NIS2 enforcement enters a new phase: four states head to court
Twenty months after the deadline, Brussels moved from warning letters to the Court of Justice, and national regulators are no longer just registering entities. They are supervising them
For most of 2024 and 2025, NIS2 lived in an awkward limbo: a directive that legally applied across the EU, yet one that many Member States had still not written into national law. That gap is now closing the hard way, through the courts and through active supervision. Three developments in the first half of July 2026 mark the shift from paper deadlines to real consequences.
None of the three is a footnote. Together they tell compliance leads that the enforcement phase of NIS2 has begun, that the first wave targets the most basic and least defensible failures, and that the reporting landscape is about to become more uniform.
One: four Member States referred to the Court of Justice
On 8 July 2026 the European Commission decided to refer Ireland, Spain, France and the Netherlands to the Court of Justice of the European Union for failing to notify the full measures transposing the NIS2 Directive (Directive (EU) 2022/2555) into national law. The Commission has asked the Court to impose financial sanctions, a lump sum plus daily penalties, that keep running until each country confirms complete transposition.
This did not happen overnight. Member States had until 17 October 2024 to transpose the directive. The Commission sent letters of formal notice on 28 November 2024, then reasoned opinions to the laggards on 7 May 2025. The July referral is the final escalation step in the EU infringement procedure, the point at which non-compliance stops being a diplomatic matter and starts carrying a price tag.
Two: where transposition actually stands
The headline should not obscure the wider picture. The majority of the bloc has already transposed. As of mid 2026, roughly two thirds of the 27 Member States have completed transposition, with a handful still finishing the legislative process. The four referred states are the outliers, and even they are moving.
The Netherlands Senate approved the Cyberbeveiligingswet, its NIS2 implementation, on 7 July 2026, with the law due to enter into force on 15 August 2026. Ireland has signalled it expects to notify transposition by the end of 2026. France and Spain remain in their respective legislative procedures.
Your obligations do not wait for the slowest state. If you fall in scope in a country that has already transposed, you are already subject to the full regime. Greece transposed NIS2 through Law 5160/2024, so in scope entities there face the complete set of obligations today.
Three: regulators move from registration to supervision
The most consequential change for day to day compliance is quieter than a court case. National authorities have started to supervise, not just collect registrations. As of mid 2026 no headline administrative fines against named entities had been publicly disclosed, so enforcement has so far stayed at the supervisory notice stage, but the machinery is clearly warming up.
Germany’s BSI began issuing formal orders (Anordnungen) in late 2025 to entities that had failed to register or designate a point of contact. Italy’s ACN identified a large population of entities that missed the 28 February 2026 annual registration deadline and is pursuing them through enforcement proceedings.
The pattern is telling. The first enforcement wave everywhere targets the easiest failure to prove: you did not register, or you did not name a contact. These failures are binary, documented and hard to defend. If your organisation is in scope and has not completed registration with the relevant national authority, that is the single highest probability enforcement trigger you face right now.
Management liability is the sharp edge. NIS2 makes management bodies personally responsible for approving and overseeing cyber risk measures, and for completing training. Compliance is no longer something the board can fully delegate to IT.
Four: incident reporting is being standardised
A long standing pain point for multinational entities has been divergent incident reporting formats, a different form and sometimes a different interpretation in every country. At its 39th Plenary in Cyprus, the NIS Cooperation Group agreed common templates for incident reporting under Article 23, giving cross border entities a single uniform format instead of a patchwork. The Commission intends to make these templates binding through an implementing act.
For any entity operating in more than one Member State this is genuinely good news. It reduces the reporting overhead and the risk of getting the format wrong under the pressure of a live incident. It is worth aligning your incident response playbook to the common template now, before it becomes mandatory.
Five: reform is already on the horizon
Even as it enforces the current text, the Commission has signalled a potential NIS2 reform and simplification as part of its broader digital simplification agenda. Nothing here weakens the obligations that apply today, but it is a reminder that the framework is still moving. Build your compliance programme around durable capabilities, risk management, governance, incident handling and evidence, rather than around the precise wording of any single national statute, and you will absorb future changes with far less rework.
What compliance leads should do now
1. Confirm scope and registration. Establish whether you are an essential or important entity in every country you operate in, and verify that registration and point of contact designation are complete. This is the number one enforcement trigger today.
2. Get the board on record. Document management approval of your risk management measures and evidence that directors have completed cybersecurity training. Liability sits with them.
3. Align incident reporting to the common template. Update your incident response playbook to the Article 23 format the Cooperation Group has agreed, so a real incident does not turn into a reporting failure.
4. Keep evidence audit ready. Regulators are shifting to supervision. Assume you may be asked to demonstrate, not just assert, that measures exist and work.
5. Do not wait for the slowest state. If you are in scope where transposition is already done, the obligations already apply.
The enforcement phase has begun
For most of the last two years, the practical risk under NIS2 sat in an uncomfortable grey zone. That is over. The Commission is now willing to take Member States to court, national regulators are issuing orders, and the reporting rules are converging on a single format. The direction of travel is unambiguous.
The organisations that will struggle are those that treated the October 2024 deadline as someone else’s problem. The organisations that will do well are those that have already registered, put their board on record, and built an evidence base they can show on request. None of that is complicated. It just has to be done before a regulator asks.
If this was useful, subscribe for plain language analysis of NIS2, ISO 27001, GDPR and DORA. Not sure where your organisation stands under NIS2? AVSec Advisory maps your scope, registration status and the gaps that carry the most enforcement risk. Book a free 30 minute assessment.
Sources
2. European Commission, Shaping Europe’s Digital Future: NIS2 Directive transposition in EU countries
4. Morrison Foerster: Flipping the NIS2 Switch, What Germany’s Implementation Means for 2026 Compliance
5. Greek National Cybersecurity Authority: NIS2 and Law 5160/2024
6. Law Society of Ireland Gazette: Cyber centre’s guidance on EU directive, July 2026
7. European Commission: NIS2 Directive and the NIS Cooperation Group (Article 23 incident reporting)
This analysis is informational and does not constitute legal advice. Some transposition dates and national statuses draw on official trackers and secondary reporting, and may change. Verify against your national authority before acting.

