Policy Paper on EU Commission proposal for a NIS 2-Directive


POSITION | CYBERSECURITY | EUROPEAN LEGISLATION

NIS 2-Directive

German industry’s position on the EU Commission’s proposal for a Directive on measures for a high common level of cybersecurity across the Union, repealing Directive (EU) 2016/1148

March 2021

Executive Summary

German industry welcomes the European Commission’s aim to significantly strengthen Europe's cyber-resilience and to create a level playing field for essential and important entities across the European Union. Cyber and IT security are the basis for a long-term secure digital transformation of the state, economy and society. All those involved – from hardware and software manufacturers to commercial operators, private users and government agencies – must be actively and holistically involved in strengthening cyber-resilience. German industry will continue to make its contribution to this, because a high degree of cyber-resilience is a basic prerequisite for the trouble-free functioning of highly digitalised processes in companies.

While the EU Commission’s proposal strikes a good balance between targeted regulatory interventions and strengthening the EU’s cyber-resilience holistically, German industry proposes the following changes to the proposal for a NIS 2-Directive:

Encryption (Number 54)

Policy makers should refrain from measures that could weaken encryption. We strictly oppose any technical solutions, such as backdoors or master keys, as their mere existence would weaken encryption in the EU. Europe needs not fewer, but more trustworthy IT solutions to swiftly implement the digital transformation in administration, industry and society. To this end, European legislators should be proponents of strong encryption.

List of Essential and Important Entities (Annex I and II in conjunction with Article 2)

German industry recognises the necessity to broaden the scope of the NIS 2-Directive. However, the European Commission should focus more on a company’s criticality for a supply chain rather than on the size of an entity, and additionally should focus on those business units of a company that are paramount for operational continuity. While we appreciate the exemptions for micro and small enterprises, most medium-sized enterprises should be excluded from the scope as well, at least if they are not suppliers in critical supply chains.

Coordinated vulnerability disclosure and European vulnerability registry (Article 6)

German industry appreciates the European Commission’s approach to holistically address cyber-resilience and thereby also pay closer attention to the cyber-resilience of products and services. The European Union should institutionalise coordinated vulnerability disclosure based on international industrial / de-facto standards, such as CVE, introduced in 1999.

Steven Heckler | Digitalisation and Innovation | T: +49 30 2028-1523 | S.Heckler@bdi.eu | www.bdi.eu



Report on the state of cybersecurity in the Union (Article 15)

ENISA should refrain from publishing a biennial report that includes mainly general information. Rather, ENISA should publish up-to-date information on cybersecurity incidents online. A daily updated, holistic situation picture as well as daily updated, sector-specific warnings would help essential and important entities to protect their companies.

Management bodies of Essential and Important Entities (Article 17)

BDI recognises that management bodies are responsible for the cybersecurity strategy of an entity. If mandatory IT security training is regarded as necessary for members of management bodies, the EU should publish EU-wide applicable information on what constitutes “sufficient knowledge and skills” and should provide funding for the dissemination of cybersecurity knowledge, especially for SMEs. A definition of management bodies is required.

Cybersecurity risk management measures (Article 18)

The EU Commission and national governments must ensure that IT security personnel can focus on IT security rather than on bureaucracy, i.e. registering and reporting. We call on the co-legislators to introduce cybersecurity risk management measures that provide a high degree of legal certainty for essential and important entities, and to provide funding for initial risk management analysis, especially for SMEs.

EU coordinated risk assessments of critical supply chains (Article 19)

Based on the experience of the EU’s coordinated risk assessment on 5G, we welcome the proposal to conduct risk assessments of critical supply chains. However, measures based on such an analysis must be proportionate and foresee a sufficient implementation period.

Reporting obligations (Article 20)

Essential and important entities only benefit from reporting obligations if there is an institution that systematically classifies the threats, organises the automatic distribution of the threat information to participating parties, maintains strategic threat intelligence information, and reports on current trends. Entities require an efficient reporting channel, at least 72 hours for reporting an incident, and should only hand in a final report once they have finished the forensic analysis and taken the measures necessary to ensure business continuity.

Use of European cybersecurity certification schemes (Article 21)

Instead of mandatory certification of ICT products based on EU CSA schemes, the European Commission should publish horizontal cybersecurity requirements based on the New Legislative Framework, which are then specified by European harmonised standards.

Registry for essential and important entities (Article 25)

We welcome an EU-wide registry for essential and important entities. However, the EU’s proposal will augment the administrative burden for these entities, as they already have to register at national level. Therefore, entities should only have to register once, and ENISA should exchange the respective data with national competent authorities.

General conditions for imposing administrative fines (Article 31)

The introduction of administrative fines is justified. However, the maximum level of fines should be no higher than two million Euros, without reference to annual turnover.




Table of Content

Executive Summary  1
The EU’s Cybersecurity Strategy 2020: Current cybersecurity situation requires holistic approach  4
In detail discussion of selected Articles from the EU Commission’s proposal for a NIS 2-Directive  5
  Encryption (Number 54)  5
  Scope: List of essential and important entities (Annex I and II) in conjunction with the exemptions for Micro and Small Enterprises stipulated in Article 2 n° 2  6
  Minimum harmonisation (Article 3)  10
  Definitions (Article 4)  10
  Coordinated vulnerability disclosure and a European vulnerability registry (Article 6)  11
  National cybersecurity crisis management frameworks (Article 7)  12
  Requirements and tasks of CSIRTs (Article 10)  13
  Report on the state of cybersecurity in the Union (Article 15)  13
  Management bodies of Essential and Important Entities (Article 17)  13
  Cybersecurity risk management measures (Article 18)  14
  EU coordinated risk assessments of critical supply chains (Article 19)  15
  Reporting obligations (Article 20)  16
  Use of European cybersecurity certification schemes (Article 21)  17
  Standardisation (Article 22)  19
  Jurisdiction and territoriality (Article 24)  19
  Registry for essential and important entities (Article 25)  20
  Cybersecurity information-sharing arrangements (Article 26)  21
  Voluntary notification of relevant information (Article 27)  21
  Supervision and enforcement for essential entities (Article 29)  22
  Supervision and enforcement for important entities (Article 30)  23
  General conditions for imposing administrative fines on essential and important entities (Article 31)  23
  Review (Article 35)  24
Imprint  25




The EU’s Cybersecurity Strategy 2020: Current cybersecurity situation requires holistic approach

A high degree of cyber-resilience is a prerequisite for the effective functioning of highly digitised processes, networkable products and services. This is because the damage caused by cybersecurity incidents is tremendous, both in the private sector and in industry. Current estimates suggest that in 2021, the annual global costs emanating from cybercrime and state-motivated cyberattacks will amount to six trillion US dollars. This would be a doubling of the damage estimated for 2015. [1] Both companies and households are targeted by cybercriminals. In the past two years, sabotage, data theft and espionage are estimated to have caused 200 billion Euro of damage to German industry alone. [2] Seven out of ten German companies experienced a cyberattack – often entailing phishing, DDoS attacks or infection with various types of malware – causing damage to their business operations over the past years. The damage to private households is much more difficult to quantify, as cybercrime is often unreported and the damage cannot always be directly linked to an incident. The reasons for successful cyberattacks are also extremely diverse and are by no means solely due to characteristics inherent to products (hardware and software): rather, careless handling of data, a lack of knowledge about potential attack vectors, and a lack of willingness to install updates all significantly contribute to the success of cybercriminals.

The potential threat of cyberattacks is unlikely to diminish. As our daily lives are becoming smarter, i.e. more digital and thus more networked, the potential target for cybercriminals is growing immensely. According to current estimates, the number of networked objects worldwide is expected to rise to 125 billion by 2030. This compares to 27 billion networked objects in 2017. [3] By 2022, every German will have around 9.7 networked devices. [4] The advancing spread of digital technologies is creating a wide range of new opportunities, both for private as well as commercial user groups, while simultaneously posing new attack vectors that can potentially be exploited by criminals.

Therefore, German industry welcomes the EU Commission’s holistic approach adopted in the EU’s Cybersecurity Strategy 2020. Hence, the NIS 2-Directive [5] can only be a first step towards enhancing the EU-wide level of cyber-resilience. It should be swiftly accompanied by horizontal cybersecurity requirements based on the New Legislative Framework. To this end, we appreciate the European Commission’s announcement of introducing cybersecurity requirements for IoT devices outside the NIS 2-Directive. Together with DIN and DKE, the Federation of German Industries developed a proposal of how the cyber-resilience of products and services could be strengthened. [6] At the same time, it remains of utmost importance that governments refrain from holding back knowledge concerning vulnerabilities or from calling for measures that will weaken encryption.

[1] Cybersecurity Ventures. 2018. Cybercrime Damages $6 Trillion By 2021. URL: https://cybersecurityventures.com/cybercrimedamages-6-trillion-by-2021/
[2] Bitkom. 2019. Wirtschaftsschutz in der digitalen Welt. URL: https://www.bitkom.org/sites/default/files/201911/bitkom_wirtschaftsschutz_2019_0.pdf
[3] IHS Markit. 2017. The Internet of Things: A movement not a market. URL: https://cdn.ihs.com/www/pdf/IoT_ebook.pdf
[4] CISCO. 2019. Visual Networking Index: Forecast Highlights Tool. URL: https://www.cisco.com/c/m/en_us/solutions/serviceprovider/vni-forecast-highlights.html#
[5] Cf. Eur-Lex. 2020. Proposal for a DIRECTIVE OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on measures for a high common level of cybersecurity across the Union, repealing Directive (EU) 2016/1148 (COM/2020/823 final). URL: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A52020PC0823
[6] Cf. BDI, DIN, DKE. 2021. EU-wide Cybersecurity Requirements. URL: https://english.bdi.eu/publication/news/eu-wide-cybersecurity-requirements/



In detail discussion of selected Articles from the EU Commission’s proposal for a NIS 2-Directive

Ensuring a high degree of cyber-resilience across the European Union is of outstanding importance in light of the increasing interlinkages between sectors and actors, and along supply chains. Therefore, German industry regards the EU Commission’s proposal for repealing Directive (EU) 2016/1148 and proposing a Directive on measures for a high common level of cybersecurity across the Union (NIS 2-Directive) as an important step. However, the European legislator has to strike the right balance between a high degree of cyber-resilience and companies’ abilities to fulfil the cybersecurity risk mitigating measures proposed in the draft NIS 2-Directive. On the following pages, German industry discusses several important dimensions of the EU Commission’s proposal for a NIS 2-Directive and calls on the EU Commission, the European Parliament and Member States to consider these remarks during the legislative process.

Encryption (Number 54)

Summary of legislative proposal: The European Commission emphasises the need to promote the usage of end-to-end encryption, which shall be obligatory for entities. Solutions for lawful access to end-to-end encrypted information shall maintain the effectiveness of such measures, while providing possibilities for public authorities to gain access to such information for criminal investigations.

BDI’s position: Cryptographic methods (e.g. end-to-end cryptography) strengthen trust in digital communication tools such as e-mails and messenger services. To protect companies from industrial espionage by third countries and citizens from cybercriminals, the EU should support the advancement and utilisation of cryptographic methods. German industry calls on the European Commission, the European Parliament and the EU Member States to promote encryption without demanding any measures that could weaken cryptographic procedures.
While German industry recognises that competent authorities need access to electronic evidence in order to conduct successful investigations and thereby bring criminals to justice, but also to protect victims and help ensure security, national authorities must also see the potential downsides that a weakening of encryption can have for Europe’s digital sovereignty. Moreover, weakening encryption in Europe could set a precedent for authoritarian regimes. Therefore, German industry urges policy makers to refrain from any measure that could weaken encryption. We strictly oppose any technical solutions, such as backdoors or master keys, as their mere existence would weaken encryption in the EU. Europe needs not fewer, but more trustworthy IT solutions to reap the benefits of the digital transformation in administration, industry and society. To this end, European legislators should be proponents of strong encryption and should increasingly promote the development of post-quantum cryptography procedures to accommodate future requirements for secure communication.

Proposed changes to the legislative text: In order to safeguard the security of electronic communications networks and services, the use of encryption, and in particular end-to-end encryption, should be promoted and, where necessary, should be mandatory for providers of such services and networks in accordance with the principles of security and privacy by default and by design for the purposes of Article 18. Authorities across all Member States should promote the utilisation of cryptographic processes in order to ensure Europe’s digital sovereignty and digital transformation. By promoting encryption, the EU will set a positive role-model for other parts of the world. The use of end-to-end encryption should be reconciled with the Member States’ powers to ensure the protection of their essential security interests and public security, and to permit the investigation, detection and prosecution of criminal offences in compliance with Union law. Solutions for lawful access to information in end-to-end encrypted communications should maintain the effectiveness of encryption in protecting privacy and security of communications, while providing an effective response to crime.

Scope: List of essential and important entities (Annex I and II) in conjunction with the exemptions for Micro and Small Enterprises stipulated in Article 2 n° 2

Summary of legislative proposal: The scope of the NIS 2-Directive will be broader than the scope of Directive (EU) 2016/1148. The scope extends both to essential entities (Annex I), i.e. certain entities active in the sectors energy (electricity, district heating and cooling, oil, gas, hydrogen), transport (air, rail, water, road), banking, financial market infrastructures, health, drinking water, waste water, digital infrastructure, public administration and space, and to important entities (Annex II), i.e. entities active in the sectors postal and courier services, waste management, manufacture, production and distribution of chemicals, food production, processing and distribution, manufacturing of (a) medical devices and in vitro diagnostic medical devices, (b) computer, (c) electronic and optical products, (d) electrical equipment, (e) machinery and equipment, (f) motor vehicles, trailers and semi-trailers and (g) transport equipment, digital providers, online marketplaces, online search engines, and social networking services platforms.
Most micro and small entities, except those listed by Member States, are exempt from the Directive.

BDI’s position: In order to enhance Europe’s cyber-resilience holistically, it seems justified to broaden the scope of the Directive, in particular in light of the severe cyberattacks witnessed in recent months. However, the European Commission has to specify in greater detail the Directive’s protection goal and subsequently adjust the NIS 2-Directive’s scope accordingly. During the legislative process, the EU Commission, the European Parliament and Member States’ governments should consider the following points:

- More entities will fall under the scope than the EU Commission’s estimations suggest: According to the EU Commission’s Impact Assessment, 110,000 entities, of which 43,000 are important entities, will fall under the Directive’s scope. As all entities in the sectors classified as “essential” or “important” and employing at least 50 people or having an annual turnover of at least 10 Mio. Euro will fall under the scope of the Directive, we assume the figure to be significantly higher. When only considering four out of six sectors which will be defined as “important entities”, already more than 11,600 German companies would classify as “important entities” (cf. Table 1).

- Adapting the size cap to exclude SMEs from the Directive’s scope by adopting a risk-based approach: We welcome the exemptions for micro and small enterprises as these often do not have the necessary financial means and capacities to fulfil the far-reaching obligations stipulated in the NIS 2-Directive. However, we expect that especially smaller SMEs (50 – 100 employees), which do not fall under the “size cap”, as they have 50 or more employees or an annual turnover of more than 10 Mio. Euro, will have problems meeting the far-reaching risk management measures and reporting obligations. Therefore, we call on the co-legislators to exempt all SMEs according to Commission Recommendation 2003/361/EC from the scope of the Directive, i.e. all companies – at least those operating in sectors classified as “important” – with ≤ 250 employees or an annual turnover of less than 50 Mio. Euro. An exemption to this exclusion shall apply for SMEs that supply critical hardware and software solutions to essential entities or that can be defined as “critical” in supply chains in any other regard. This adaptation would ensure that the NIS 2-Directive follows a functional risk-based approach and strengthens the EU’s cyber-resilience without putting unacceptably high burdens on smaller entities.

- Enhancing SMEs’ cybersecurity capabilities: National competent authorities should empower micro, small and medium enterprises in upgrading their cybersecurity capacities, as such entities are often the target of cybercriminals. A cooperative approach which focuses on empowerment, fostering awareness, and increasing cybersecurity skills would help to significantly improve the EU-wide cyber-resilience of enterprises without introducing far-reaching, costly legal obligations.

- Differentiating between essential and important entities: The current proposal does not sufficiently distinguish between essential and important entities and the respective requirements they have to fulfil. According to the current proposal, both essential and important entities will have to implement the same measures regardless of their potential risk or criticality. German industry advocates a risk-based approach that urges all companies to ensure a level of cyber-resilience adequate to their potential risk for society and within supply chains.

- Focusing on concrete business processes and the criticality of a company: By following a company rather than a plant focus, the EU Commission seems to aspire to protect the operational continuity of factories, the operational continuity of administrative and sales processes, know-how and trade secrets, as well as the reliability/quality of products. In their joint letter, the heads of state of Denmark, Estonia, Finland and Germany urge the European Commission to “identify systems of critical technologies and strategic sectors” [7]. German industry supports this approach. Companies should not be included in the Directive’s scope solely based on NACE sectors or their size, but rather according to a product’s or service’s importance for the supply chain and an enterprise’s criticality for society. Otherwise, a huge number of companies will compete for the very few IT security specialists available on the market. This would result in exorbitant costs for basic cybersecurity measures. Hence, especially smaller entities would have difficulties paying for IT security expertise. This, however, has the potential to weaken rather than strengthen Europe’s cyber-resilience.

- Harmonising the scope of the NIS 2 and the CER Directive with regard to essential/critical entities: German industry welcomes the European Commission’s approach to address cyber- and non-cyber-related concerns surrounding essential entities by simultaneously proposing the NIS 2-Directive and the Critical Entities Resilience (CER) Directive. However, it must be ensured that the scope of both directives as well as the respective definitions are congruent. Consequently, entities classified as essential under the NIS 2-Directive should be classified as critical under the CER Directive. As a consequence, the European Commission and Member States should provide critical and essential entities with one single point of contact where these entities are supposed to register, and where they can notify both cyber-incidents and incidents according to Article 13 (1) of the CER Directive. Either Member States should identify what constitutes both critical and essential in their country (CER logic), or the EU should do so for all Member States (NIS 2 logic). The current approach of different means to identify such entities risks creating a hotchpotch which increases implementation costs for these entities.

[7] Cf. Prime Minister’s Office. 2021. Finland, Germany, Denmark and Estonia call on EU to accelerate digital transformation. URL: https://vnk.fi/en/-/finland-germany-denmark-and-estonia-call-on-eu-to-accelerate-digital-transformation

- Focusing on municipal waste management: German industry recognises the importance of the waste management sector. However, we advocate narrowing the scope to municipal waste management, since the management of municipal waste is of paramount importance to maintain public health and safety.

- Clear definitions: A clear definition of the “type of entity” in Annex I and II would be desirable.

- Cloud computing service providers: The term “cloud computing service providers” (Annex I No. 8) is too wide and imprecise. The current wording includes not only the providers of mere distributed storage and computing capacities, but also software providers who offer storage in a cloud in connection with their virtually usable software products. Due to a further virtualisation of information technology, the very broad definition could lead to an increasing number of services falling into this category. Hence, the NIS 2-Directive should distinguish between “digital service providers” on the one hand, and users, such as “enterprises” or “operators of essential services”, on the other hand, who in turn require “digital services” as a basis for providing their services. Only providers of cloud-based software products whose services enable essential utility services should fall under the Directive’s scope. In contrast, companies which use a “digital service” to provide their SaaS, without the focus of their own SaaS being on the provision of cloud capacity to users, should be explicitly excluded from the Directive’s scope.

- Providers of online marketplaces: Providers of online marketplaces (Annex II No. 6) are classified as “important entities”. Again, the EU Commission does not explicitly distinguish between entities whose service is primarily based on an online marketplace, and those entities who merely “offer” an online marketplace as a subordinate service to another business activity. Such “second order” online marketplaces should be excluded from the Directive’s scope.

- Taking account of B2B relations: The current proposal does not sufficiently address the reality of B2B interactions, in which one essential service provider might be the client of another essential service provider. This could lead to legal ambiguity and overlap in reporting obligations. From our point of view, a business client acting as an essential entity, and that uses third-party digital services or digital infrastructure to serve multiple end users, would be better positioned to assess the impact and gravity of an incident than the essential entity providing the digital service or infrastructure. Under the current proposal, a cloud provider or any other digital infrastructure provider deemed as essential would have to report to the regulator without having the necessary information or overview of the end users affected.




type of entity / sector                                                       number of enterprises in Germany (≥ 50 employees)
Postal and courier services                                                   N/A
Waste management                                                              753 [8]
Manufacture, production and distribution of chemicals                         888 [9]
Food production, processing and distribution                                  2,780 [10]
Manufacturing total                                                           7,599 [11]
  Manufacture of medical devices and in vitro diagnostic medical devices      (484)
  Manufacture of computer, electronic and optical products                    (1,114)
  Manufacture of electrical equipment                                         (1,398)
  Manufacture of machinery and equipment n.e.c.                               (3,845)
  Manufacture of motor vehicles, trailers and semi-trailers                   (523)
  Manufacture of other transport equipment                                    (235)
Digital providers                                                             N/A
total (important entities)                                                    11,620

Table 1: Number of Important Entities in Germany

[8] https://www.destatis.de/DE/Themen/Branchen-Unternehmen/Energie/Beschaeftigte-Umsatz-Investitionen/Publikationen/Downloads-Beschaeftigte/beschaeftigung-umsatz-kostenstruktur-2040610187004.pdf?__blob=publicationFile
[9] Table 18b in https://www.vci.de/vci/downloads-vci/publikation/chemiewirtschaft-in-zahlen-print.pdf
[10] https://www.destatis.de/DE/Themen/Branchen-Unternehmen/Industrie-Verarbeitendes-Gewerbe/Publikationen/DownloadsStruktur/betriebe-taetige-personen-2040412197004.pdf?__blob=publicationFile
[11] Ibid. and VDA

Proposed changes to the legislative text:

Article 2: (1) This Directive applies to public and private entities of a type referred to as essential entities in Annex I and as important entities in Annex II. This Directive does not apply to entities that qualify as micro, small and medium enterprises within the meaning of Commission Recommendation 2003/361/EC, except for those SMEs that are suppliers of critical hardware and software to essential entities or that can be defined as critical in any other way.

(7) We would also recommend including a clarification in NIS 2 similar to the one in Art. 16(5) of the NIS Directive: “[w]here an operator of essential services relies on a third-party digital service provider for the provision of a service which is essential for the maintenance of critical societal and economic activities, any significant impact on the continuity of the essential services due to an incident affecting the digital service provider shall be notified by that operator.” In addition, liability exemptions or safe harbours for notifying incidents should be maintained in consistency with Articles 14(3) and 16(3) of the NIS Directive. Otherwise, with a mandated reporting obligation that would go against confidentiality and contractual obligations, there is a risk of reputational loss for both the client and the digital service provider.

Annex I and II should only focus on those parts of a company that are important for operative continuity and the protection of know-how and trade secrets. Annex II should be revised as follows:

2. Municipal waste management: Undertakings carrying out waste management referred to in point (9) of Article 3 of Directive 2008/98/EC (29) of municipal waste, but excluding undertakings for whom waste management is not their principal economic activity.

Furthermore, the following definitions in Article 4 need to be revised:

(17) ‘online marketplace’ means a digital service within the meaning of (insert correct reference, the current one seems to be incorrect). Excluded from this definition are services that only enable online contracting on a website as a minor service subordinated to the main service with a different focus.

(19) ‘cloud computing service’ means a digital service that in its core function enables on-demand administration and broad remote access to a scalable and elastic pool of shareable and distributed computing resources. Excluded from this definition are services that only use cloud computing services of a third party as a partial performance to be able to provide their own service with a different focus.

Minimum harmonisation (Article 3)

Summary of legislative proposal: Member States may adopt or maintain provisions ensuring a higher level of cybersecurity.
BDI’s position: German industry advocates a holistic, overlap-free, EU-wide harmonised regulatory framework on cybersecurity that strikes the right balance between enhancing the EU’s cyber-resilience and avoiding over-regulation and unduly high burdens on European companies. Therefore, Member States should make limited use of the possibility to introduce more far-reaching requirements than those stated in the NIS 2-Directive. Such additional legislative requirements should be limited to sectors that are specific to, or possess specific characteristics in, one Member State.

Definitions (Article 4)

Summary of legislative proposal: Article 4 defines several terms, among them “network and information system”.

BDI’s position: Clear and unambiguous definitions are of utmost importance in order to ensure legal certainty. To this end, German industry urges the European Commission, the European Parliament and the European Council to revise the proposed definition of “network and information systems”. The current definition does not specify that the “device or group of inter-connected or related devices” described in letter 1 b are only those devices that are integrated into the IT or OT system of an essential or important entity. Since the aim of the NIS 2-Directive is to ensure the integrity, availability and operational capacity of essential and important entities, the respective definition of “network and information systems” should be limited to those devices that are of paramount importance for guaranteeing these goals.

Proposed changes to the legislative text: ‘network and information system’ means:
a) an electronic communications network within the meaning of Article 2(1) of Directive (EU) 2018/1972;
b) any device or group of inter-connected or related devices, one or more of which, pursuant to a program, perform automatic processing of digital data, which are integrated into the IT- and/or OT-system of an essential or important entity pursuant to Article 2 of this directive and there fulfil functionalities that are of importance for the proper operational capacity, integrity and/or availability of the entity;
c) digital data stored, processed, retrieved or transmitted by elements covered under points (a) and (b) for the purposes of their operation, use, protection and maintenance;

Coordinated vulnerability disclosure and a European vulnerability registry (Article 6)

Summary of legislative proposal: The European Commission aspires to institutionalise coordinated vulnerability disclosure across the EU. Therefore, one CSIRT in each Member State shall act as coordinator for coordinated vulnerability disclosure. The designated CSIRT shall function as a trusted intermediary and facilitate the interaction between the reporting entity and manufacturers or ICT service providers.
Moreover, ENISA shall develop and maintain a European vulnerability registry to disclose and register vulnerabilities present in ICT products or ICT services, as well as to provide access to the information on vulnerabilities contained in the registry to all interested parties.

BDI’s position: German industry appreciates the European Commission’s approach to holistically address cyber-resilience and thereby also to pay closer attention to the cyber-resilience of products and services. Any security vulnerability, regardless of whether it is an unintentional bug in the product or an intentional backdoor, should be included in the registry. Manufacturers of such products should not only be obliged to report security gaps, but also to swiftly close them. In order to keep the effort for everyone involved as low as possible, the European Commission needs to implement a lean and efficient reporting process. The European Union should institutionalise coordinated vulnerability disclosure based on international standards, such as ISO/IEC 29147:2018 Information technology – Security techniques – Vulnerability disclosure, and CVE. Within CVE, trustworthy organisations nowadays act as CVE Numbering Authorities around the world in a voluntary program, so that cybersecurity experts can more easily prioritise and address vulnerabilities. When disclosing vulnerabilities, ENISA must cooperate with the respective manufacturer of a product or the provider of a service and inform them prior to any public disclosure. Manufacturers of ICT products and providers of ICT services must have the chance to provide their customers with updates or patches to mitigate the risks of the respective vulnerability before a vulnerability is publicly disclosed by a third party. Otherwise, hackers could exploit the disclosed information, which would have serious repercussions for Europe’s cyber-resilience. Therefore, a timeframe should be established for how quickly ENISA must notify the manufacturer and how long the manufacturer has to review the requests, respond to them, and roll out a bug fix if necessary.

Reporting vulnerabilities should not be a one-way road. Rather, public entities, including secret services, must be obliged to report their knowledge of vulnerabilities as well. German industry calls on the European Commission to integrate into Article 6 a requirement that obliges government agencies from EU Member States to immediately report any information on vulnerabilities or backdoors in IT products to the respective manufacturers and/or ENISA. Currently, government agencies frequently hold back such knowledge, which represents a significant threat to Europe’s cyber-resilience. This is especially the case when serious vulnerabilities in ICT products or services utilised in critical entities are concerned. Moreover, CSIRTs must never have the power to suppress or delay the disclosure of a detected vulnerability.

Proposed changes to the legislative text:

2. ENISA shall swiftly develop and maintain a European, yet internationally compatible, vulnerability registry. To that end, ENISA shall establish and maintain the appropriate information systems, policies and procedures with a view in particular to enabling important and essential entities and their suppliers of network and information systems to disclose and register vulnerabilities present in ICT products or ICT services, as well as to provide access to the information on vulnerabilities contained in the registry to all interested parties after the producer of an ICT product or the provider of an ICT service had sufficient time to provide customers with an update or a patch.
The registry shall, in particular, include information describing the vulnerability, the affected ICT product or ICT services and the severity of the vulnerability in terms of the circumstances under which it may be exploited, the availability of related patches and, in the absence of available patches, guidance addressed to users of vulnerable products and services as to how the risks resulting from disclosed vulnerabilities may be mitigated.

3. CSIRTs, competent authorities pursuant to Article 8 of this Directive, and all other authorities of the EU and its Member States have to immediately inform, by applying coordinated vulnerability disclosure principles, the producer of an ICT product or the provider of an ICT service respectively of any vulnerability in such products or services they become aware of. No public authority in the Union shall hold back this information.

National cybersecurity crisis management frameworks (Article 7)

Summary of legislative proposal: Each Member State has to designate competent authorities responsible for the management of large-scale incidents and crises. In addition, each Member State has to adopt a national cybersecurity incident and crisis response plan, containing (i) objectives of national preparedness measures and activities; (ii) tasks and responsibilities of the national competent authorities; (iii) crisis management procedures and information exchange channels; (iv) preparedness measures, including exercises and training activities; (v) relevant public and private interested parties and infrastructure involved; and (vi) national procedures and arrangements between relevant national authorities and bodies.

BDI’s position: As the SolarWinds case as well as the attack on the Ukrainian power grid in December 2015 demonstrated, cyber incidents can have far-reaching repercussions. Therefore, German industry welcomes the EU Commission’s proposal that every Member State has to adopt a national cybersecurity incident and crisis response plan. When developing and drafting such plans, Member States should be required to consult essential and important entities, as these companies provide vital services for society.

Proposed changes to the legislative text: 5. Member States shall consult in a structured manner essential and important entities when developing the plans according to paragraph 2, in order to ensure the provision of the services provided by essential entities during large-scale incidents and crises.

Requirements and tasks of CSIRTs (Article 10)

Summary of legislative proposal: Article 10 outlines the requirements CSIRTs have to comply with and the tasks they have to fulfil. CSIRTs shall (a) monitor cyberthreats, vulnerabilities and incidents at national level; (b) provide early warning, alerts, announcements and dissemination of information to essential and important entities as well as to other relevant interested parties on cyberthreats, vulnerabilities and incidents; (c) respond to incidents; (d) provide dynamic risk and incident analysis and situational awareness regarding cybersecurity; (e) provide, upon request of an entity, a proactive scanning of the network and information systems used for the provision of their services; and (f) participate in the CSIRTs network and provide mutual assistance to other members of the network upon their request.

BDI’s position: The operational powers of the supervisory authorities, in particular the CSIRTs (Art. 10) and the national competent cybersecurity authorities (Art. 29(2)), are too extensive. It must be ensured that CSIRTs do not interfere too extensively in the sovereign realm of enterprises. Instead, a trustworthy structure should be fostered, so that governmental and enterprise CSIRTs can collaborate, also with the globally well-organised CERT and CSIRT community.
Report on the state of cybersecurity in the Union (Article 15)

Summary of legislative proposal: ENISA will publish a biennial report on the state of cybersecurity in the Union. The report shall cover the development of cybersecurity capabilities across the Union and the current state in the Member States, and propose a cybersecurity index and policy recommendations.

BDI’s position: German industry urges ENISA to refrain from publishing a biennial report that includes mainly general information. Rather, ENISA should publish up-to-date information on cybersecurity incidents online. An improved, daily updated, holistic situation picture as well as daily updated, sector-specific warnings would significantly help essential and important entities to benefit from the data aggregated at national competent authorities, and thereby to better protect their business processes. Such information would help essential and important entities to support their cybersecurity risk mitigating measures.

Management bodies of Essential and Important Entities (Article 17)

Summary of legislative proposal: Management bodies of essential and important entities have to approve the cybersecurity risk management measures taken by those entities in order to comply with requirements on “cybersecurity risk management measures”, supervise their implementation and are accountable for the entity’s non-compliance with these obligations. Moreover, members of the management body have to follow specific trainings to gain sufficient knowledge and skills in order to apprehend and assess cybersecurity risks and management practices and their impact on the operations of the entity.

BDI’s position: BDI recognises that management bodies are responsible for the cybersecurity strategy of an essential or important entity. This step will help to significantly increase awareness of cybersecurity issues among top-level management. However, we regard it as important that the European Commission recognises that members of management bodies of essential entities and important entities have IT security personnel that possess the necessary qualifications to develop and implement an entity’s cybersecurity strategy. Consequently, it has to be questioned whether members of management bodies have to pass a respective training or whether reports by CISOs or IT security personnel are equally sufficient to provide members of management bodies with in-depth information. Moreover, personal accountability for non-compliance is a step too far, especially if the goal is to ensure appropriate cybersecurity awareness in companies across sectors. However, if the European Commission regards mandatory IT security training as necessary for members of management bodies, it should swiftly define what constitutes “sufficient knowledge and skills”, in order to provide guidance on which skills are considered adequate to implement the Commission’s requirements.
Moreover, such recommendations must be the same across the EU to ensure that members of management bodies are not confronted with diverging requirements across the Single Market, and – in a worst case scenario – have to undergo different trainings per country.

Proposed changes to the legislative text: The European Commission must publish a definition of management bodies.

Cybersecurity risk management measures (Article 18)

Summary of legislative proposal: Essential and important entities have to ensure a level of security of network and information systems appropriate to the risk presented, including at least (a) risk analysis and information system security policies; (b) incident handling (prevention, detection & response); (c) business continuity and crisis management; (d) supply chain security including security-related aspects concerning the relationships between each entity and its suppliers or service providers such as providers of data storage and processing services or managed security services; (e) security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure; (f) policies and procedures (testing and auditing) to assess the effectiveness of cybersecurity risk management measures; and (g) the use of cryptography and encryption. The Commission may adopt implementing acts in order to lay down the technical and methodological specifications of the above stated elements (paragraph 5). The Commission is empowered to adopt delegated acts to take account of new cyber threats, technological developments or sectorial specificities (paragraph 6).

BDI’s position: While German industry recognises the necessity to outline basic cybersecurity risk management measures for network and information systems that all essential and important entities have to fulfil, the European Commission and Member States’ governments must ensure that IT security personnel can focus on IT security rather than on filling in forms and being occupied by reporting obligations. We call on the European Commission, the European Parliament and Member States to introduce cybersecurity risk management measures for network and information systems that provide a high degree of legal certainty for essential and important entities. Therefore, instead of referring to the “state of the art”, which leaves ample room for evaluators to conclude, after an incident has happened, that not all potential state-of-the-art capabilities have been applied, reference to (minimum) standards should be introduced. As the European Commission proposed a directive and not a regulation, thereby providing Member States with a certain degree of flexibility when implementing the requirements stipulated in the NIS 2-Directive, the potential later adoption of implementing acts that specify technical and methodological specifications of cybersecurity risk management measures pursuant to Article 18 seems counterintuitive. When the European Commission adopts implementing acts according to paragraph 5 or delegated acts according to paragraph 6, it must ensure consistency between already existing national requirements and those to be adopted by the EU Commission. In Germany, for example, the national legislator has introduced, or is in the process of introducing, measures to be taken by enterprises. These are laid down in Germany’s IT Security Law 2.0, and for the telco sector additionally in § 109 Telecommunication Law (§ 164 new) and the respective security catalogue.
Hence, there is an increased likelihood that the European Commission’s delegated or implementing acts will deviate from the German regulatory framework in future, and hence that German entities will be confronted with contradicting regulatory requirements. This must be avoided. In addition, enough time for implementing such specifications must be provided.

Moreover, the proposal remains unclear concerning the concrete implications of the requirements stipulated in Article 18(2)(d) concerning “supply chain security”. Point (d) includes “security-related aspects concerning the relationships between each entity and its suppliers or service providers”. It is unclear how essential and important entities shall ensure that a supplier or service provider complies with the requirements deemed necessary by the EU Commission. Hence, an essential or important entity should not be liable if a supplier or service provider is non-compliant, at least as long as the important or essential entity did everything it could contractually to ensure that the supplier or provider maintains a risk-adequate level of cybersecurity. In contrast, if essential and important entities were required to utilise only certified ICT products and services to guarantee supply chain security, this would render business processes much more complex and ultimately increase product/service costs.

EU coordinated risk assessments of critical supply chains (Article 19)

Summary of legislative proposal: The Cooperation Group, in cooperation with the Commission and ENISA, may carry out coordinated security risk assessments of specific critical ICT service, system or product supply chains, taking into account technical and, where relevant, non-technical risk factors.

BDI’s position: Based on the experience of the EU’s coordinated risk assessment on 5G, German industry welcomes the proposal to conduct such risk assessments of critical supply chains. However, the measures proposed after such an analysis has been conducted must be proportionate and always foresee a sufficient implementation period.

Reporting obligations (Article 20)

Summary of legislative proposal: Essential and important entities have to notify incidents to competent authorities or the CSIRT without undue delay and in any event within 24 hours after having become aware of the incident. Entities have to provide the CSIRT with an intermediate report on relevant status updates. Moreover, entities have to hand in a final report not later than one month after the incident notification. Entities have to report both (a) incidents having a significant impact on the provision of their services and (b) any significant cyber threat that those entities identify that could have potentially resulted in a significant incident. Moreover, entities have to notify potentially affected recipients of their services. Entities only have to notify significant incidents, i.e. those that have caused or have the potential to cause substantial operational disruption or financial losses for the entity concerned or affect other natural or legal persons by causing considerable material or non-material losses.

BDI’s position: In Germany, critical infrastructures have had to report cybersecurity incidents to the national competent authority, the BSI, since the first IT Security Law came into effect in 2016. Nonetheless, German industry does not see any significant improvement in the cybersecurity threat reporting made available by the BSI. Therefore, German industry is hesitant when it comes to the extension of already existing reporting obligations to more entities. Essential and important entities only benefit from a threat notification obligation if there is an institution – potentially ENISA – that:
1. systematically classifies the threats,
2. organises the automatic distribution of threat information to participating parties,
3. maintains strategic threat intelligence information, and
4. reports about trends and focuses on understanding the “most critical activities to reduce the risks”.

If the European Commission seeks to introduce the above summarised reporting obligations, the following steps must be taken to ensure that reporting cybersecurity incidents is efficient and effective, i.e. contributes to the overall aim of improved EU-wide up-to-date knowledge of currently existing cyber threat vectors:
1. the creation of an efficient, harmonised reporting channel to one competent authority (one-stop-shop principle), instead of reporting obligations to various national and/or European authorities, such as competent authorities for cybersecurity and data protection officers;
2. ensuring that essential and important entities can focus on measures to minimise the implications of a successful cyber incident first, rather than having to fulfil reporting obligations. Therefore, companies should be required to notify competent authorities within 72 hours after identifying a successful attack. Furthermore, CSIRTs should be allowed to ask for a maximum of one interim report. Moreover, since the investigation time for a complex cybersecurity incident often amounts to half a year, handing in a final report after one month is not possible. Therefore, the final report should be handed in to the competent national authorities no later than one month after the entity has finished its forensic analysis and has conducted all other measures necessary to ensure business continuity and handle the notified cybersecurity incident. Such longer deadlines for handing in a final report are pertinent to ensure that companies can focus on mitigating the cybersecurity incident in the first place and ensure that the full operational capacity of a company is swiftly regained;
3. an improved, daily updated, holistic situation picture as well as daily updated, sector-specific warnings, so that at least all essential and important entities can benefit from the knowledge on reported cyberattacks and thereby improve their own cybersecurity measures;
4. a more precise definition of the term “significant incident”, as the current legislative text leaves ample room for interpretation. Companies require a high degree of legal certainty, especially since essential and important entities not fulfilling their reporting obligations are liable to pay a significant fine.

Proposed changes to the legislative text:

5. Member States shall ensure that, for the purpose of the notification under paragraph 1, the entities concerned shall submit to the competent authorities or the CSIRT:
a. without undue delay and in any event within 24 72 hours after having become aware of the incident, an initial notification, which, where applicable, shall indicate whether the incident is presumably caused by unlawful or malicious action;
b. upon the request of a competent authority or a CSIRT, an a maximum of one intermediate report on relevant status updates;
c. a final report not later than one month after the entity has finished its forensic analysis as well as other measures to handle the incidents and its potential business implications the submission of the report under point (a), including at least the following:
i. a detailed description of the incident, its severity and impact;
ii. the type of threat or root cause that likely triggered the incident;
iii. applied and ongoing mitigation measures.

Member States shall provide that in duly justified cases and in agreement with the competent authorities or the CSIRT, the entity concerned can deviate from the deadlines laid down in points (a) and (c).

Use of European cybersecurity certification schemes (Article 21)

Summary of legislative proposal: Member States may require essential and important entities to certify certain ICT products, ICT services and ICT processes under specific European cybersecurity certification schemes.

BDI’s position: In order to ensure a holistic strengthening of essential and important entities’ cyber-resilience, a holistic approach – combining technical, organisational, personnel-related and product-related measures – is required. German industry welcomes the EU Commission’s intention to address the product dimension. However, the EU Commission’s current proposal is not adequate for several reasons:
1. German industry disapproves of the sole focus on specific European cybersecurity certification schemes adopted pursuant to Article 49 of Regulation (EU) 2019/881, especially since these schemes were always intended to be voluntary. Rather, we urge the European Commission to propose a legislative act containing horizontal cybersecurity requirements based on the NLF, as currently discussed in the European Commission's DG GROW and DG CNECT, and supported by the European Council’s Conclusions on the cybersecurity of connected devices as approved on December 2, 2020.
2. Since the producer or distributor of an ICT product, ICT service or ICT process is responsible for the certification of the respective product, service or process, it should be the responsibility of the producer or distributor to ensure certification of its product, service or process.
3. Companies should be enabled to choose whether to certify their product, service or process under a specific European cybersecurity certification scheme adopted pursuant to Article 49 of Regulation (EU) 2019/881 or based on European harmonised standards, or alternatively to opt for a conformity assessment by the manufacturer.
4. Especially for smaller important entities, having to rely on certified products or services only will prove costly without necessarily enhancing the entity’s cyber-resilience.

Together with the German standardisation bodies, DIN and DKE, BDI supports the introduction of mandatory, horizontal cybersecurity requirements based on the principles of the New Legislative Framework (NLF). When introducing a respective legislative proposal, the following recommendations should be considered:
1. To achieve overarching cyber resilience, generally binding protection targets should be defined by law, and these should then be specified by harmonised European standards (hEN) that reflect the dynamic development of the state of the art.
2. Protective measures and resilience against cyberattacks must be based on the specific application and the associated threat situation. The NLF allows the coverage of different risk levels and follows the necessary risk-based approach. In this context, it is the responsibility of the manufacturer, as the economic actor placing the product on the market, to determine the intended area of use (and thus the threat level) of the product.
3. CE marking, by combining conformity assessment and market surveillance, acts as an anchor of trust for private and commercial customers alike.
4. The Digital Single Market will only be successful if national isolated solutions are avoided and compatibility with international standards is ensured.
5. With a bridge between the cybersecurity requirements of a product-centred horizontal NLF-based EU legislative act and the schemes under the EU Cybersecurity Act (CSA), the two approaches can complement each other. Thus, coherent cybersecurity requirements can be guaranteed for the products falling into the scope of the two legislative acts.
6. Coherent cybersecurity requirements allow the manufacturer to choose between harmonised European standards (hEN) and CSA schemes to perform the conformity assessment according to NLF-based EU legislation. If a hEN is applied, the manufacturer can use the presumption of conformity.

Details on BDI’s proposal for introducing horizontal, mandatory cybersecurity requirements based on the NLF can be found here: https://english.bdi.eu/publication/news/eu-wide-cybersecurity-requirements/

Proposed changes to the legislative text:
1. In order to demonstrate compliance with certain requirements of Article 18, Member States the European Commission may require essential and important entities to certify certain utilise in particularly security-critical areas, defined by a list of critical functionalities, only ICT products, ICT services and ICT processes which are certified under specific European cybersecurity certification schemes adopted pursuant to Article 49 of Regulation (EU) 2019/881 or based on European harmonised standards. The products, services and processes subject to certification may be developed by an essential or important entity or procured from third parties.
2. The Commission shall be empowered to adopt delegated acts specifying which categories of essential entities shall be required to utilise certain certified ICT products, ICT services and ICT processes obtain a certificate and under which specific European cybersecurity certification schemes pursuant to paragraph 1. The delegated acts shall be adopted in accordance with Article 36.

Standardisation (Article 22)

Summary of legislative proposal: In order to promote the convergent implementation of cybersecurity risk mitigating measures, Member States shall, without imposing or discriminating in favour of the use of a particular type of technology, encourage the use of European or internationally accepted standards and specifications relevant to the security of network and information systems.

BDI’s position: German industry welcomes the technology-neutral approach adopted by the European Commission regarding recommendations for the implementation of cybersecurity risk mitigating measures. Furthermore, we welcome that – in contrast to Germany’s new IT Security Law 2.0 – the European Commission focuses on the adoption of European and international standards. This will facilitate the spread of such universal standards. However, to ensure that entities operating in more than one country do not have to fulfil diverging requirements, German industry would welcome it if ENISA were to recommend basic guidelines for such measures for the entire EU.

Proposed changes to the legislative text: 1. In order to promote the convergent implementation of Article 18(1) and (2), Member States ENISA shall, without imposing or discriminating in favour of the use of a particular type of technology, encourage the use of European or internationally accepted standards and specifications relevant to the security of network and information systems.

Jurisdiction and territoriality (Article 24)


NIS 2-Directive

Summary of legislative proposal: (1) TLD name registries, cloud computing service providers, data centre service providers and content delivery network providers referred to in point 8 of Annex I to the NIS 2-Directive fall under the jurisdiction of the Member State in which they have their main establishment in the Union. (2) The main establishment in the Union shall be in the Member State where the decisions related to the cybersecurity risk management measures are taken.

BDI’s position: German industry welcomes that DNS service providers, TLD name registries, cloud computing service providers, data centre service providers and content delivery network providers referred to in point 8 of Annex I of the NIS 2-Directive fall under the jurisdiction of the Member State in which they have their main establishment in the Union. For companies in the ICT sector it is important to fall under the jurisdiction of just one Member State, as this significantly reduces the reporting obligations. Therefore, it needs to be clarified that an entity’s main establishment equates to the group’s headquarters in the Union and not only to the national entity’s headquarters in a Member State.

Proposed changes to the legislative text:

1. DNS service providers, TLD name registries, cloud computing service providers, data centre service providers and content delivery network providers referred to in point 8 of Annex I, as well as digital providers referred to in point 6 of Annex II shall be deemed to be under the jurisdiction of the Member State in which they have their group’s main establishment in the Union.

2. For the purposes of this Directive, entities referred to in paragraph 1 shall be deemed to have their group’s main establishment in the Union in the Member State where the decisions related to the cybersecurity risk management measures are taken. If such decisions are not taken in any establishment in the Union, the main establishment shall be deemed to be in the Member State where the entities have the establishment with the highest number of employees in the Union.

Registry for essential and important entities (Article 25)

Summary of legislative proposal: The European Commission aims to introduce a registry for essential and important entities addressed in Article 24, which will be hosted by ENISA. The entities will have to submit to ENISA their name, the address of their main establishment and of their other legal establishments in the Union or, if not established in the Union, of their designated representative, and up-to-date contact details, including email addresses and telephone numbers. Changes to this information have to be reported to ENISA within three months.

BDI’s position: The Federation of German Industry welcomes the idea of an EU-wide registry for essential and important entities. However, since operators of critical infrastructures and companies defined as companies of particular public interest by Germany’s IT Security Law 2.0 will already have to register at the BSI, the EU’s proposal will increase the administrative burden for the respective companies. Therefore, it should be made clear that a registration only has to be conducted once, at ENISA, and that ENISA will provide national competent authorities with all necessary information. In addition, the mere existence of a registry with information about all cyber establishments in the Union can in itself represent a cybersecurity risk. If the registry is to be created, all information shared with ENISA needs to be treated with the highest degree of confidentiality. Moreover, effective cybersecurity measures, including encryption, would need to be in place to protect the information in such a registry.

Proposed changes to the legislative text: To ensure that essential and important entities have to register only once, we propose the following amendment to the proposal:

3. Upon receipt of the information under paragraph 1, ENISA shall forward it to the single points of contact depending on the indicated location of each entity’s main establishment or, if it is not established in the Union, of its designated representative. Where an entity referred to in paragraph 1 has besides its main establishment in the Union further establishments in other Member States, ENISA shall also inform the single points of contact of those Member States. Entities shall only be obliged to report the information under paragraph 1 to ENISA and not in addition to the single points of contact in the Member States. ENISA shall ensure the exchange of this information with national competent authorities.

Cybersecurity information-sharing arrangements (Article 26)

Summary of legislative proposal: Member States shall ensure that essential and important entities may exchange relevant cybersecurity information among themselves, including information relating to cyber threats, vulnerabilities, indicators of compromise, tactics, techniques and procedures, cybersecurity alerts and configuration tools, where such information sharing aims to prevent, detect, respond to or mitigate incidents, or to enhance the level of cybersecurity. Member States shall ensure that the exchange of information takes place within trusted communities of essential and important entities based on information sharing arrangements.
BDI’s position: German industry appreciates this proposal, since experience from UP KRITIS, the German public-private partnership bringing together experts from operators of critical entities and representatives of government agencies, showcases the benefits of a regular exchange on cybersecurity topics between such companies and the respective public authorities. In order to ensure the protection of intellectual property and business know-how, the extent and scope of this exchange need to be clearly defined. Moreover, it has to be ensured that all essential and important entities can join such cybersecurity information sharing arrangements. Experience with non-profit platforms such as the German CERT Association (“Deutscher CERT Verbund”) and CERT@VDE has also proven for years that trustful cooperation based on a voluntary commitment by companies works well.

Voluntary notification of relevant information (Article 27)

Summary of legislative proposal: Entities not falling into the scope of the directive can notify the competent national authorities of cybersecurity incidents.
BDI’s position: German industry appreciates that voluntary reporting shall not result in the imposition of any additional obligations upon the reporting entity to which it would not have been subject had it not submitted the notification. At the same time, however, national competent authorities should be obliged to respond to such notifications within two days. If companies are provided with benefits when reporting cybersecurity incidents, the number of notifications is likely to rise. Thereby, the national competent authorities will gain a more holistic picture of the current cyberthreat landscape.

Supervision and enforcement for essential entities (Article 29)

Summary of legislative proposal: The supervision of essential entities will be based on ex ante and ex post supervisory measures. Competent national authorities shall have the following powers:
(a) on-site inspections and off-site supervision, including random checks;
(b) regular audits;
(c) targeted security audits based on risk assessments or risk-related available information;
(d) security scans based on objective, non-discriminatory, fair and transparent risk assessment criteria;
(e) requests for information necessary to assess the cybersecurity measures adopted by the entity, including documented cybersecurity policies, and registration at ENISA;
(f) requests to access data, documents or any information necessary for the performance of their supervisory tasks; and
(g) requests for evidence of implementation of cybersecurity policies, such as the results of security audits carried out by a qualified auditor and the respective underlying evidence.
In case essential entities are found non-compliant with the obligations laid down in Articles 18 and 20 of the NIS 2-Directive, competent authorities will have substantial possibilities to enforce adherence to these measures.

BDI’s position: German industry urges the European Commission to specify which criteria referred to in point (d) are considered “fair and transparent”. Essential entities require a maximum degree of legal certainty when implementing the NIS 2-Directive. The current proposal stays too vague in this regard. As the NIS 2-Directive already includes very far-reaching supervision and enforcement powers – including fines – it should be the responsibility of the respective entity to take any necessary employee-related measures. The competent authority shall not have the competence to oust any employee – including members of the management body. In addition to the responsibility of entities to maintain an adequate level of IT security and to avoid any violations of the duties outlined in the NIS 2-Directive, the Directive also establishes responsibilities and sanctions directed at single employees “exercising managerial functions”. Since the term “management” is used too broadly in companies across the Union (cf. Art. 29 Paragraph 5 (b) and Paragraph 6), German industry opposes such a far-reaching personal liability of individual employees.

Proposed changes to the legislative text:

Paragraph five:
b. impose or request the imposition by the relevant bodies or courts according to national laws of a temporary ban against any person discharging managerial responsibilities at chief executive officer or legal representative level in that essential entity, and of any other natural person held responsible for the breach, from exercising managerial functions in that entity.

Paragraph six should be deleted:
6. Member States shall ensure that any natural person responsible for or acting as a representative of an essential entity on the basis of the power to represent it, the authority to take decisions on its behalf or the authority to exercise control of it has the powers to ensure its compliance with the obligations laid down in this Directive. Member States shall ensure that those natural persons may be held liable for breach of their duties to ensure compliance with the obligations laid down in this Directive.

Supervision and enforcement for important entities (Article 30)

Summary of legislative proposal: The supervision of important entities will be based on ex post supervisory measures, i.e. competent national authorities shall only be active when provided with evidence or indication of non-compliance with the obligations laid down in the NIS 2-Directive. National competent authorities shall have the possibility to conduct:
(a) on-site inspections and off-site ex post supervision;
(b) targeted security audits based on risk assessments or risk-related available information;
(c) security scans based on objective, fair and transparent risk assessment criteria;
(d) requests for any information necessary to assess cybersecurity measures, including documented cybersecurity policies, and registration at ENISA; and
(e) requests to access data, documents and/or information necessary for the performance of the supervisory tasks.
If competent national authorities find that important entities do not adhere to the requirements stipulated in Articles 18 and 20, they can, inter alia, issue warnings or binding instructions, and even order those entities to bring their risk management measures or the reporting obligations into compliance with the obligations laid down in Articles 18 and 20 in a specified manner and within a specified period.
BDI’s position: German industry urges the European Commission to specify which criteria referred to in point (c) are considered “fair and transparent”. Important entities require a maximum degree of legal certainty when implementing the NIS 2-Directive. The current proposal stays too vague in this regard. Moreover, we urge the European Commission to consider important entities’ intrinsic interest in maintaining a high degree of cyber-resilience. In this regard it should be noted that companies are best equipped to conduct any necessary measure to enhance their cyber-resilience. Therefore, we oppose granting competent authorities any possibility to “issue binding instructions”, as stipulated in Article 30 Nr. 4 point (b). If competent authorities were provided with such far-reaching competencies, the European Commission would have to clarify that the competent authority will bear any cost resulting from such measures. German industry opposes audits and on-site inspections on cybersecurity. Such processes must be urgently streamlined to ensure minimum impact on business processes.

Proposed changes to the legislative text:

4. (b) issue binding instructions or an order requiring those entities to remedy the deficiencies identified or the infringement of the obligations laid down in this Directive;

General conditions for imposing administrative fines on essential and important entities (Article 31)

Summary of legislative proposal: Member States shall impose administrative fines on essential and important entities for infringements of obligations concerning cybersecurity risk management measures (Article 18) and reporting obligations (Article 20). Administrative fines shall amount to a maximum of at least 10,000,000 Euro or up to two per cent of global annual turnover.

BDI’s position: In order to ensure that all entities implement the cybersecurity risk mitigation measures laid down in Article 18 and fulfil their reporting obligations pursuant to Article 20, the introduction of administrative fines seems justified. However, German industry calls for a significant reduction of the maximum level of administrative fines imposed on entities. Unlike in the case of data protection (cf. GDPR), the legal interest to be protected here is not a fundamental right (GDPR = right to informational self-determination; vs NIS 2 = cybersecurity of essential and important entities). Nor do the considerations regarding data protection law – that have led to fines being calculated on the basis of group sales – fit with regard to the NIS 2 Directive. Therefore, the maximum level of administrative fines should be no higher than two million Euros, without any reference to annual turnover. Such a level would strike an acceptable balance between the intent to punish companies violating the requirements stipulated in Articles 18 and 20, and German industry’s requirement that administrative fines not be excessive. This is particularly important since, according to a Bitkom study from 2019, the consequences of successful cyberattacks already amount to costs of more than 100 billion euros per year for the German economy [12].

Proposed changes to the legislative text:

4. Member States shall ensure that infringements of the obligations laid down in Article 18 or Article 20 shall, in accordance with paragraphs 2 and 3 of this Article, be subject to administrative fines of a maximum of two million EUR at least 10 000 000 EUR or up to 2% of the total worldwide annual turnover of the undertaking to which the essential or important entity belongs in the preceding financial year, whichever is higher.

Review (Article 35)

Summary of legislative proposal: The EU Commission will periodically review the functioning of the NIS 2-Directive. A first report will be published 54 months after the entry into force of the Directive.

BDI’s position: German industry strongly appreciates the EU Commission’s clear statement of a regular review of the functioning of the Directive. This is of utmost importance to ensure that the regulatory framework concerning the cybersecurity requirements imposed on essential and important entities is adequate in light of the existing cyberthreat landscape.

[12] Bitkom. 2019. Wirtschaftsschutz in der digitalen Welt. URL: https://www.bitkom.org/sites/default/files/2019-11/bitkom_wirtschaftsschutz_2019_0.pdf (Accessed on 14th January 2021).
Imprint

Bundesverband der Deutschen Industrie e.V. (BDI)
Breite Straße 29, 10178 Berlin
www.bdi.eu
T: +49 30 2028-0
EU Transparency Register: 1771817758-48

Editor
Steven Heckler
Senior Manager Digitalisation and Innovation
T: +49 30 2028-1523
S.Heckler@bdi.eu

BDI document number: D 1333
