Tuesday

17th Sep 2019

Focus

EU countries miss cybersecurity deadline

  • EU member states agreed in 2016 to an EU directive aimed at prevent hackers disrupting essential public services (Photo: Santiago Zavala)

European Union member states agreed in 2016 to take measures to prevent cyber attacks from disrupting essential services, like railway traffic control services or water suppliers.

However, a majority of EU member states missed the deadline to transpose the EU directive into national law.

Read and decide

Join EUobserver today

Support quality EU news

Get instant access to all articles — and 18 year's of archives. 30 days free trial.

... or join as a group

Moreover, it is unclear to what extent a specific measure – concerning fines for breaking the new cybersecurity rules – has been implemented.

The 'directive concerning measures for a high common level of security of network and information systems across the union' – NIS directive for short – was adopted on 6 July 2016 after three years of negotiations.

Representatives of the EU's 28 national government unanimously approved the text.

However, some of those same governments now appear to have reneged on what they promised.

According to the directive, member states need to identify, before 9 November 2018, which organisations connected to the internet provide vital services to the public.

They also need to make sure that the operators of these so-called essential services do everything in their power to manage the risks of being hacked – and report to the authorities if there is a cybersecurity breach.

Member states were also required to tell the European Commission, by 9 May this year, how they would punish any infringements.

The same day, EUobserver filed an access to documents request, asking the EU executive which member states had complied with the penalties notification requirement.

As often, the EU directive has left it to member states themselves to determine the legal levels of penalties, which has repeatedly led to a patchwork of fines varying across the bloc.

In a reply sent earlier this month, the commission said that it had no list of which member states had submitted their respective potential penalties.

The commission did say that it had received "several submissions from member states comprising transposition measures in relation to the NIS directive".

However, it noted that the commission was still studying those submissions, and that it expected "to have a more complete overview of the penalty provisions by the end of 2018".

"At this stage, the commission services have not identified such penalty provisions in the transposing measures already notified," the commission said.

In progress

In addition to setting penalties, member states had a whole range of requirements to fulfil by 9 May. A majority has apparently still not done so, despite having had two years to prepare.

According to a commission-run website, last updated on 6 June, only eight EU states have fully transposed the directive into national law: the Czech Republic, Estonia, Finland, Germany, Italy, Slovakia, Slovenia, and the United Kingdom.

Denmark, France, Hungary, and Lithuania had "partially" transposed the directive, while transposition was "in progress" in the others.

On 19 July, the commission announced that it has sent warning letters to 17 EU member states, telling them to fully transpose the cybersecurity directive.

The countries are Austria, Bulgaria, Belgium, Croatia, Denmark, France, Greece, Hungary, Ireland, Latvia, Lithuania, Luxembourg, the Netherlands, Poland, Portugal, Romania, and Spain.

They have two months to respond.

This article was updated on 1 August to add that the European Commission had sent letters to 17 member states.

Interview

Greece keen to keep EU cybersecurity agency

Greek official welcomed proposal to give the agency a bigger role, downplayed its kitchen sink problems, and said he was himself the victim of a computer virus.

EU to beef up cybersecurity agency

The Commission's president proposed to set up a European Cybersecurity Agency. The EU already has an agency for Network and Information Security.

EU agency to fight election hacking

A new-model EU cybersecurity agency could help states defend their elections against "hybrid attacks", the Commission has said.

News in Brief

  1. Von der Leyen defends 'way of life' slogan
  2. Court hears case on UK's pre-Brexit parliament shutdown
  3. Nato rings alarm on Gulf 'escalation'
  4. Luxembourg mockery of British leader sparks 'anger'
  5. Majority of Belgians against excluding Vlaams Belang
  6. Greece: time for EU to step up on migration
  7. Germany prepared to top up post-Brexit EU budget
  8. New Saudi attack threats, but EU and US still divided

Are EU data watchdogs staffed for GDPR?

The success of the new general data protection regulation (GDPR) will depend on whether data protection authorities enforce the new rules - which, in turn, will be at least partly determined by how many people they employ.

Eight countries to miss EU data protection deadline

The EU starts enforcing its general data protection regulation on 25 May - but Belgium, Bulgaria, Cyprus, Czech Republic, Greece, Hungary, Lithuania and Slovenia won't be ready. The delay will cause legal uncertainty.

Stakeholders' Highlights

  1. Nordic Council of MinistersNew programme studies infectious diseases and antibiotic resistance
  2. UNESDAUNESDA reduces added sugars 11.9% between 2015-2017
  3. International Partnership for Human RightsEU-Uzbekistan Human Rights Dialogue: EU to raise key fundamental rights issues
  4. Nordic Council of MinistersNo evidence that social media are harmful to young people
  5. Nordic Council of MinistersCanada to host the joint Nordic cultural initiative 2021
  6. Vote for the EU Sutainable Energy AwardsCast your vote for your favourite EUSEW Award finalist. You choose the winner of 2019 Citizen’s Award.
  7. Nordic Council of MinistersEducation gets refugees into work
  8. Counter BalanceSign the petition to help reform the EU’s Bank
  9. UNICEFChild rights organisations encourage candidates for EU elections to become Child Rights Champions
  10. UNESDAUNESDA Outlines 2019-2024 Aspirations: Sustainability, Responsibility, Competitiveness
  11. Counter BalanceRecord citizens’ input to EU bank’s consultation calls on EIB to abandon fossil fuels
  12. International Partnership for Human RightsAnnual EU-Turkmenistan Human Rights Dialogue takes place in Ashgabat

Latest News

  1. Hungary claims EU 'witch-hunt' over rule of law hearing
  2. Trumpworld In Europe
  3. How EU firms and banks help fund Amazon fires
  4. Amazon fires mean EP must rethink Mercosur trade deal
  5. EU must give full support to Ukraine to dissuade Kremlin
  6. EU divided on how to protect rule of law
  7. Nordic region to become world's most sustainable and integrated
  8. In detail: Belgium's EU nominee faces crime probe

Stakeholders' Highlights

  1. Nordic Council of MinistersNew campaign: spot, capture and share Traces of North
  2. Nordic Council of MinistersLeading Nordic candidates go head-to-head in EU election debate
  3. Nordic Council of MinistersNew Secretary General: Nordic co-operation must benefit everybody
  4. Platform for Peace and JusticeMEP Kati Piri: “Our red line on Turkey has been crossed”
  5. UNICEF2018 deadliest year yet for children in Syria as war enters 9th year
  6. Nordic Council of MinistersNordic commitment to driving global gender equality
  7. International Partnership for Human RightsMeet your defender: Rasul Jafarov leading human rights defender from Azerbaijan
  8. UNICEFUNICEF Hosts MEPs in Jordan Ahead of Brussels Conference on the Future of Syria
  9. Nordic Council of MinistersNordic talks on parental leave at the UN
  10. International Partnership for Human RightsTrial of Chechen prisoner of conscience and human rights activist Oyub Titiev continues.
  11. Nordic Council of MinistersNordic food policy inspires India to be a sustainable superpower
  12. Nordic Council of MinistersMilestone for Nordic-Baltic e-ID

Join EUobserver

Support quality EU news

Join us