France and Spain Referred to the CJEU Over NIS2: What Suppliers Should Do Now

On 9 June 2026, the European Commission referred France and Spain to the Court of Justice of the European Union for failing to transpose NIS2 into national law. More than 18 months after the deadline, the EU's two largest economies still don't have the directive on their statute books — and now the only body that can fine a member state for ignoring EU law is involved.

If you advise organisations operating in France or Spain, this is not a story about Brussels procedure. It changes how you should be scoping NIS2 readiness work in those markets right now. Here's what the referral actually means and what to tell your clients this week.

The referral is the last stop, not a warning shot

The Commission doesn't go to the CJEU first. The path to a referral is long and deliberate, and France and Spain have now travelled all of it.

The transposition deadline was 17 October 2024. Only four member states met it. The Commission opened infringement proceedings against 23 countries on 28 November 2024 with formal letters of notice. It escalated on 7 May 2025, issuing reasoned opinions to 19 governments — the formal "you have two months to comply" stage. France and Spain were on that list, didn't comply, and have now been referred to the court.

Referral is the final stage. The CJEU is the only body that can order a member state to pay for breaching EU law, through lump-sum fines and daily penalty charges that accrue until the law is fixed. That financial pressure is now bearing down on Paris and Madrid, which means national transposition is far more likely to land in 2026 than to slip again.

NIS2 Implementation Status by Country (2025–2026)
✅
Fully in force
🇧🇪Belgium
🇭🇷Croatia
🇭🇺Hungary
🇱🇹Lithuania
🇱🇻Latvia
🇮🇹Italy
6 countries
📋
Adopted — late 2025
🇩🇪Germany
🇨🇿Czech Republic
🇫🇮Finland
3 countries
⏳
In progress — expected 2026
🇳🇱Netherlands
🇫🇷France
🇪🇸Spain
🇵🇱Poland
🇦🇹Austria
🇸🇪Sweden
🇮🇪Ireland
7 countries

France and Spain took different roads to the same place

The two delays don't have the same cause, and that matters for how you predict the timeline.

Spain approved a draft cybersecurity bill in the Council of Ministers in January 2025, but the final text still hasn't been published. The law is expected to take effect at some point during 2026. The framework exists on paper — what's missing is promulgation.

France folded NIS2 into a broader law on the resilience of critical infrastructure, a wider legislative package that has not been fully promulgated. The directive is tied to a larger, slower-moving vehicle, which is why France's timing is harder to call.

For a consultant, the practical read is this: both countries will almost certainly have law in force within the next 12 months, and the CJEU referral makes further slippage politically expensive. Treat the absence of a national law as a timing question, not a reason to wait.

"No national law yet" is the most dangerous thing a client can believe

The single biggest risk in France and Spain right now is the client who reads the headlines and concludes they have a reprieve. They don't.

NIS2 obligations don't only flow from the country a company is headquartered in. If your client sells to, or operates infrastructure for, entities in member states that have transposed — Germany, Italy, Belgium, the Netherlands, and most of the bloc — those obligations already apply through the supply chain. A French managed service provider serving German essential entities is being asked for Article 21 evidence today, regardless of what France has or hasn't passed.

The directive's supply-chain provisions are the mechanism. Essential and important entities must manage the security of their suppliers, which means they push contractual security requirements down to vendors irrespective of where those vendors sit. The obligation cascades from the compliant jurisdiction into the non-compliant one.

NIS2 Penalty Escalation — Beyond the Fine
!
Trigger event
Non-Compliance Detected or Incident Occurs
A supervisory authority identifies a compliance gap or an organisation fails to meet NIS2 requirements
Authorities can impose
▼
Non-Monetary Penalties
1
Compliance orders with binding deadlines
2
Mandatory security audits at your expense
3
Public disclosure of violations
4
Binding instructions on specific security measures
Escalates to
▼
Operational & Personal Consequences
1
Suspension of certifications or operating licences
2
Temporary ban on management functions for individuals
3
Public naming of responsible natural persons
Trigger
Non-monetary
Operational / personal

So the honest message to a French or Spanish client is: the national law is coming, your customers in other member states are already bound, and the contractual requirements are reaching you now. The gap between "our country hasn't transposed" and "we have no obligations" is exactly where unprepared organisations get caught.

Determining scope when the national text isn't final

The wrinkle in France and Spain is that the final national definitions — sector annexes, size thresholds, the line between essential and important entities — aren't locked. Scope determination normally leans on the transposing law's specifics. Here you don't have them yet.

Work from the directive itself. NIS2's sector lists and the medium-enterprise threshold (50+ employees or €10m+ turnover, with carve-outs for certain critical providers regardless of size) are set at EU level and won't move much in transposition. A client that is clearly in scope under the directive will be in scope under the French or Spanish law. Build the readiness assessment on the directive's baseline now, and treat the eventual national text as a refinement rather than a starting point.

Does NIS2 Apply to Your Organisation?
1
Does your organisation operate in an essential or important sector (energy, transport, health, digital infrastructure, etc.)?
Yes▼
No▼
2
Does your organisation have 50 or more employees, or an annual turnover exceeding €10 million?
✗
NIS2 does not directly apply to your organisation.
Yes▼
No▼
✓
NIS2 applies to your organisation as an Essential or Important Entity.
3
Is your organisation a critical infrastructure provider or a qualified trust service provider?
Yes▼
!
NIS2 may apply to your organisation — seek legal advice to confirm your status.
1
Does your organisation operate in an essential or important sector (energy, transport, health, digital infrastructure, etc.)?
Yes ↓No →
2
Does your organisation have 50 or more employees, or an annual turnover exceeding €10 million?
Yes ↓No →
3
Is your organisation a critical infrastructure provider or a qualified trust service provider?
Yes ↓No →
✗
NIS2 does not directly apply to your organisation.
✓
NIS2 applies to your organisation as an Essential or Important Entity.
!
NIS2 may apply to your organisation — seek legal advice to confirm your status.
Applies
Possibly applies
Does not apply

This is also where you protect your own credibility. Tell clients which conclusions are firm (driven by the directive and unlikely to change) and which are provisional (dependent on national specifics still to be published). A gap analysis built on the directive will be 90% durable; flag the 10% that may shift.

What to do with French and Spanish clients this week

The referral is a prompt, not a fire drill. Concrete moves:

Map customer exposure first. For each client, list the member states their customers and operations touch. Any compliant jurisdiction in that list means live obligations today, national law or not. This is usually the fastest way to show a sceptical client why "we'll wait for the law" is the wrong posture.

Run the gap analysis against the directive baseline. Don't wait for the national text. The Article 21 measures — risk management, incident handling, business continuity, supply-chain security, vulnerability handling, basic cyber hygiene, MFA — are EU-level and stable. Assess against those.

Get supplier contract language in order. The supply-chain cascade arrives through contracts. Clients on the receiving end of new security clauses from their German or Italian customers need to be able to answer them. Clients who are themselves essential or important entities need to start pushing requirements down to their own vendors.

Document the readiness posture now so that when the French or Spanish law is published — likely with a short runway to enforcement — your client moves from "starting" to "demonstrating" rather than scrambling. Organisations that treated the delay as breathing room will find the enforcement window uncomfortably tight.

The CJEU referral tells you the delay is ending. The member states that dragged their feet are the ones whose enforcement is most likely to be sharp once the law lands, precisely because the Commission has already lost patience. Position your clients to be ready before the text is final, not after.

If you want a fast, structured read on whether a client is in scope and where the biggest gaps sit, run them through the NIS2 readiness quick scan — it works off the directive baseline, which is exactly what you need while France and Spain finish their national laws.

For the wider picture on how the directive's supply-chain obligations move between jurisdictions, see our guide to NIS2 supply chain security and supplier contracts under Article 21.