Search
Close this search box.
Search
Close this search box.

European Commission Initiates Infringement Procedures Against Cyprus and Other Member States on Cybersecurity Directives.

Brussels: A large number of member states, including Cyprus, have been given two months to transpose two crucial directives on cybersecurity and the protection of critical infrastructure into national law, following the expiration of the transposition deadline, as per a decision by the European Commission published on Thursday. This move is part of a special infringement package focusing on the lack of communication by member states regarding measures taken to implement EU directives into national law, initiating with the sending of formal notice letters to these states. This marks the initial stage in the EU’s infringement procedure, which could potentially lead to the Commission bringing the case before the Court of Justice of the EU.

According to Cyprus News Agency, the letters have been dispatched to member states yet to notify full transposition measures for two EU directives concerning the digital economy, migration, home affairs, and security union. Member states now have a two-month window to respond
to these formal notice letters and complete their transposition. Failing this, the Commission may proceed to issue a reasoned opinion, representing the second phase in the process, preceding the potential appeal to the Court of Justice.

Firstly, the Commission has initiated infringement procedures against 23 member states for their failure to fully transpose the NIS2 Directive (Directive 2022/2555), which seeks to ensure a high level of cybersecurity across the EU. Letters have been sent to countries including Bulgaria, Czechia, Denmark, Germany, Estonia, Ireland, Greece, Spain, France, Cyprus, Latvia, Luxembourg, Hungary, Malta, Netherlands, Austria, Poland, Portugal, Romania, Slovenia, Slovakia, Finland, and Sweden. The deadline for member states to transpose the NIS2 Directive into national law was 17 October 2024. This directive encompasses entities operating in critical sectors like public electronic communications services, ICT service management, digital services, wastewater and waste management, spac
e, health, energy, transport, manufacturing of critical products, postal and courier services, and public administration. The full implementation of this legislation is crucial for enhancing the resilience and incident response capabilities of public and private entities in these sectors, as well as for the EU overall, the Commission emphasizes.

Secondly, the Commission has commenced infringement procedures against 24 member states for not notifying national measures transposing the Directive (EU) 2022/2557 on the resilience of critical entities (CER Directive). These states include Belgium, Bulgaria, Czechia, Denmark, Germany, Greece, Spain, France, Croatia, Cyprus, Latvia, Lithuania, Luxembourg, Hungary, Malta, the Netherlands, Austria, Poland, Portugal, Romania, Slovenia, Slovakia, Finland, and Sweden. The CER Directive had to be transposed by 17 October 2024. It repeals the Council Directive (2008/114/EC) on the identification and designation of European critical infrastructures and the assessment of the
need to improve their protection. The new directive shifts focus from merely protecting critical infrastructure to enhancing the resilience of the entities operating that infrastructure, while broadening the sectoral scope from two to eleven sectors. This directive ensures the provision of essential services for society and the economy in key areas such as energy, transport, health, water, banking, and digital infrastructure by fortifying the resilience of critical infrastructure and entities against various threats, including natural hazards, terrorist attacks, insider threats, or sabotage.