The European Commission has launched “infringement procedures” against a majority of its member states for failing to meet an October deadline to enact EU cyber security regulations. The regulations come in two packages: the NIS2 Directive, aimed at enhancing cyber security, and the Critical Entities Resilience (CER) Directive, focused on safeguarding critical infrastructure.
“The Commission is sending a letter of formal notice to those Member States who have failed to notify national measures transposing (cyber security regulation) directives, whose transposition deadline expired recently. In this case, there are 26 Member States who have not yet notified full transposition measures for two EU directives in the field of digital economy and migration, home affairs and security union. Member States concerned now have two months to reply to the letters of formal notice and complete their transposition, or the Commission may decide to issue a reasoned opinion,” according to this EU press release.
We’ve reported on the forthcoming regulations, including in June when risk management company Bitsight announced new products and services to help enterprises comply with the regulations.
NIS2 Directive
The NIS2 Directive (Directive 2022/2555) aims to strengthen the EU’s cyber security framework, expanding its scope to include sectors such as public electronic communications, digital services, energy, health and transport. With an emphasis on risk management and system resilience, it aims to create a harmonized cybersecurity landscape across the Union.
Critical infrastructure is the focus of the CER Directive (Directive 2022/2557), which addresses physical and operational resilience in sectors such as energy, transport, health, and digital infrastructure, with the goal of ensuring they can withstand crises ranging from natural disasters to terrorism and cyberattacks.
Six Countries
Reports indicate only six countries have incorporated the NIS2 regulations into their legal systems. They are Belgium, Croatia, Greece, Hungary, Latvia and Lithuania.
The bureaucratic wrangling is likely confusing for cyber insurance providers and companies. The latter will face fines of millions of dollars for failing to comply with the regulations when they are in full effect.