EU countries miss cybersecurity deadline
-
EU member states agreed in 2016 to an EU directive aimed at prevent hackers disrupting essential public services (Photo: Santiago Zavala)
By Peter Teffer
European Union member states agreed in 2016 to take measures to prevent cyber attacks from disrupting essential services, like railway traffic control services or water suppliers.
However, a majority of EU member states missed the deadline to transpose the EU directive into national law.
Join EUobserver today
Become an expert on Europe
Get instant access to all articles — and 20 years of archives. 14-day free trial.
Choose your plan
... or subscribe as a group
Don't miss out on
Our exclusive news stories and investigations. Influential. Investigative. Independent.
Why join?
Watch our founder Lisbeth Kirk explain the reasons in this 30-second video.
Already a member?
Moreover, it is unclear to what extent a specific measure – concerning fines for breaking the new cybersecurity rules – has been implemented.
The 'directive concerning measures for a high common level of security of network and information systems across the union' – NIS directive for short – was adopted on 6 July 2016 after three years of negotiations.
Representatives of the EU's 28 national government unanimously approved the text.
However, some of those same governments now appear to have reneged on what they promised.
According to the directive, member states need to identify, before 9 November 2018, which organisations connected to the internet provide vital services to the public.
They also need to make sure that the operators of these so-called essential services do everything in their power to manage the risks of being hacked – and report to the authorities if there is a cybersecurity breach.
Member states were also required to tell the European Commission, by 9 May this year, how they would punish any infringements.
The same day, EUobserver filed an access to documents request, asking the EU executive which member states had complied with the penalties notification requirement.
As often, the EU directive has left it to member states themselves to determine the legal levels of penalties, which has repeatedly led to a patchwork of fines varying across the bloc.
In a reply sent earlier this month, the commission said that it had no list of which member states had submitted their respective potential penalties.
The commission did say that it had received "several submissions from member states comprising transposition measures in relation to the NIS directive".
However, it noted that the commission was still studying those submissions, and that it expected "to have a more complete overview of the penalty provisions by the end of 2018".
"At this stage, the commission services have not identified such penalty provisions in the transposing measures already notified," the commission said.
In progress
In addition to setting penalties, member states had a whole range of requirements to fulfil by 9 May. A majority has apparently still not done so, despite having had two years to prepare.
According to a commission-run website, last updated on 6 June, only eight EU states have fully transposed the directive into national law: the Czech Republic, Estonia, Finland, Germany, Italy, Slovakia, Slovenia, and the United Kingdom.
Denmark, France, Hungary, and Lithuania had "partially" transposed the directive, while transposition was "in progress" in the others.
On 19 July, the commission announced that it has sent warning letters to 17 EU member states, telling them to fully transpose the cybersecurity directive.
The countries are Austria, Bulgaria, Belgium, Croatia, Denmark, France, Greece, Hungary, Ireland, Latvia, Lithuania, Luxembourg, the Netherlands, Poland, Portugal, Romania, and Spain.
They have two months to respond.
This article was updated on 1 August to add that the European Commission had sent letters to 17 member states.
