Policy Paper on EU Commission proposal for a NIS 2-Directive


NIS 2-Directive

In-detail discussion of selected Articles from the EU Commission’s proposal for a NIS 2-Directive

Ensuring a high degree of cyber-resilience across the European Union is of outstanding importance in light of the increasing interlinkages between sectors and actors, and along supply chains. Therefore, German industry regards the EU Commission’s proposal for repealing Directive (EU) 2016/1148 and proposing a Directive on measures for a high common level of cybersecurity across the Union (NIS 2-Directive) as an important step. However, the European legislator has to strike the right balance between a high degree of cyber-resilience and companies’ abilities to fulfil the cybersecurity risk-mitigating measures proposed in the draft NIS 2-Directive. On the following pages, German industry discusses several important dimensions of the EU Commission’s proposal for a NIS 2-Directive and calls on the EU Commission, the European Parliament and Member States to consider these remarks during the legislative process.

Encryption (Number 54)

Summary of legislative proposal:

The European Commission emphasises the need to promote the usage of end-to-end encryption, which shall be obligatory for entities. Solutions for lawful access to end-to-end encrypted information shall maintain the effectiveness of such measures, while providing possibilities for public authorities to gain access to such information for criminal investigations.

BDI’s position:

Cryptographic methods (e.g. end-to-end cryptography) strengthen trust in digital communication tools such as e-mails and messenger services. To protect companies from industrial espionage by third countries and citizens from cybercriminals, the EU should support the advancement and utilisation of cryptographic methods. German industry calls on the European Commission, the European Parliament and the EU Member States to promote encryption without demanding any measures that could weaken cryptographic procedures.

While German industry recognises the importance of competent authorities gaining access to electronic evidence in order to conduct successful investigations and thereby bring criminals to justice, as well as to protect victims and help ensure security, national authorities must also see the potential downsides that a weakening of encryption can have for Europe’s digital sovereignty. Moreover, weakening encryption in Europe could set a precedent for authoritarian regimes. Therefore, German industry urges policy makers to refrain from any measure that could weaken encryption. We strictly oppose any technical solutions, such as backdoors or master keys, as their mere existence would weaken encryption in the EU. Europe needs not fewer, but more trustworthy IT solutions to reap the benefits of the digital transformation in administration, industry and society. To this end, European legislators should be proponents of strong encryption and should increasingly promote the development of post-quantum cryptography procedures to accommodate future requirements for secure communication.

Proposed changes to the legislative text:

In order to safeguard the security of electronic communications networks and services, the use of encryption, and in particular end-to-end encryption, should be promoted and, where necessary, should be mandatory for providers of such services and networks in accordance with the principles of security and privacy by default and by design for the purposes of Article 18. Authorities


