The European Commission has decided to refer Ireland, Spain, France and the Netherlands to the Court of Justice of the European Union for failing to notify the measures transposing the SRI 2 Directive on the security of network and information systems into national law [Directive (EU) 2022/2555].
The Directive strengthens the EU’s cybersecurity by setting out strict rules for organisations operating in eighteen critical sectors, such as healthcare, energy, transport and the public sector. Its full implementation is essential to improving the EU’s resilience and the incident response capabilities of public and private entities operating in these critical sectors, as well as those of the EU as a whole.
Member States had until 17 October 2024 to transpose this Directive. Although most met this deadline, Spain, France, Ireland and the Netherlands have not yet notified the Commission of full transposition. The Commission sent letters of formal notice on 28 November 2024 and reasoned opinions on 7 May 2025. The referrals include a request to the Court to impose financial penalties consisting of a lump sum and daily fines until notification of full transposition is provided.
Background
Cybersecurity involves protecting networks and information systems, users and affected individuals against cyber incidents and threats. Given that cyber threats are on the rise, the SRI 2 Directive requires Member States to strengthen their cybersecurity capabilities and introduce risk management measures and incident reporting obligations for organisations in eighteen critical sectors.
On 20 January 2026, as part of a cybersecurity package, the Commission proposed specific amendments to the SRI 2 Directive to provide greater legal clarity. The amendments make it easier for companies operating in the EU to comply with cybersecurity standards and risk management requirements.







Leave a Reply