EC takes action against member states over NIS2 cybersecurity rules
Only four EU countries have put the new rules in place
The majority of European Union countries have failed to transpose new cybersecurity rules under the NIS2 Directive, according to the European Commission (EC) as it opened infringement proceedings against 23 member states.
NIS2, which sets higher cybersecurity standards and risk management requirements in critical sectors, including manufacturing, should have been transposed into national law across all 27 member states by 17 October 2024.
But the EC said Bulgaria, the Czech Republic, Denmark, Germany, Estonia, Ireland, Greece, Spain, France, Cyprus, Latvia, Luxembourg, Hungary, Malta, Netherlands, Austria, Poland, Portugal, Romania, Slovenia, Slovakia, Finland and Sweden have yet to fully transpose the rules, and have been sent letters of formal notice calling for them to take action. They have two months to respond and complete the implementation of the directive or face the next step of infringement procedures.
“Full implementation of the legislation is key to further improving the resilience and incident response capacities of public and private entities operating in these critical sectors and the EU as a whole,” the EC said.