bad actors with advanced tools to commit phishing attacks, scams and infrastructure break-ins, while breaches go underreported in Ireland, according to a recent Compliance Institute report.
“While Ireland is not alone in having missed the deadline, this is not a great start for Ireland to our presidency of the Council of the European Union,” said Dentons partner David Kirton.
“The Government has listed competitiveness and security as two of its three key pillars for the presidency, so putting this legislation into effect would be a strong symbol of that commitment.”
The Government published a general scheme of the National Cyber Security Bill in August 2024, and a National Digital and AI Strategy this February, where it committed to “prioritising legislation to implement the EU NIS2 Directive”, but did not provide a timeline.
The bill remains in pre-legislative scrutiny and is only expected to go before the Oireachtas by September at the earliest.
Transposing the directive will not be straightforward, Kirton said, “as parts of the legislation are technical in nature and present a major change in empowering the National Cyber Security Centre to act in an enforcement role alongside other competent authorities”.
“The Government will need to prioritise the preparation of a bill, which has been promised by the Minister for Justice for later this year, which will no doubt provoke further debate as it proceeds through the legislative process before entering into force,” he added.
Earlier this year, the Commission proposed amendments to simplify NIS2 as part of its digital omnibus overhaul that aims to cut regulatory red tape and make business in the bloc easier.
Amendments to NIS2 aim to increase legal clarity by simplifying jurisdictional rules, streamlining the collection of data on ransomware attacks and facilitating the supervision of cross-border entities, the EU argued.
Don’t miss out on the knowledge you need to succeed. Sign up for the Daily Brief, Silicon Republic’s digest of need-to-know sci-tech news.








You must be logged in to post a comment Login