The European Commission has decided to bring an action before the Court of Justice of the European Union against Bulgaria, France, Luxembourg, the Netherlands, Poland, Spain, and Sweden for failing to transpose the Directive on the resilience of critical entities (“the Critical Infrastructure Resilience Directive”) and for failing to notify the Commission of the national measures taken to transpose it.
The aim of the CSP Directive is to ensure the continuous provision of services that are vital to the EU’s society and economy in key sectors such as energy, transport, healthcare, water supply, banking, and digital infrastructure. It requires Member States to conduct regular risk assessments to identify critical entities and ensure that these entities implement appropriate measures to safeguard the continuous provision of essential services. The Directive adopts an all-hazards approach, covering both natural and man-made risks, such as terrorist attacks, cyber threats, criminal infiltration, and sabotage. Critical entities designated as such under the Directive must regularly conduct risk assessments and take measures to ensure their resilience. The Directive also provides for measures to enable the identification and mitigation of cross-border risks.
The CSP Directive is part of broader efforts to strengthen the EU’s ability to withstand systemic disruptions and ensure the continuity of essential services. The swift transposition of the Directive is essential to achieving this important common goal.
Member States were required to transpose the CIP Directive into their national legislation by October 17, 2024. To date, most EU Member States have notified the Commission of the full transposition of the Directive. However, this does not apply to Bulgaria, France, Luxembourg, the Netherlands, Poland, Spain, and Sweden.
In November 2024, the Commission sent formal letters of notice to these Member States, followed by reasoned opinions in July 2025. Since the Commission has not received notification of national transposition measures, it is bringing an action against these Member States before the Court of Justice of the European Union, asking the Court to impose financial penalties on each of them.
Context
As explained in the European Internal Security Strategy ProtectEU, the EU must improve its resilience against hybrid threats by protecting critical infrastructure, strengthening cybersecurity, and combating online threats.
This directive is part of a package of legislative measures to improve the resilience and incident response capabilities of public and private entities in the EU in the areas of critical infrastructure protection and cybersecurity.
The Council also issued a recommendation on a coordinated EU-level approach to strengthening the resilience of critical infrastructure in December 2022.
For more information
Database of infringement decisions and map and charts on infringements
Infringement proceedings as of April 2026
Infringement proceedings: for Bulgaria (INFR(2024)0258).
