NIS 2 Delay: France Referred to the European Court of Justice
Transposition of the NIS 2 directive into French law was finally supposed to move forward this summer. That will not happen. The “Resilience” bill is not on the agenda for the extraordinary July 2026 session, pushing its review back to the fall. At the earliest, it will be September. Meanwhile, Brussels has stopped waiting: on July 8, the European Commission referred France to the Court of Justice of the European Union for failure to transpose the directive. Here is what we know.
Table of Contents
Brussels refers the case to the CJEU
On July 8, 2026, the European Commission announced that it was taking four Member States to the Court of Justice of the European Union (CJEU) for failing to notify the full transposition of the NIS 2 directive (Directive (EU) 2022/2555): France is on the list of laggards, along with Ireland, Spain, and the Netherlands.
It has to be said that France is badly behind. According to the official statement, Member States had until October 17, 2024 to transpose the text. With no response, Brussels sent formal notices on November 28, 2024, then reasoned opinions on May 7, 2025. Referral to the Court of Justice is the next step. The European Commission is now seeking financial penalties, in the form of a lump sum plus daily fines, until the complete transposition is notified.
The amounts of these penalties are not known, and perhaps France will never have to pay them. This is probably an additional lever to pressure the French political class.
A text stuck in the National Assembly, review postponed until the fall
In France, the NIS 2 directive was not transposed on its own. The government decided to fold it into the bill on the resilience of critical infrastructure and the strengthening of cybersecurity. This is the Resilience law, which also transposes the CER directive on critical entities and the DORA regulation for the financial sector. Adopted by the Senate, the text is now waiting for debate in public session at the National Assembly.
That debate will not take place this summer, even though it was expected. The decree convening Parliament in extraordinary session starting on July 1 does not mention the bill. There is a strong chance that review will be pushed back to September, when Parliament returns, but this has not been confirmed by the government.
Why is it taking so long? We hear a lot about NIS 2, but the months go by and nothing changes. In reality, there is one sticking point that keeps coming back every time: Article 16 bis on backdoors. It is a source of tension. On one side are those who support their use, especially intelligence services, in order to fight organized crime; on the other, NIS 2 forbids them. This disagreement leaves us in a deadlock.
NIS 2, a quick recap
As a reminder, NIS 2 replaces the original 2016 NIS directive and significantly broadens its scope.
- The number of covered sectors rises to 18, including healthcare, energy, transportation, and the public sector.
- In France, the number of regulated entities jumps from a few hundred under NIS 1 to more than 15,000, including local authorities.
- The text distinguishes two categories, essential entities and important entities, depending on size and sector.
- Organizations in scope will have to document their risk management and report incidents, under the supervision of ANSSI and under penalty of sanctions.
In any case, do not wait for the law to take action. It will eventually be adopted, and it is moving in the right direction when it comes to securing infrastructure (risk analysis, vulnerability management, etc.).
Here are links to the two official resources:


