European Commission's Penalizes Four EU Members for Missing NIS2 Deadline

The referral documents filed Monday, July 13, at the Court of Justice of the European Union (EU) name Ireland, Spain, France, and the Netherlands, and cite a failure to transpose a cybersecurity directive, in respect to the NIS2 directive requirements, that has been on the books long enough that non-compliance can no longer be charitably attributed to administrative delay.  

Brussels has stopped extending that charity. 

Though the penalties they seek are substantial, the legal filings do not quite capture the standstill that has very little to do with administrative delay and more with an argument that European democracies have been conducting in secret rooms. 

Europe’s cybersecurity crackdown has turned into a legal and political standoff, as France’s delayed NIS2 rollout exposes a deeper fight over encryption, state surveillance, AI security, and whether governments should reach communications built to remain private from official access forever.

The European Commission has referred France, Ireland, Spain, and the Netherlands to the Court of Justice of the European Union after they failed to notify national measures implementing NIS2 directive requirements. 

France’s Encryption Safeguard Turns Cybersecurity into a Surveillance Fight

NIS2 was designed to raise cybersecurity standards across 18 critical sectors, including energy, health, transport, and public administration. It requires risk management, incident reporting, and stronger response capacity. On paper, this is compliance.

In France, the implementing law has become a battle over access to protected data.

Article 16bis was inserted into France’s Resilience Bill as an end-to-end encryption safeguard intended to stop authorities from forcing communication providers to weaken encryption or create backdoors. The clause treats encryption as a shield that must remain intact, even when agencies seek access for investigations. France’s parliamentary intelligence delegation opposes that protection, warning it interferes with state services. An amendment filed in the National Assembly said the original wording “poses difficulties that are now known” and risks disrupting sensitive government work.

This explains why the French delay cannot be reduced to administrative laziness. The country is not only late in applying for an EU directive. It is debating whether cybersecurity law should protect encrypted systems from everyone, including the state, or leave room for legally controlled interception. 

Civil liberties supporters argue that a backdoor built for government use does not remain safely limited to government use. Once encryption is weakened, the same technical opening can become a target for hostile states, criminal groups, and commercial spyware operators. Intelligence services answer that fully protected communications can hide terrorists, organized crime networks, and foreign agents from lawful surveillance.

The dispute leaves lawmakers facing a choice. Mathematical protection works because it does not distinguish between a democratic authority, a criminal attacker, or a foreign spy. But intelligence work depends on distinctions created by law, warrants, and state power. The encryption safeguard attempts to settle that conflict in favor of the technology itself.

The deadlock comes as the European Commission pushes a plan for advanced AI in cybersecurity. Through the NIS2 Directive requirements, Brussels wants EU countries, industry, and European agencies to evaluate powerful models, test them in secure environments, find vulnerabilities faster, and expand domestic AI capacity through factories, future gigafactories, and a cybersecurity challenge.

That strategy assumes Europe has a stable legal foundation beneath its new tools. NIS2 is meant to provide that foundation by forcing critical operators to manage risks and report incidents. Yet the referral of four member states shows that Europe can announce faster AI defenses while still struggling to agree on the legal limits of state access.

The pressure extends beyond encryption. A legal opinion warns that the proposed Cybersecurity Act could expose member states to compensation claims if Chinese technology suppliers are excluded from European ICT markets.

Professor Christoph Schreuer stated, “Member States would remain bound by their respective BITs with China in the event of a conflict between their obligations under the CSA and those arising under the BITs.”

His warning shows another fault line in Europe’s cybersecurity push. EU governments may be required to remove suppliers labelled high risk while remaining bound by bilateral investment treaties that protect Chinese investors from discriminatory treatment or expropriation. According to the opinion, EU legislation would not automatically erase those international obligations.

The report also argues that ending such treaties would not quickly remove the danger because many contain clauses protecting existing investments for another 10 to 20 years. Schreuer’s conclusion is that member states could become trapped between European cybersecurity rules and international investment law, with liability possible whichever path they follow.

France now represents the sharper ideological conflict. Intelligence agencies want data visibility when national security is at stake. Encryption defenders want a statutory lock that even government cannot quietly open. Brussels sees an overdue cybersecurity law. Paris sees a decision about whether state surveillance should stop where cryptography begins.

The EU NIS2 Directive requirements have become more than a compliance deadline, as the Union tries to secure key networks, deploy AI against attacks, reduce foreign technology risks, and protect private communications at the same time. Until lawmakers decide which security threat matters most, the legislation will remain caught between public defense and private freedom. 


Inside Telecom provides you with an extensive list of content covering all aspects of the tech industry. Keep an eye on our Cybersecurity sections to stay informed and up-to-date with our daily articles.

Join our WhatsApp Channel WhatsApp Channel