Latest news with #NetworkandInformationSecurityDirective2


Euronews
6 days ago
Eight EU countries still missing cyber rules for critical sectors
Bulgaria, France, Ireland, Luxembourg, the Netherlands, Portugal, Spain and Sweden have all yet to adopt cybersecurity rules for critical sectors almost a year after an EU deadline, according to the latest data, meaning they face potential legal action.

The Network and Information Security Directive 2 (NIS2), which was approved back in 2022, aims to protect critical entities, such as energy, transport, banking, water and digital infrastructures, against major cyber incidents. Countries had to transpose the rules into national legislation by 17 October last year.

The EU executive began an infringement procedure in May against 19 member states for failing to adopt the rules. The countries had two months to take the necessary measures, or else face referral to the EU Court of Justice. Eleven member states have now done the work, but the remaining eight face potential further Commission action.

A spokesperson for the institution told Euronews that the Commission is 'monitoring member states' replies' and 'once assessed, will propose either closure or in the absence of a satisfactory response [...] next steps of the infringement procedure.'

Under NIS2, companies need to issue a warning within 24 hours and deliver an incident report within 72 hours in case of incidents that cause serious operational disruptions. In case of non-compliance, companies face fines up to €10 million, or 2% of worldwide revenue, whichever is higher.

In December, the Commission will present an 'omnibus' simplification package in a bid to identify reporting obligations in existing digital legislation that can be cut to ease pressure on enterprises, particularly SMEs. Cyber rules are expected to be part of that.


Euronews
13-02-2025
Most European countries far behind on critical cyber rules
Only seven of the EU's 27 countries have fully transposed cybersecurity rules for critical entities, months after an October deadline, a spokesperson for the European Commission said on Thursday.

The spokesperson told Euronews that Belgium, Italy, Croatia, Romania, Slovakia, Lithuania and Greece have the national rules in place, while six others – Latvia, Germany, Czechia, Austria, Denmark and Poland – have partly introduced the rules.

In October, only Belgium and Croatia were ready to apply the Network and Information Security Directive 2 (NIS2), which was approved back in 2022 with the aim of protecting critical entities, such as energy, transport, banking, water and digital infrastructures, against major cyber incidents.

During a debate in the European Parliament in Strasbourg on Thursday, European Commissioner Glenn Micallef – who is in charge of Intergenerational Fairness, Youth, Culture and Sport – urgently called on the member states to implement NIS2 so as to improve EU preparedness and resilience during hybrid crises - such as the recent attacks on undersea cables in the Baltic Sea.

He said the transposition and implementation of the NIS2 directive is 'still slow' as is that of the Critical Entities Resilience Directive, made to protect the functioning of essential services such as energy and transport. 'We continue to support member states and call on them to transpose both directives as soon as possible,' he added.

Infringement procedure

The Commission sent letters of formal notice in November, which is the first step in an infringement procedure. Countries had until late January to reply; the EU executive is now in the process of reviewing answers, and could decide to take further steps.

The government of the Netherlands, one of the countries that failed to meet the deadline, said in a letter to parliament earlier this week that the rules are expected to enter into force in the third quarter of 2025.

The Commission proposed NIS2, an overhaul of NIS1, with the aim of keeping up with increased digitisation and an evolving cybersecurity threat landscape. Companies need to issue a warning within 24 hours and deliver an incident report within 72 hours in case of incidents that cause serious operational disruptions. In case of non-compliance, companies face fines up to €10 million, or 2% of worldwide revenue, whichever is higher.