The Commission decided today to send a letter of formal notice to 17 Member States to fully transpose into national laws the first piece of EU-wide legislation on cybersecurity. This decision affects the following Member States: Austria, Bulgaria, Belgium, Croatia, Denmark, France, Greece, Hungary, Ireland, Latvia, Lithuania, Luxembourg, the Netherlands, Poland, Portugal, Romania, and Spain.

The objective of the Directive on Security of Network and Information Systems (NIS Directive; Directive 2016/1148/EU) is to achieve evenly high level of security of network and information systems across the EU through the development of national cybersecurity capabilities, increasing EU-level cooperation and incident reporting obligations for operators of essential services and digital service providers. Member States had to transpose the NIS Directive into national laws by 9 May 2018 as it entered into force in August 2016. So far 11 Member States have notified the European Commission of the full transposition of the Directive and are in the process of a transposition check with a view to confirm the full transposition. The other Member States have two months to respond to the formal notice sent by the Commission; otherwise, the Commission may decide to send a reasoned opinion.