Position on the European Commission’s consultation concerning the Inception Impact Assessment on Cybersecurity – review of EU rules on the security of network and information systems

Bundesverband der Deutschen Industrie e.V. / Federation of German Industries
EU Transparency Register: 1771817758-48
Version: 10th August 2020
www.bdi.eu
Feedback on Inception Impact Assessment NIS Directive
Strengthening cyber-resilience, creating a level playing field for operators of essential services

German industry welcomes the European Commission’s aim to significantly strengthen Europe's cyber-resilience and to create a level playing field for operators of essential services (OES) across the European Union. Cyber and IT security are the basis for a long-term secure digital transformation of the state, economy and society. All those involved – from hardware and software manufacturers to commercial operators, private users and government agencies – must be actively and holistically involved in strengthening cyber-resilience. German industry will continue to make its contribution to this, because a high degree of cyber-resilience is a basic prerequisite for the trouble-free functioning of highly digitalised processes in companies. German industry advocates a holistic, overlap-free, EU-wide harmonised regulatory framework on cybersecurity that finds the right balance between enhancing the EU’s cyber-resilience and avoiding over-regulation and unduly high burdens on European companies. Therefore, German industry calls on the European Commission to adopt at least option 3, i.e. targeted regulatory interventions and alterations to the NIS Directive, as outlined in the EU Commission’s document. However, when amending/revising the current NIS Directive, the EU Commission should work towards a holistic regulatory framework supporting Operators of Essential Services (OES) and Digital Service Providers (DSP) in constantly maintaining and increasing the cyber-resilience of their infrastructure and services. To this end, the EU Commission should also consider the interplay between cyber-resilient OES and DSP as well as cyber-resilient and trustworthy products, services, processes and systems.
Revising the NIS Directive: Towards enhanced EU-wide harmonisation of cybersecurity requirements

When introducing more harmonised elements in the process of identifying OES, as well as expanding the scope of the Directive with the aim to cover further sectors or services, the process should follow a risk-based and layered approach combined with an impact assessment of the potential implications for the competitiveness of European companies. The existing inconsistencies in applying the NIS Directive should not be addressed simply by extending these areas of application to all member states, as most of them stem from services only identified in some but not all of the member states. The NIS Directive deliberately provides a flexible framework for the identification of sectors of OES, allowing member states a certain degree of flexibility and allowing for national and sectoral specificities. A targeted regulatory intervention should, therefore, strive for an EU-wide harmonisation of cybersecurity regulations (incl. definitions of sectors falling under the scope of the NIS Directive). While harmonising the scope of the NIS is important, national authorities should nonetheless be provided with a certain leeway in the identification process so that national and sectoral specificities can be accommodated. The same considerations should apply in the context of a future alignment at EU level of the thresholds above which a company operating in an OES sector has to fulfil the requirements stipulated in the NIS Directive or in the national regulation implementing the NIS, respectively. The methodologies for identifying OES and setting the thresholds should be clear, transparent and comparable. Irrespective of whether the identification process is carried out by the competent authorities of the member state themselves or as part of a self-identification, it should be possible for the OES falling under the scope of the NIS to verify by themselves whether they meet the requirements. In addition, the NIS Directive should only introduce baseline requirements for all those areas and sectors that are not regulated yet. In areas and sectors which are already regulated, such as aviation security (cf. Implementing Regulation 2019/1583) and telco companies, the guidelines introduced by these sector-specific regulations should prevail over the NIS Directive, as these sector regulations take into account the specificities of the respective sector and are therefore better equipped to address its requirements.

Bundesverband der Deutschen Industrie e.V. / Federation of German Industries – Member association of BUSINESSEUROPE
Address: Breite Straße 29, 10178 Berlin; Postal Address: 11053 Berlin; Contact: Steven Heckler, T: +493020281523, F: +493020282523; Website: www.bdi.eu; E-Mail: S.Heckler@bdi.eu
In case of contradictions and overlaps, the sector-specific EU regulatory acts should be the relevant ones. This explicitly refers only to EU-wide regulations and not to any national sector-specific regulations that undermine the EU-wide level playing field (e.g. by lower standards). Moreover, in areas where a sector-specific regulation exists, the relevant competent authority should also be the competent authority responsible for the application of the NIS Directive. This would ensure that companies have one competent authority which applies a holistic approach. In addition, the NIS Directive should reference existing and to-be-established industry standards. Companies should be provided with sufficient leeway when deciding which standard they want to use.
Taking everything into account, the European Commission should promote an EU-wide level playing field for OES and DSP when it comes to the regulation of cybersecurity. Such a move would clearly be beneficial to the creation of a European Digital Single Market.

Current cybersecurity situation

A high degree of cyber-resilience is a basic prerequisite for the trouble-free functioning of highly digitised processes, networkable products and services. This is because the damage caused by cyber security incidents is tremendous, both in the private sector and in industry. Current estimates suggest that in 2021, the annual global costs emanating from cyber-crime and state-motivated cyber-attacks will amount to six trillion US dollars. This would be a doubling of the damage estimated for 2015. [1] These figures show that there is a close correlation between the increasing degree of connectivity and the expected level of damage caused by cyber security incidents. For German companies alone, the damage caused by cyber-attacks has been immense. In the past two years, sabotage, data theft and espionage have caused 205.7 billion euros of damage to German industry. [2] Over the same period of time, three quarters of all German companies have been confronted with digital or analogue types of data theft, industrial espionage or sabotage. Successful cyber-attacks – often entailing phishing or DDoS attacks or infection with various types of malware – have caused damage to seven out of ten companies over the past years. The damage to private households is much more difficult to quantify, as cybercrime is often unreported and the damage cannot always be directly linked to an incident.
The reasons for successful cyber-attacks are also extremely diverse and are by no means solely due to characteristics inherent to products (hardware and software): rather, careless handling of data, a lack of knowledge about potential attack vectors, as well as a lack of willingness to install updates, all significantly contribute to the success of the attacks. The potential threat of cyber-attacks is unlikely to diminish. Rather, as our daily lives are becoming smarter, i.e. more digital and thus more networked – the best-known buzzwords in this regard are Smart Home, Smart Mobility and Industry 4.0 – the potential target for cyber-criminals is growing immensely. According to current estimates, the number of networked objects worldwide is expected to rise to 125 billion by 2030. This compares to 27 billion networked objects in 2017. [3] By 2022, every German will have around 9.7 networked devices. [4] The advancing spread of digital technologies is creating a wide range of new opportunities, both for private as well as commercial user groups. However, digitalisation also poses numerous challenges with regard to safety and security, as well as privacy. These can result in additional risks for everyone’s health and safety, as well as for the environment, the economy and public safety at large. These risks can be countered by targeted technical, regulatory and behavioural measures (such as security-by-design). Through a targeted application of state-of-the-art measures to strengthen resilience, the remaining residual risks are kept within acceptable limits. Therefore, the European Union should adopt a holistic approach on cybersecurity.

[1] Cybersecurityventures. 2018. Cybercrime Damages $6 Trillion By 2021. URL: https://cybersecurityventures.com/cybercrimedamages-6-trillion-by-2021/ (Accessed: 3 July 2019)
[2] Bitkom. 2019. Wirtschaftsschutz in der digitalen Welt. URL: https://www.bitkom.org/sites/default/files/201911/bitkom_wirtschaftsschutz_2019_0.pdf

Germany’s go-alone: Towards an IT-Security Law 2.0

Germany’s current grand coalition agreed in their coalition agreement in 2018 on revising the German IT-Security Law. On May 7, 2020, the draft for the IT-Security Law 2.0 was leaked. Especially considering the EU Commission’s intention to review the EU’s Network and Information Security Directive by the end of 2020, German industry takes a rather critical view of the German go-alone. While unambiguous and supplier-neutral security requirements for 5G components are urgently needed, a national go-alone – as foreseen in the leaked draft of the IT-Security Law 2.0 – on new OES sectors, definitions of critical components, the introduction of the category “companies of special public interest” as well as a catalogue of fines should be avoided.
From German industry’s perspective, the following three aspects to be introduced by the German IT-Security Law should be considered when conducting the NIS review:

▪ New sectors of essential services / critical infrastructures: The German government is planning to introduce the new critical infrastructure sector “waste disposal”. The introduction of the new sector “waste disposal” does make sense, especially in view of the latest developments in the course of the corona pandemic. However, German industry would appreciate it if an extension of the scope of the OES / critical infrastructure was done at European level. When including “waste disposal” as an essential services sector, it would be of particular importance to distinguish between the different material flows.

▪ Companies of special public interest: The German government aims at introducing the new category “companies of special public interest”. This category includes three types of companies: (1) the armament industry and its suppliers, (2) companies of outstanding economic importance, and (3) companies as stated in the German Regulation on Hazardous Substances. These companies will inter alia be required to register with the German Cybersecurity Agency (BSI) and will have to inform BSI about cyber-attacks. German industry recommends refraining from a national introduction of the category “companies of special public interest”. The criteria according to which a company should fall into the category of “outstanding economic importance” cannot be derived from qualitative or quantitative criteria. This proposal would lead to further significant inconsistencies and fragmentation of the regulatory landscape in the EU, which may undermine the level playing field for some operators and lead to further fragmentation of the single market. Furthermore, the government’s proposal completely ignores that German companies are often integrated into European and international value chains. In addition, foreign suppliers would not fall under the scope of the regulation. Therefore, German industry calls on the EU Commission to discuss with the German government how such inconsistencies can be avoided. Both the EU Commission and the German government should strive for a level playing field that ensures that no company inside the single market encounters regulatory requirements that have negative repercussions for competition.

[3] IHS Markit. 2017. The Internet of Things: A movement not a market. URL: https://cdn.ihs.com/www/pdf/IoT_ebook.pdf
[4] CISCO. 2019. Visual Networking Index: Forecast Highlights Tool. URL: https://www.cisco.com/c/m/en_us/solutions/serviceprovider/vni-forecast-highlights.html#
▪ Disproportionate fines foreseen: The German IT-Security Law 2.0 foresees fines for non-compliance with certain requirements stipulated in the IT-Security Law 2.0, such as registration with the BSI, mirroring those introduced by the GDPR. These are completely disproportionate. Already the GDPR’s fines can lead to a company’s bankruptcy. While an OES failing to comply with the obligation to register with BSI could be confronted with fines of up to 10 million euros, a supplier of critical components for OES and DSP violating the trustworthiness declaration would not be subject to a fine. In addition, the German government’s proposed maximum level of fines (up to 20 million euros, or up to four per cent of total annual revenues), which could be imposed on a company not complying with the German IT-Security Law 2.0, would be significantly higher than those introduced by other EU member states. For example, the Spanish legal system only foresees fines of up to one million euros, and the Italian system even only fines of up to 150,000 euros. This comparison illustrates the need for introducing EU-wide comparable fines. These should not exceed the current maximum level applicable in Spain. The EU Commission should ensure that OES, DSP and operators of critical infrastructures are confronted with an EU-wide level playing field when it comes to maximum fines, since the current developments hamper the idea of a European Single Market with comparable competitive conditions across the European Union. Non-coordinated, individual national measures can result in enormous additional costs and thus competitive disadvantages for globally active companies. This would cause lasting damage to Germany as a business location. The long-term goal of European harmonisation in the field of IT security is made more difficult by the German government’s IT-Security Law 2.0. Therefore, the EU Commission should strive to work towards an EU-wide level playing field for OES and DSP when revising the NIS Directive.
Operators of Essential Services (OES)

Bearing the above-stated evaluation of the German government’s initiative for a second IT Security Law in mind, the Federation of German Industry urges the EU Commission to limit the extension of the sectors being characterised as “operators of essential services” (i.e. critical infrastructures) as far as possible. At the same time, EU member states should harmonise their understanding of who falls under such a definition as much as possible, thereby creating a level playing field for companies across Europe. In addition, new regulations should only address those sectors in which there are currently regulatory gaps, instead of highly regulated sectors like the telco providers and network operators. As the recent Covid-19 pandemic has demonstrated, the telco sector is well prepared to provide a high quality of service even in times of crisis, during which there is a significant increase in demand for telecommunication services.

The framework regulating OES should be clear and unambiguous, and the regulation itself should state directly which companies fall under the scope of such a definition and, hence, which do not.
Digital Service Providers (DSP)

Furthermore, the scope of the revised directive should be in accordance with the most serious threats for network and information security. In the case of OES, member states are allowed to impose stricter security and notification requirements than those enshrined in the current Directive. This does not, however, apply to DSP. German industry continues to favour a “light-touch” regulatory approach as the appropriate way forward concerning DSP, especially in light of their rapidly changing nature and connected potential for innovation.

Beyond critical infrastructures – Towards a holistic approach on cybersecurity: German industry’s 5 principles for regulating the cyber-resilience of products, services and systems

The strengthening of cyber-resilience in Europe can only succeed if legislators agree on a regulatory framework that provides companies with clear and unambiguous, mutually complementary, and ideally overlap-free requirements. Only regulations that adhere to these characteristics will enable companies to utilise internal processes in such a way as to ensure compliance with the respective regulatory framework(s). While the current NIS Directive has an exclusive focus on OES, i.e. infrastructures whose functioning is integral to modern life, should the European Commission aim to adopt a more holistic approach when reviewing the NIS Directive, German industry advocates the five principles outlined below. As cyber-resilient components are a prerequisite for the secure functioning of critical infrastructures, the interplay between company-related legislative acts (i.a. the NIS Directive) and product-related legislative acts (the EU Cybersecurity Act) needs to be accounted for. Consequently, any future EU directive or regulation concerning cybersecurity should go beyond critical infrastructures, OES and DSPs, and should rather address the interplay between products, services, systems and infrastructures as well.
When adopting such a holistic approach to regulating cybersecurity, the EU Commission should ensure that any future legislative act addressing the cyber-resilience of products, services and systems helps companies to offer and procure cyber-resilient products and services on the Single Market. Consequently, security-by-design, security-by-default, the regular checking of products and services for potential security gaps, as well as the provision (for a limited and pre-defined period of time) of security updates or operational support to maintain cyber-resilience should become core features of any product- and service-related cybersecurity regulation. Against this background, German industry recommends that the EU Commission observe the following five principles when drafting regulatory specifications for cyber security requirements which address the cyber-resilience of products, services and systems:

1. Ensure coherent legal requirements to strengthen Europe's cyber resilience while avoiding competitive disadvantages for European companies

Coherent legal requirements are the key to maintaining the competitiveness of German and European industry internationally. It is important to avoid hasty additions and extensions to legal requirements on cyber-resilience. Rather, an approach is required that takes into account that products, processes, services and systems often fall under more than one legislative act. Only content-wise coherent legal requirements can ensure that economic players can apply and fulfil the requirements applicable to their products, processes, services and systems. Specifications for production processes in particular should be congruent with those for products and services. Therefore:

▪ New legislative acts should only address those areas in which there are currently regulatory gaps.
▪ It is important to avoid introducing new legislative requirements for the same product, process, service or system, respectively.
▪ Legislative requirements should demand the current state of the art of technology and not a specific technological approach, as the latter would undermine innovation. Furthermore, internationally recognised standards have to be considered rather than reinventing the wheel in each jurisdiction.
▪ Where regulatory areas overlap, consistency of content of all requirements and clarity of responsibilities (of supervisors) should be ensured.
▪ Products and services are integrated into sometimes highly complex systems and, consequently, the interaction of seemingly clearly separate legislative acts must also be considered.
2. Give precedence to European over national unilateral regulatory approaches, in order not to endanger the success of the European Single Market

Cybersecurity is a global challenge. Consequently, national solo attempts are not effective – even if there may be a close and well networked national community in which quick agreements can be reached and good results achieved. Nevertheless, it is always important to develop cyber-safety-related requirements internationally, or at least on a European level. Only then can they achieve the necessary broad impact. The European single market is a successful model that must be continued – especially in the digital age. The Internal Market is a model for other markets and regularly sets benchmarks for product requirements and conformity assessment procedures that allow rapid market access and are innovation-friendly. Therefore, the BDI opposes regulatory fragmentation of the European internal market and special national approaches. Maintaining the cyber-resilience of products, processes, services and systems requires European regulatory efforts that are globally connectable.

3. Choose a risk-based approach to ensure adequate and effective protection

Protective measures and resilience against cyber-attacks must be geared to the likely application and, hence, the associated threat situation. Therefore, cyber security requirements should be raised to the same level as environment, health and safety requirements. In addition, the different application scenarios must be taken into account in European regulatory efforts. In addition, also in future, every form of regulation must provide companies with a certain leeway to develop their own solutions. In order to ensure that innovative solutions are implemented, cyber security regulations must therefore always be technology-open and flexible. Innovative solutions also require conformity assessment procedures that allow fast and cost-effective market access.
This also applies in connection with update obligations, which serve to maintain resilience against cyber-attacks. Legal requirements that exclude or require the use of certain technologies are already inadequate to meet the challenges of the analogue world. This is all the more true for the digital world. Static, technology-driven regulations would lead to a deterioration in the cyber resilience of products, services and systems.

4. Actively integrate European standardisation work, according to the principles of the New Legislative Framework (NLF)

Requirements for resilience to cyber-attacks must be constantly adapted to changing threat scenarios and intensities. Rigid legal provisions alone cannot accomplish that. Rather, standards and regulations must work hand-in-hand. The successful regulatory model of the European Union – the New Legislative Framework – with its established processes and with its high temporal efficiency is suitable for addressing the challenges posed by maintaining cyber security, while at the same time ensuring system coherence. Based on the model of vertical division of work between legislators and normative rule makers, the legally defined, general protection goals for products are turned into Europe-wide harmonised standards based on the currently recognised state of the art of technology. The resulting standards are practical and can therefore be effectively implemented by companies.

5. Actively involve all stakeholders – from hardware and software manufacturers to commercial operators and private users – to holistically strengthen the cyber resilience of products, processes, systems and services

Everyone has to make their own contribution to cyber security: this includes manufacturers, as well as private and commercial users. Any attempt to enhance the cyber resilience of products, processes, services and systems can only be achieved if everyone cooperates and if the respective measures are coordinated.
In addition, a coordinated approach must be made legally possible and put into practice. Through holistic cyber security strategies with efficient protective measures, the risk of cyber security incidents can be reduced and thus the cyber resilience of products, processes, services and systems can be strengthened holistically. The goal must be to avoid dangerous gaps and vulnerabilities, through rapid and appropriate measures, so that they cannot be exploited by potential attackers. Such a holistic approach is more than the sum of the individual measures of each player. Therefore, we should all strive for everyone to make their pre-defined contribution towards a coordinated overall result. In addition to industry, government agencies and private users are also called upon to contribute to strengthening and maintaining the cyber resilience of products and services:

▪ The public sector must also contribute to safeguarding the cyber-resilience of products and services. Therefore, it is essential that government agencies immediately inform companies of any security vulnerabilities they become aware of. The retention of such information can have far-reaching consequences in an increasingly networked society.
▪ Private users can support the cyber resilience of the products and services they use by installing updates and patches, as well as by adhering to the principles of cyber hygiene. Otherwise, industry's efforts, at least in the private user sector, will be futile.
About BDI

The BDI conveys the interests of German industry to the political decision-makers and in the process provides support for business enterprises engaged in global competition. The BDI has at its disposal a widely branching network in Germany and Europe, in all important markets and in international organisations. The BDI takes care of the political flanking of international market opening, and it offers information and economic policy consultations for all topics related to industry. The BDI is the umbrella organization of German industry and industry-related services. It speaks for 40 trade associations and more than 100,000 enterprises with around 8 million employees. Membership is voluntary. 15 organisations in the regional states represent the interests of industry at the regional level.

Imprint

Bundesverband der Deutschen Industrie e.V. (BDI)
Breite Straße 29, 10178 Berlin
www.bdi.eu
T: +49 30 2028-0

Contact
Steven Heckler
Senior Policy Manager
T: +49 30 2028-1523
s.heckler@bdi.eu

BDI Document Number: D 1215