The European Commission referred Ireland, Spain, France, and the Netherlands to the EU's top court on Wednesday, July 8, 2026, over their failure to bring a key cybersecurity directive into national law.

The Commission, acting from Brussels, sent the four cases to the Court of Justice after each country failed to notify it of national measures implementing Directive (EU) 2022/2555, commonly known as NIS2. That directive sets binding rules for the security of network and information systems across the bloc.

Member states were required to incorporate NIS2 into their domestic legal frameworks, but none of the four governments notified the Commission that they had done so. The absence of those notifications triggered the referral process.

The Court of Justice will now take up the cases against all four countries. Ireland, Spain, France, and the Netherlands each face proceedings before the court for the same underlying failure to transpose the directive.