There were those 'registrars' created just for the EU launch that were found out later and action was never taken against as well. They should have lost all the domains again, not been granted a refund, and them, their directors, shareholders, and customers should have been barred from ever registering .eu again.
Ideally that should happen. But unfortunately, Eurid is run by a bunch of smurfs who seem to think that they've done no wrong. I'd go a bit further than that. I'd have .eu redelegated and the people in Eurid stripped of responsibility for the .eu gTLD for facilitating the fraud. The "just following orders" defence that Eurid has been using when questioned does not cut it with many hosters and domain owners in Europe who've seen their .eu domain squatted by these bogus registrars.
Though Eurid seems to have been made to accept the magnitude of the problem it facilitated. There is now a fast track procedure that can be used to dispute a registration where there is clear evidence that the registrant's data was bogus or the registrant was not entitled to register the domain.