Filenews 28 November 2024
The European Commission has given a large number of member states, including Cyprus, two months to transpose two directives whose transposition deadline has recently expired, on cybersecurity and the protection of critical infrastructure, according to a statement released on Thursday.
The specific set of decisions, concerning the failure by Member States to notify measures taken to transpose EU directives, entails sending a letter of formal notice, which is the first step in infringement proceedings that can even lead to recourse to the Court of Justice of the EU.
In this case, the letters concern Member States that have not yet notified full transposition measures for two EU directives in the area of the digital economy and migration, home affairs and security union.
Member States now have two months to reply to the letters of formal notice and complete their transposition, otherwise the Commission may decide to issue a reasoned opinion, the second step in the procedure and the last before recourse to the CJEU.
First, the Commission is launching infringement procedures for failing to fully transpose the NIS2 Directive (Directive 2022/2555) into national law, which aims to ensure a high level of cybersecurity across the EU. The proceedings concern 23 Member States (Bulgaria, Czechia, Denmark, Germany, Estonia, Ireland, Greece, Spain, France, Cyprus, Latvia, Luxembourg, Hungary, Malta, the Netherlands, Austria, Poland, Portugal, Romania, Slovenia, Slovakia, Finland and Sweden).
Member States had to transpose the NIS2 Directive into national law by 17 October 2024. The directive covers entities operating in critical sectors such as public electronic communications services, ICT service management, digital services, wastewater and waste management, space, health, energy, transport, manufacturing of critical products, postal and courier services and public administration.
Full implementation of the legislation is key to further improving the resilience and incident response capacities of public and private actors active in these critical sectors and of the EU as a whole.
Second, the Commission is launching infringement procedures against Member States for failing to communicate national measures transposing Directive(EU) 2022/2557 on critical infrastructure protection and the resilience of critical entities (CER Directive). The proceedings concern 24 Member States, Belgium, Bulgaria, Czechia, Denmark, Germany, Greece, Spain, France, Croatia, Cyprus, Latvia, Lithuania, Luxembourg, Hungary, Malta, the Netherlands, Austria, Poland, Portugal, Romania, Slovenia, Slovakia, Finland and Sweden.
Member States had to transpose the CER Directive into national law by 17 October 2024. The Directive repeals the Council Directive (2008/114/EC) on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection. The new Directive shifts the approach from critical infrastructure protection to strengthening the resilience of operators of critical infrastructure, while broadening the sectoral scope from 2 to 11 sectors.
The Directive ensures the provision of vital services for society and the economy in key sectors such as energy, transport, health, water, banking and digital infrastructure, strengthening the resilience of critical infrastructure and critical entities against various threats, including natural hazards, terrorist attacks, insider threats or sabotage.
CNA
