The Commission calls on 23 Member States to fully transpose the NIS2 Directive

Today, the European Commission decided to open infringement procedures by sending a letter of formal notice to 23 Member States (Bulgaria, Czechia, Denmark, Germany, Estonia, Ireland, Greece, Spain, France, Cyprus, Latvia, Luxembourg, Hungary, Malta, Netherlands, Austria, Poland, Portugal, Romania, Slovenia, Slovakia, Finland and Sweden) for failing to fully transpose the NIS2 Directive (Directive 2022/2555).

GettyImages © solarseven

Member States had to transpose the NIS2 Directive into national law by 17 October 2024. The NIS2 Directive aims to ensure a high level of cybersecurity across the EU. It covers entities operating in critical sectors such as public electronic communications services, ICT service management, digital services, wastewater and waste management, space, health, energy, transport, manufacturing of critical products, postal and courier services, and public administration.

Full implementation of the legislation is key to further improving the resilience and incident response capacities of public and private entities operating in these critical sectors and the EU as a whole. The Commission is therefore sending letters of formal notice to the other 23 Member States concerned that now have two months to respond and to complete their transposition and notify their measures to the Commission. In the absence of a satisfactory response, the Commission may decide to issue a reasoned opinion.

Read more information:

• NIS2 Directive (2022/2555)
• NIS2 Directive - Policy page
• The Commission's cybersecurity policies

Related topics