Ireland Ireland DPC GDPR enforcement Big Tech HQ

Ireland's Own Cybersecurity Law Lags the NIS2 Deadline It Now Faces Court Over

The EU referred Ireland to the CJEU for missing the NIS2 deadline just as it takes the Council presidency on a 'competitiveness and security' platform.

Ireland's Enforcement Gap People of Internet Research · Ireland 4 States still not transposed Ireland, Spain, France and the Net… ~21 Months past NIS2 deadline Transposition deadline was 17 Octo… €4.04B GDPR fines issued by DPC Cumulative fines since 2018, mostl… ~0.5% Share of fines actually collected Only around €20 million of €4.04 b… peopleofinternet.com
Ireland's Enforcement Gap People of Internet Research · Ireland 4 States still not transposed ~21 Months past NIS2 deadline €4.04B GDPR fines issued by DPC ~0.5% Share of fines actually collect… peopleofinternet.com

Key Takeaways

A presidency that opens in the dock

On 8 July 2026, the European Commission referred Ireland, Spain, France and the Netherlands to the Court of Justice of the European Union for failing to transpose the NIS2 Directive — the EU's baseline cybersecurity law for 18 critical sectors, from energy and health to public administration. The Commission is asking the Court for a lump-sum penalty plus daily fines that will keep accruing until each country notifies full transposition. The timing could hardly be worse: Ireland took over the rotating presidency of the EU Council on 1 July, campaigning on a platform of "competitiveness and security," and within a week found itself named in the referral for the very security directive it is supposed to be championing.

The transposition deadline was 17 October 2024. The Commission sent Ireland a letter of formal notice on 28 November 2024, followed by a reasoned opinion on 7 May 2025 — the standard escalation ladder before a case reaches Luxembourg. Twenty months after the deadline, Ireland is one of only four member states still without a domestic NIS2 statute on the books, alongside Spain, France and the Netherlands.

The bill that never quite arrives

Ireland's vehicle for transposition, the National Cyber Security Bill, has been "in progress" for two years. The General Scheme was published on 30 August 2024, placing the National Cyber Security Centre (NCSC) on a statutory footing and designating national competent authorities for each covered sector. But a general scheme is not a law — it is pre-legislative scrutiny material, and that scrutiny has itself been interrupted. The NCSC's own transposition page acknowledges the gap plainly: Ireland "continues to work through the transposition requirements of the Directive," with the older NIS1 regime remaining the operative law for critical operators in the interim, per ncsc.gov.ie.

To be fair to Dublin, the delay is not unique or reckless — 19 of 27 member states had failed to transpose by May 2025, and Germany, among others, only recently caught up. NIS2 asks a lot: mandatory incident reporting within 24 hours, board-level accountability for cybersecurity risk, and supervisory regimes across sectors that in many states have no existing regulator. Legislating that correctly, rather than quickly, has some genuine merit — a rushed transposition that gets governance structures wrong would be worse for firms than a delayed one that works. That is the strongest version of the case for patience, and it deserves to be stated before it's dismissed.

Why the excuse runs thin for Ireland specifically

But Ireland's position is different from, say, a smaller member state working through capacity constraints. Ireland is EU headquarters to more regulated multinational tech and cloud infrastructure than almost any other member state, and it has spent the past decade building a regulatory brand around being the trusted, competent home for that industry. A country whose entire pitch to global tech investment is "we regulate you here, and we do it well" cannot simultaneously be two years late on the field's foundational cybersecurity statute without cost to that brand — especially while holding the Council presidency gavel on security policy for the next six months.

The pattern is not new. Ireland's Data Protection Commission has issued €4.04 billion in cumulative GDPR fines since 2018 — more than half of every GDPR fine issued across the EU, largely against Meta, TikTok, LinkedIn and WhatsApp — yet as of the DPC's own reporting, only about €20 million, roughly 0.5%, has actually been collected, with the rest tied up in appeals working through Irish and EU courts. The headline enforcement numbers look aggressive; the follow-through is thin. A NIS2 transposition delay layered on top of that record reinforces a specific criticism of Irish tech regulation: strong on the announcement, slow on the mechanics that make enforcement real.

The proportionate case

None of this means Brussels should be indifferent to correct process. Rushing NIS2 into Irish law purely to beat a court date would risk exactly the kind of poorly-drafted incident-reporting and liability provisions that create compliance chaos for the very firms Ireland is trying to keep onshore — a bad outcome for innovation and for security both. The proportionate path is for the Oireachtas committee currently handling pre-legislative scrutiny to set and hit a hard public date for Bill publication, rather than the open-ended "engagement" language used so far, and for the Commission to keep daily penalties calibrated to genuine delay rather than symbolic punishment of a state that is visibly working the file.

What the referral mainly does is strip away the coincidence of good timing. Ireland can still lead credibly on EU tech competitiveness this presidency — but doing so requires closing the gap between the enforcement Ireland projects abroad and the legislative and collection follow-through it delivers at home. A published Bill with a real date, not another scrutiny cycle, is the fastest way to make that credible again.

Sources & Citations

  1. European Commission — referral to CJEU on NIS2 (digital-strategy.ec.europa.eu)
  2. Ireland NCSC — NIS2 transposition status
  3. Silicon Republic — Commission refers Ireland to CJEU
  4. Irish Times — DPC owed more than €4 billion in fines