European Commission Takes Member States to Court over Cybersecurity Failings

The 2022 Russian invasion of Ukraine laid bare Europe's vulnerabilities in both physical and cyber defense. Whereas the former has received much focus, the latter is proving slower going for some.

The Court of Justice of the European Union is hearing the Commission\'s case against four member states.

The Court of Justice of the European Union is hearing the Commission\'s case against four member states. Photo: Reuters/Francois Lenoir

The European Commission announced 8 July that it is referring France, Ireland, Spain and the Netherlands to the Court of Justice of the European Union (CJEU) over their failure to transpose a major EU cybersecurity directive into their national laws.

According to the Commission, it included a request in its referral to the Court that financial sanctions be imposed, consisting of a “lump sum and daily penalties until notification of complete transposition”.

The countries are accused of failing to implement the NIS2 Directive on securing network and information systems. 

The Commission views the measures contained within it as central to improving the EU’s cybersecurity, including developing the “incident response capacity” of entities in 18 sectors marked out as “critical”.

Enforced Compliance

Member states had until 17 October 2024 to transpose the directive, but the majority failed to meet the deadline. As a result, the European Commission on that occasion launched infringement proceedings against 23 countries, followed by the issuance of reasoned opinions to 19 member states that had still failed to comply by May 2025.

Most have now incorporated the directive into national law, leaving the four countries targeted by the Commission open to legal proceedings.

The Commission states that the NIS2 Directive establishes a “unified legal framework” to support cybersecurity in the 18 critical sectors across the EU.

Brussels Wants Citizens to Save Power for the AI Age

You might be interested Brussels Wants Citizens to Save Power for the AI Age

It also requires member states to develop national cybersecurity strategies and collaborate with the EU and other member states for cross-border cybersecurity enforcement.

The latest directive replaces an earlier iteration, 2016’s NIS1, and came in the wake of Russia’s 2022 invasion of Ukraine and the heightened cybersecurity risk that it presented to European countries.

The directive is primarily concerned with enhancing member states’ cybersecurity capabilities, including developing policies for supply chain security, vulnerability management and cybersecurity education and awareness. 

Member states are also required to establish and update a list of operators of “essential services”, ensuring that such entities comply with the directive's requirements.

NIS1 applied rules to the energy, transport, healthcare, finance, water management and digital infrastructure sectors. This was expanded upon by NIS2 to include providers of public electronic communications, more digital services (such as online social platforms), waste and wastewater management, critical product manufacturing, postal and courier services, public administration at both central and regional levels, and the space sector. 

Medium-sized and large entities in these sectors must take “appropriate cybersecurity risk-management measures” and notify national authorities of “significant incidents”, particularly those that could cause notable disruption or damage to the services or products they provide.

AI's Role in Cybersecurity Takes Center Stage

The cybersecurity-related scrutiny comes as the Commission devotes greater attention to the topic, a trend amplified by the proliferation of artificial intelligence (AI) and related technologies.

The Commission published 7 July an action plan intended to address the risks and opportunities of advanced AI models for cybersecurity. According to officials, it is intended to complement the NIS2 Directive and the Union’s Cyber Resilience Act.

Tech Giant Anthropic Echoes Musk With Call for Global AI Pause

You might be interested Tech Giant Anthropic Echoes Musk With Call for Global AI Pause

“New advanced AI models are redefining cybersecurity”, a Commission spokesperson said following the launch of the plan.

“AI can be misused to identify vulnerabilities, automate attacks and increase the scale and speed of cyber incidents at an unprecedented speed”, the official added.

To “promote the safe use of advanced AI”, the Commission explained that, in line with its AI Act, it will strengthen Europe’s capacity to evaluate AI models before they are placed on the EU market.

The European Union Agency for Cybersecurity (ENISA) is also to be engaged to develop a scheme for “secure access to advanced AI systems for cybersecurity purposes” and establish a “secure testing platform” to help organizations in the designated critical sectors test and deploy AI for their operations.

Another element of the AI cybersecurity action plan involves the launch of an EU “Grand Challenge” on AI for cybersecurity, “bringing together companies, researchers and other stakeholders to develop innovative AI-powered cybersecurity solutions”.

According to the Commission, “the EU will also continue investing in sovereign AI capabilities, building on initiatives such as AI Factories and future Gigafactories, while encouraging private investment to help scale up European AI technologies”.

Commenting on the plan’s publication, Executive Vice-President for Tech Sovereignty, Security and Democracy Henna Virkkunen said that “AI is transforming the meaning of cybersecurity” and that Europe “must keep pace”.

“The EU has strong foundations in place to adapt its response in the face of vulnerabilities that emerging tech brings with it”, Virkkunen added, noting that Europe needs to “harness and focus existing capabilities, networks and the legal framework to fortify the cybersecurity protecting our digital landscape”.