The European Commission has revealed that only seven of the European Union’s 27 member states have fully implemented the necessary cybersecurity rules to protect critical entities, months after an October deadline.
These countries include Belgium, Italy, Croatia, Romania, Slovakia, Lithuania, and Greece. Meanwhile, six other countries – Latvia, Germany, Czechia, Austria, Denmark, and Poland – have only partially introduced the regulations.
The rules in question stem from the Network and Information Security Directive 2 (NIS2), which was approved in 2022 to safeguard sectors like energy, transport, banking, water, and digital infrastructure from significant cyberattacks. Despite the October deadline, Belgium and Croatia were the only countries fully prepared to apply NIS2 by then.
During a debate in the European Parliament, European Commissioner Glenn Micallef, who is responsible for intergenerational fairness, youth, culture, and sport, emphasized the urgency of implementing NIS2. He underscored the need for improved EU preparedness, particularly during hybrid crises such as the recent attacks on undersea cables in the Baltic Sea. Micallef noted that progress on transposing NIS2 and the Critical Entities Resilience Directive has been “slow,” and called on member states to speed up implementation to protect vital services such as energy and transport.
The European Commission had sent formal notice letters to non-compliant countries in November, starting the first stage of infringement procedures. These countries had until the end of January to respond, and the Commission is now reviewing those responses. If necessary, further steps could be taken.
One of the countries that missed the deadline, the Netherlands, stated that its rules will be in place by the third quarter of 2025.
NIS2, which updates the earlier NIS1 directive, aims to keep pace with the growing digitalization of critical sectors and evolving cybersecurity threats. Under these new rules, companies are required to report serious operational disruptions within 24 hours and provide a detailed incident report within 72 hours. Failure to comply could lead to fines of up to €10 million or 2% of global revenue, whichever is greater.
