Policy Paper on EU Commission proposal for a NIS 2-Directive


POSITION | CYBERSECURITY | EUROPEAN LEGISLATION

NIS 2-Directive

German industry's position on the EU Commission's proposal for a Directive on measures for a high common level of cybersecurity across the Union, repealing Directive (EU) 2016/1148

March 2021

Executive Summary

German industry welcomes the European Commission's aim to significantly strengthen Europe's cyber-resilience and to create a level playing field for essential and important entities across the European Union. Cyber and IT security are the basis for a secure, long-term digital transformation of the state, the economy and society. All those involved – from hardware and software manufacturers to commercial operators, private users and government agencies – must be actively and holistically involved in strengthening cyber-resilience. German industry will continue to make its contribution, because a high degree of cyber-resilience is a basic prerequisite for the trouble-free functioning of highly digitalised processes in companies. While the EU Commission's proposal strikes a good balance between targeted regulatory interventions and strengthening the EU's cyber-resilience holistically, German industry proposes the following changes to the proposal for a NIS 2-Directive:

Encryption (Number 54)

Policy makers should refrain from measures that could weaken encryption. We strictly oppose any technical solutions, such as backdoors or master keys, as their mere existence would weaken encryption in the EU. Europe needs not fewer, but more trustworthy IT solutions in order to swiftly implement the digital transformation in administration, industry and society. To this end, European legislators should be proponents of strong encryption.

List of Essential and Important Entities (Annex I and II in conjunction with Article 2)

German industry recognises the necessity to broaden the scope of the NIS 2-Directive. However, the European Commission should focus more on a company's criticality for a supply chain than on the size of an entity, and should additionally focus on those business units of a company that are paramount for operational continuity. While we appreciate the exemptions for micro and small enterprises, most medium-sized enterprises should be excluded from the scope as well, at least if they are not suppliers in critical supply chains.

Coordinated vulnerability disclosure and European vulnerability registry (Article 6)

German industry appreciates the European Commission's approach of addressing cyber-resilience holistically and thereby also paying closer attention to the cyber-resilience of products and services. The European Union should institutionalise coordinated vulnerability disclosure on the basis of international industry and de-facto standards, such as CVE, introduced in 1999.

Steven Heckler | Digitalisation and Innovation | T: +49 30 2028-1523 | S.Heckler@bdi.eu | www.bdi.eu