Critical Infrastructure Security , Government , Industry Specific

EU Nations That Missed NIS2 Deadline Put On Notice

European Commission Opens Infringement Procedures Against 23 EU Member States
EU Nations That Missed NIS2 Deadline Put On Notice
Image: Shutterstock

The European Commission on Thursday opened infringement procedures against more than 20 member states for failing to implement two key cyber regulations designed to strengthen critical infrastructure resilience in the trading bloc.

See Also: OnDemand | Agency Armor: Cybersecurity Compliance Essentials for Resource-Constrained Teams

The measures from the commission came after countries including Germany, France, Ireland and 20 other European Union member states missed the Oct. 17 deadline to transpose the European Union's Network and Information Security Directive, or NIS2, into national law (see: Most EU Nations to Miss Upcoming NIS2 Deadline).

The NIS2 Directive imposes cybersecurity risk management and incident reporting obligations for organizations operating across a range of critical sectors, including finance, energy, healthcare, space, IT and public administration.

"The commission therefore sent letters of formal notice to the 23 member states," the European Commission said. "They now have to reply within two months, complete the implementation of the directive and notify the commission of the measures. Otherwise, the commission may decide to send reasoned opinions to these countries."

If the countries fail to adequately respond within two months, the European Commission can refer the matter to the Court of Justice. The court could issue a compliance order and if the countries still fail to comply, impose penalties. Officials said most such cases get resolved before being referred to the court.

The commission is also seeking responses from 24 member states, including Germany, for missing a separate mid-October deadline requiring them to assess risks to critical infrastructure, as mandated under the Critical Entities Resilience Directive.

The new directive expands the number of critical sectors from 2 to 11.

"The directive ensures the provision of vital services for our society and our economy in key sectors, such as energy, transport, health, water, banking and digital infrastructure, by strengthening the resilience of critical infrastructure and critical entities against a range of threats, including natural hazards, terrorist attacks, insider threats or sabotage," the European Commission said.

NIS2 Implementation Delay

On the NIS2 front, the EU says the directive "aims to ensure a high level of cybersecurity across the EU."

So far, only six countries - Belgium, Croatia, Greece, Hungary, Latvia and Lithuania - have transposed NIS2 into national statutes.

The German federal government approved a proposed NIS2 national bill in July, but the initial parliamentary debate for the proposal only took place a week before the implementation deadline. Similarly, the French Parliament has not finalized a draft regulation amid a reported lack of political consensus among lawmakers.

Most countries that missed the October deadline said they will be ready to implement the directive by March 2025.

The NIS2 Directive categorizes critical sectors as "essential" and "important," based on size, sector and criticality. The regulation recommends that enforcement agencies within EU member states conduct security inspections, issue warnings about violations and report cybersecurity incidents within 24 hours. National cybersecurity emergency response teams are required to share information on cyberthreats, vulnerabilities and incidents.

Any violation of the regulation could cost organizations designated as being essential 10 million euros ($10.6 million) or 2% of their global annual revenue, whichever is greater. The maximum penalty for important services is 7 million euros ($7.4 million) or 1.4% of the organization's global annual revenue.


About the Author

Akshaya Asokan

Akshaya Asokan

Senior Correspondent, ISMG

Asokan is a U.K.-based senior correspondent for Information Security Media Group's global news desk. She previously worked with IDG and other publications, reporting on developments in technology, minority rights and education.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing inforisktoday.eu, you agree to our use of cookies.