All EU member states have been urged to implement the directive on a high common level of cybersecurity across the Union (NIS 2), so that the entire bloc is protected from cyberattacks. Cyprus is just a few months into full implementation, following non-compliance procedures.

However, until all 27 incorporate the NIS 2 directive, everyone remains vulnerable, the European Commission said.

Responding to questions during the midday briefing, Commission spokesperson Thomas Regnier said, “the Commission has been closely monitoring the cyberattack, both over the weekend and today [Monday], which has disrupted check-in and boarding systems at multiple airports. While passengers continue to face delays, air traffic safety and control remain unaffected.”

“On our side, I can confirm that the Commission is working with Eurocontrol, Enisa, national authorities, airports and airlines to restore operations and support affected passengers.”

Cyprus had previously faced EU infringement proceedings for delayed transposition, receiving a warning letter in November 2024 alongside 22 other states and a reasoned opinion in May 2025 with 19 others.

It has now fully incorporated NIS 2 into national law, according to updated Commission data as of September 22, 2025. The 12 compliant member states are Belgium, Croatia, Cyprus, Denmark, Greece, Italy, Latvia, Lithuania, Malta, Romania, Slovakia and Slovenia.