The European Commission has issued warnings to seventeen European Union countries because they missed a deadline to adopt an EU directive aimed at boosting cybersecurity and fighting cyberattacks. The directive is designed to ensure the security of digital networks. The warning letters tell the countries to speed their adoption of the directive on the security of network and information systems, known as the NIS Directive, 2016/1148/EU. The missed deadline was May 9.
The NIS Directive requires authorities in EU countries to take steps to ensure the protection of vital economic activities against cyberattacks. Countries must list operators of essential services in sectors including energy, utilities, banking, transportation, and health care, and require them to take cybersecurity precautions and notify the authorities of cyberattacks. The directive also covers search engines, cloud computing services, and online marketplaces, where a cyberattack could potentially affect a large number of users.
The warnings sent to countries on July 19 are the first step in proceedings that could end up in the EU Court of Justice. EU countries that fail to put in place the bloc’s laws could be fined, but the great majority of cases are resolved after warnings. EU countries face another deadline of November 9 under the NIS Directive, when they must list companies that would be required to report cyberattacks. The countries targeted by the European Commission's July 19 warning letters were Austria, Bulgaria, Belgium, Croatia, Denmark, France, Greece, Hungary, Ireland, Latvia, Lithuania, Luxembourg, the Netherlands, Poland, Portugal, Romania and Spain. These countries have two months to respond or face further proceedings.