The Anneau and the forecourt, Court of Justice of the European Union. Image: © European Union 2016

Ireland, Spain, France and the Netherlands are the only ones left to incorporate the NIS2 into national law.

Ireland is among the countries being referred to the highest court in the European Union for failing to adopt cybersecurity directives into law. The European Commission’s move comes as Ireland commences its six-month rotational presidency heading the EU Council.

The Network & Information Security 2 (NIS2) Directive entered into force in January 2023 and sets high security standards across 18 critical sectors, including health, energy, transport and the public sector, mandating organisations to implement appropriate security measures and report any relevant incidents to the authorities.

However, directives must be incorporated into national legislation by EU member states before gaining effect. Member states had until October 2024 to carry out the transposition.