The European Commission is giving a large number of member states, including Cyprus, two months to transpose into national law two directives whose transposition deadline has recently expired, and which concern cyber security and the protection of critical infrastructures, according to an announcement made public on Thursday.
The special set of decisions, concerning the absence of notification by the Member States of the measures taken to transpose the EU directives into national law, entails the sending of a letter of warning, which is the first stage of the infringement procedure, a procedure that can end in an appeal to the Court of Justice of the EU.
In this case, the letters concern member states that have not yet notified full transposition measures for two EU directives in the areas of the digital economy and of migration, home affairs and security union.
Member states now have two months to respond to the warning letters and complete their transposition, otherwise the Commission may decide to issue a reasoned opinion, the second step in the process and the last before an appeal to the CJEU.
First, the Commission is launching infringement proceedings for the incomplete transposition of the NIS2 Directive (Directive 2022/2555), which aims to ensure a high level of cyber security across the EU. The procedures concern 23 Member States (Bulgaria, Czech Republic, Denmark, Germany, Estonia, Ireland, Greece, Spain, France, Cyprus, Latvia, Luxembourg, Hungary, Malta, Netherlands, Austria, Poland, Portugal, Romania, Slovenia, Slovakia, Finland and Sweden).
Member States had to transpose the NIS2 Directive into their national law by 17 October 2024. The Directive covers entities operating in critical sectors such as public electronic communications services, ICT service management, digital services, wastewater and waste management, space, health, energy, transport, critical goods manufacturing, postal and courier services and public administration.
Full implementation of the legislation is key to further improving the resilience and incident response capabilities of public and private actors operating in these critical sectors and the EU as a whole, it said.
Second, the Commission is launching infringement procedures against Member States for not notifying national measures transposing Directive (EU) 2022/2557 on the protection of critical infrastructure and the resilience of critical entities (CER Directive). The proceedings concern 24 Member States (Belgium, Bulgaria, Czech Republic, Denmark, Germany, Greece, Spain, France, Croatia, Cyprus, Latvia, Lithuania, Luxembourg, Hungary, Malta, the Netherlands, Austria, Poland, Portugal, Romania, Slovenia, Slovakia, Finland and Sweden).
Member States had to transpose the CER Directive into national law by 17 October 2024. The Directive repeals Council Directive 2008/114/EC on the identification and characterization of European critical infrastructure and the assessment of the need to improve their protection. The new directive shifts the approach from the protection of critical infrastructure to strengthening the resilience of the bodies that operate that infrastructure, while expanding the sectoral scope from 2 to 11 sectors.
The directive ensures the provision of vital services for society and the economy in key sectors such as energy, transport, health, water, banking and digital infrastructure, enhancing the resilience of critical infrastructure and critical entities against various threats, including natural hazards, terrorist attacks, insider threats or sabotage.
Source: KYPE