POSITION | CYBERSECURITY | EUROPEAN LEGISLATION

NIS 2-Directive

German industry’s position on the EU Commission’s proposal for a Directive on measures for a high common level of cybersecurity across the Union, repealing Directive (EU) 2016/1148

March 2021

Executive Summary

German industry welcomes the European Commission’s aim to significantly strengthen Europe's cyber-resilience and to create a level playing field for essential and important entities across the European Union. Cyber and IT security are the basis for a long-term secure digital transformation of the state, economy and society. All those involved – from hardware and software manufacturers to commercial operators, private users and government agencies – must be actively and holistically involved in strengthening cyber-resilience. German industry will continue to make its contribution to this, because a high degree of cyber-resilience is a basic prerequisite for the trouble-free functioning of highly digitalised processes in companies.

While the EU Commission’s proposal strikes a good balance between targeted regulatory interventions and strengthening the EU’s cyber-resilience holistically, German industry proposes the following changes to the proposal for a NIS 2-Directive:

Encryption (Number 54)

Policy makers should refrain from measures that could weaken encryption. We strictly oppose any technical solutions, such as backdoors or master keys, as their mere existence would weaken encryption in the EU. Europe needs not fewer, but more trustworthy IT solutions to swiftly implement the digital transformation in administration, industry and society. To this end, European legislators should be proponents of strong encryption.

List of Essential and Important Entities (Annex I and II in conjunction with Article 2)

German industry recognises the necessity to broaden the scope of the NIS 2-Directive. However, the European Commission should focus more on a company’s criticality for a supply chain rather than on the size of an entity, and should additionally focus on those business units of a company that are paramount for operational continuity. While we appreciate the exemptions for micro and small enterprises, most medium-sized enterprises should be excluded from the scope as well, at least if they are not suppliers in critical supply chains.

Coordinated vulnerability disclosure and European vulnerability registry (Article 6)

German industry appreciates the European Commission’s approach to holistically address cyber-resilience and thereby also pay closer attention to the cyber-resilience of products and services. The European Union should institutionalise coordinated vulnerability disclosure based on international industry and de facto standards, such as CVE, introduced in 1999.

Report on the state of cybersecurity in the Union (Article 15)

ENISA should refrain from publishing a biennial report that includes mainly general information. Rather, ENISA should publish online up-to-date information on cybersecurity incidents. A daily updated, holistic situation picture as well as daily updated, sector-specific warnings would help essential and important entities to protect their companies.

Management bodies of Essential and Important Entities (Article 17)

BDI recognises that management bodies are responsible for the cybersecurity strategy of an entity. If mandatory IT security training is regarded as necessary for members of management bodies, the EU should publish EU-wide applicable information on what constitutes “sufficient knowledge and skills” and should provide funding for the dissemination of cybersecurity knowledge, especially for SMEs. A definition of management bodies is required.

Cybersecurity risk management measures (Article 18)

The EU Commission and national governments must ensure that IT security personnel can focus on IT security rather than on bureaucracy, i.e. registering and reporting. We call on the co-legislators to introduce cybersecurity risk management measures that provide a high degree of legal certainty for essential and important entities, and to provide funding for initial risk management analysis, especially for SMEs.

EU coordinated risk assessments of critical supply chains (Article 19)

Based on the experience of the EU’s coordinated risk assessment on 5G, we welcome the proposal to conduct risk assessments of critical supply chains. However, measures based on such an analysis must be proportionate and foresee a sufficient implementation period.

Reporting obligations (Article 20)

Essential and important entities only benefit from reporting obligations if there is an institution that systematically classifies the threats, organises the automatic distribution of the threat information to participating parties, maintains strategic threat intelligence information, and reports on current trends. Entities require an efficient reporting channel, at least 72 hours for reporting an incident, and should only hand in a final report once they have finished the forensic analysis and taken the measures necessary to ensure business continuity.

Use of European cybersecurity certification schemes (Article 21)

Instead of mandatory certification of ICT products based on EU CSA schemes, the European Commission should publish horizontal cybersecurity requirements based on the New Legislative Framework, which are then specified by European harmonised standards.

Registry for essential and important entities (Article 25)

We welcome an EU-wide registry for essential and important entities. However, the EU’s proposal will augment the administrative burden for these entities, as they already have to register at national level. Therefore, entities should only have to register once and ENISA should exchange the respective data with national competent authorities.

General conditions for imposing administrative fines (Article 31)

The introduction of administrative fines is justified. However, the maximum level of fines should be no higher than two million euros, without reference to annual turnover.

Table of Contents

Executive Summary ..... 1

The EU’s Cybersecurity Strategy 2020: Current cybersecurity situation requires holistic approach ..... 4

In-detail discussion of selected Articles from the EU Commission’s proposal for a NIS 2-Directive ..... 5

Encryption (Number 54) ..... 5
Scope: List of essential and important entities (Annex I and II) in conjunction with the exemptions for Micro and Small Enterprises stipulated in Article 2 n° 2 ..... 6
Minimum harmonisation (Article 3) ..... 10
Definitions (Article 4) ..... 10
Coordinated vulnerability disclosure and a European vulnerability registry (Article 6) ..... 11
National cybersecurity crisis management frameworks (Article 7) ..... 12
Requirements and tasks of CSIRTs (Article 10) ..... 13
Report on the state of cybersecurity in the Union (Article 15) ..... 13
Management bodies of Essential and Important Entities (Article 17) ..... 14
Cybersecurity risk management measures (Article 18) ..... 14
EU coordinated risk assessments of critical supply chains (Article 19) ..... 15
Reporting obligations (Article 20) ..... 16
Use of European cybersecurity certification schemes (Article 21) ..... 17
Standardisation (Article 22) ..... 19
Jurisdiction and territoriality (Article 24) ..... 20
Registry for essential and important entities (Article 25) ..... 20
Cybersecurity information-sharing arrangements (Article 26) ..... 21
Voluntary notification of relevant information (Article 27) ..... 22
Supervision and enforcement for essential entities (Article 29) ..... 22
Supervision and enforcement for important entities (Article 30) ..... 23
General conditions for imposing administrative fines on essential and important entities (Article 31) ..... 24
Review (Article 35) ..... 24

Imprint ..... 26
