Most European countries far behind on critical cyber rules

Only seven of the EU's 27 countries have fully transposed cybersecurity rules for critical entities, months after an October deadline, a spokesperson for the European Commission said on Thursday. 

The spokesperson told Euronews that Belgium, Italy, Croatia, Romania, Slovakia, Lithuania and Greece have the national rules in place, while six others – Latvia, Germany, Czechia, Austria, Denmark and Poland – have partly introduced the rules. 

In October, only Belgium and Croatia were ready to apply the Network and Information Security Directive 2 (NIS2), which was approved back in 2022 with the aim to protect critical entities, such as energy, transport, banking, water and digital infrastructures, against major cyber incidents.

During a debate in the European Parliament in Strasbourg on Thursday, European Commissioner Glenn Micallef – who is in charge of intergenerational Fairness, Youth, Culture and Sport – called on the member states urgently to implement NIS2 as to improve EU preparedness and resilience during hybrid crises - such as the recent attacks on underseas cables in the Baltic Sea. 

He said the transposition and implementation of the NIS2 directive is “still slow” as is that of the Critical Entities Resilience Directive, made to protect the functioning of essential services such as energy and transport. “We continue to support member states and call on them to transpose both directives as soon as possible,” he added. 

Infringement procedure

The Commission sent letters of formal notice in November, which is the first step in an infringement procedure. Countries had until late January to reply, the EU executive is now in the process of reviewing answers, and could decide to take further steps.

The government of the Netherlands, one of the countries that failed to meet the deadline, said in a letter to parliament earlier this week that the rules are expected to enter into force in the third quarter of 2025.

The Commission proposed NIS2, an overhaul of NIS1, with the aim to keep up with increased digitisation and an evolving cybersecurity threat landscape. Companies need to issue a warning within 24 hours and deliver an incident report within 72 hours in case of incidents that cause serious operational disruptions.  

In case of non-compliance, companies face fines up to €10 million, or 2% of worldwide revenue, whichever is higher.