POSITION | CYBERSECURITY | EUROPEAN LEGISLATION
NIS 2-Directive
German industry’s position on the ITRE Committee draft report for a Directive on measures for a high common level of cybersecurity across the Union, repealing Directive (EU) 2016/1148
31st May 2021

Executive Summary
German industry welcomes the European Commission’s aim to significantly strengthen Europe's cyber-resilience and to create a level playing field for essential and important entities across the European Union. Cyber and IT security are the basis for a long-term secure digital transformation of the state, economy and society. All those involved – from hardware and software manufacturers to commercial operators, private users and government agencies – must be actively and holistically involved in strengthening cyber-resilience. German industry will continue to make its contribution to this, because a high degree of cyber-resilience is a basic prerequisite for the trouble-free functioning of highly digitalised processes in companies.
While the EU Commission’s proposal strikes a good balance between targeted regulatory interventions and strengthening the EU’s cyber-resilience holistically, German industry regards it as being of utmost importance to amend the Commission’s proposal. In this regard, we welcome most amendments proposed in the ITRE draft report by rapporteur Bart Groothuis, MEP. Nonetheless, we still see the necessity for inter alia the following additional alterations:
▪ scope (Article 2 & Annex I+II): While we recognise the necessity to broaden the scope, all SMEs falling into the sectors outlined in Annex I and II should be exempted from the scope, apart from those SMEs that are suppliers of critical hardware and software to essential entities.
▪ definitions (Article 4): BDI urges the co-legislators to alter the proposed definitions of “network and information system”, “online marketplaces” and “cloud computing services”. Also, a definition of “management bodies” should be introduced in the NIS 2 Directive.
▪ ENISA’s cybersecurity report (Article 15): ENISA publishing a biennial report that includes mainly general information will not augment the EU’s cyber-resilience. Rather, ENISA should publish online up-to-date information on cybersecurity incidents.
▪ management bodies (Article 17 in conjunction with 29): We recognise the responsibility of management bodies for the cybersecurity strategy of an entity. However, no single member should be held accountable for any cybersecurity-related misconduct. We urge the Commission to publish binding recommendations on what constitutes sufficient knowledge and skills.
▪ fines (Article 31): In order to ensure that all entities implement the cybersecurity risk mitigation measures laid down in Article 18 and fulfil their reporting obligations pursuant to Article 20, the introduction of administrative fines seems justified. We advocate for a maximum of two million Euros and a deletion of any reference to percentages of annual turnover.
Steven Heckler | Digitalisation and Innovation | T: +49 30 2028-1523 | s.heckler@bdi.eu | www.bdi.eu
Table of Content
Executive Summary (p. 1)
Discussion of selected Amendments from the ITRE Committee’s draft report on the NIS 2-Directive (p. 3)
Article 2 in conjunction with Annex II – Scope (p. 3)
Article 4 – Definitions (p. 4)
Article 5 – National cybersecurity strategy (p. 5)
Article 8 – National competent authorities and single points of contact (p. 6)
Article 9 – Computer security incident response teams (CSIRTs) (p. 7)
Article 10 – Requirements and tasks of CSIRTs (p. 7)
Article 18 – Cybersecurity risk management measures (p. 8)
Article 20 – Reporting obligations (p. 9)
Article 21 – Use of European cybersecurity certification schemes (p. 11)
Article 26 – Cybersecurity information-sharing arrangements (p. 13)
Article 26a – Voluntary notification of relevant information by essential and important entities (p. 14)
Article 29 – Supervision and enforcement for essential entities (p. 14)
German industry’s proposals for further amendments (p. 15)
Recital 54 – Encryption (p. 15)
Article 2 in conjunction with Annex I and II – Scope (p. 16)
Article 4 – Definitions (p. 17)
Article 6 – Coordinated vulnerability disclosure and a European vulnerability registry (p. 20)
Article 7 – National cybersecurity crisis management frameworks (p. 21)
Article 15 – Report on the state of cybersecurity in the Union (p. 21)
Article 17 – Governance (p. 22)
Article 19 – EU coordinated risk assessments of critical supply chains (p. 23)
Article 20 – Reporting obligations (p. 23)
Article 22 – Standardisation (p. 25)
Article 24 – Jurisdiction and territoriality (p. 25)
Article 25 – Registry for essential and important entities (p. 26)
Article 26 – Cybersecurity information-sharing arrangements (p. 26)
Article 27 – Voluntary notification of relevant information (p. 27)
Article 29 – Supervision and enforcement for essential entities (p. 27)
Article 30 – Supervision and enforcement for important entities (p. 27)
Article 31 – General conditions for imposing administrative fines on essential and important entities (p. 28)
Article 35 – Review (p. 29)
Imprint (p. 30)
Discussion of selected Amendments from the ITRE Committee’s draft report on the NIS 2-Directive

Article 2 in conjunction with Annex II – Scope

Amendment 27 – paragraph 1
Summary of Amendment:
▪ Entities with a public ownership of 25 per cent will be treated like SMEs.
Evaluation:
▪ BDI urges the co-legislators to exempt all SMEs from the scope of the Directive, except for those that offer essential services or products for essential entities and hence pose a high degree of supply-chain criticality. Not the ownership, but rather the criticality of an entity should be decisive when it comes to the inclusion of an entity into the Directive’s scope.
Amendment 28 – new paragraph 6a
Summary of Amendment:
▪ Amendment 28 clarifies that personal data shall be processed by essential and important entities, CERTs, CSIRTs and providers of security technologies and services to the extent strictly necessary and proportionate for the purposes of ensuring network and information security, to meet the obligations set out in this Directive. It creates a clear legal basis under GDPR Articles 6(1)(c) or (f) respectively.
Evaluation:
▪ Amendment 28 has in general only a clarifying character. Nonetheless, German industry appreciates that essential and important entities, CERTs, CSIRTs and providers of security technologies and services shall process personal data to the extent strictly necessary and proportionate for the purposes of ensuring network and information security, to meet the obligations set out in this Directive. The reference to the relevant articles in the GDPR gives obligated parties the necessary legal certainty.
Amendment 91
Summary of Amendment:
▪ Inclusion of education and research institutions, in particular of higher education institutions and research institutions, as new categories of important entities.
Evaluation:
▪ BDI welcomes the inclusion of higher education and research institutions into the list of essential entities. Especially for collaborations and cooperation of enterprises and research institutions it is very important that both partners follow high cyber security standards. This fosters innovation and the engagement of businesses in the field of research.
Article 4 – Definitions

Amendment 29 – paragraph 1 point 5 a (new)
Summary of Amendment:
▪ Addition of a definition of “near miss” as: (5a) ‘near miss’ means an event which could have caused harm, but was successfully prevented from fully transpiring;
Evaluation:
▪ BDI welcomes the inclusion of a clear and unambiguous definition of ‘near miss’ as it provides entities with regulatory clarity. It is equally important that a ‘near miss’ does not impose additional obligations but only empowers entities to exchange information as done in Art. 26 paragraph 1.
Amendment 30 – paragraph 1 point 7 a (new)
Summary of Amendment:
▪ Addition of a definition of “risk” as: (7a) ‘risk’ means the potential for loss or disruption caused by a cybersecurity incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of that incident;
Evaluation:
▪ BDI welcomes the inclusion of a clear and unambiguous definition of “risk”.
Amendment 32 – paragraph 1 point 14
Summary of Amendment:
▪ Split of the definition into two separate points 14 a and b and substitution of DNS service provider by third-party entities: (14) ‘DNS service provider’ means an entity that provides: (a) recursive domain name resolution services to internet end-users; or (b) authoritative domain name resolution services as a service procurable by third-party entities;
Evaluation:
▪ BDI welcomes the differentiation between recursive and authoritative domain name resolution services.

Amendment 33 – paragraph 1 point 15 a (new)
Summary of Amendment:
▪ Addition of a list of all actors involved in “domain name registration services”: (15a) ‘domain name registration services’ means services provided by domain name registries and registrars, privacy or proxy registration service providers, domain brokers or resellers, and any other services which are related to the registration of domain names
Evaluation:
▪ BDI welcomes a clear and unambiguous list of parties that are considered as actors providing domain name registration services.

Article 5 – National cybersecurity strategy

Amendment 34 and 35 – paragraph 1 – point e and paragraph 2 – point h
Summary of Amendment:
▪ National cybersecurity strategies shall entail a point of contact for SMEs: (e) a list of the various authorities and actors involved in the implementation of the national cybersecurity strategy, including a cybersecurity point of contact for SMEs
▪ National cybersecurity strategies shall also entail a policy promoting cybersecurity for all SMEs.
Evaluation:
▪ BDI appreciates the introduction of a dedicated cybersecurity point of contact for SMEs. SMEs in particular face overwhelming challenges when implementing a cybersecurity strategy. Easily accessible guidance and support is key for them.
BDI proposes the following further changes:
▪ SMEs need direct support and funding by the Member States to be able to implement risk-adequate cybersecurity measures. Moreover, best practices should be shared across SMEs.
▪ German industry would welcome a solution similar to the TISIM initiative organised by the German Ministry of Economic Affairs and Energy that helps SMEs to assess and identify cyber security measures.
Amendment 36 – paragraph 2 – point h a (new)
Summary of Amendment:
▪ Member States develop a policy promoting active cyber defence.
Evaluation:
▪ Efficient state cyber defence is an elementary component for safeguarding cyber security and thus public security in the modern information and communication society. At the same time, a discussion on the further development of state instruments is necessary in order to take into account the dynamics of the threat situation in cyberspace and its effects on Germany's security situation. A spiral of escalation between the state and national as well as international cyber criminals must be avoided at all costs. The development of international rules for responsible state action in cyberspace should therefore be given priority over the development of purely national approaches.
▪ BDI calls for the following eight principles to guide state action in cyberspace:
1. introduce state cyber defence, both in the military and civilian spheres, on the firm foundations of the German Basic Law and international treaties in a legally secure manner,
2. maintain the state's monopoly on the use of force also in cyberspace,
3. avoid a spiral of escalation in cyberspace with negative repercussions for industry,
4. exclude the obligation to install vulnerabilities and immediately report identified vulnerabilities and backdoors to the manufacturer,
5. introduce a uniform cyber-law enforcement framework throughout Germany based on international approaches, strengthen the police as well as federal and state criminal investigation offices, but also courts and public prosecutors' offices,
6. clarify liability issues,
7. give international approaches priority over national go-it-alone approaches,
8. states must refrain from hackback operations where allegedly attacking systems are targeted by a counter attack. In most cases, such operations lack reliable attribution (IP spoofing), leading to the danger of attacking innocent people or organisations with the risk of impacting essential services. Rather, less aggressive cyber counter-measures, such as deleting stolen databases stored on other devices or the deactivation of bot networks, should be conducted.

Article 8 – National competent authorities and single points of contact

Amendment 39 – paragraph 4
Summary of Amendment:
▪ The single point of contact in each Member State shall not only engage with the SPOCs in other Member States but also with the Commission and ENISA.
Evaluation:
▪ BDI welcomes the inclusion of ENISA as one of the reporting institutions. A joint collection of these data in one organisation helps to better address cybersecurity threats.
BDI proposes the following further changes:
▪ German industry urges the co-legislators to increase the personnel capacity of ENISA to provide it with adequate resources to manage the services it is responsible for. At the moment ENISA does not have enough resources and is massively understaffed and underfinanced.
Article 9 – Computer security incident response teams (CSIRTs)

Amendment 41 – paragraph 6 a (new)
Summary of Amendment:
▪ Member States shall ensure the possibility of effective, efficient and secure information exchange between their own CSIRTs and the CSIRTs from third countries, where information exchange is reciprocal and beneficial to the security of its citizens.
Evaluation:
▪ BDI welcomes the proposed institutionalisation of information exchange between different CSIRTs. As CSIRTs hold highly sensitive data, it must be ensured that the security and integrity of that data is safeguarded. On the other hand, this must not lead to an obligation for companies to report to an additional institution. The opposite is true: merging some reporting obligations into one institution like ENISA would be beneficial for the industry.
BDI proposes the following further changes:
▪ In general, BDI criticises that the operational powers of the supervisory authorities, in particular the CSIRTs (Art. 10) and the national competent cybersecurity authorities (Art. 29 (2)), are too extensive. It must be ensured that CSIRTs do not interfere too extensively in the sovereign realm of enterprises.
Article 10 – Requirements and tasks of CSIRTs

Amendment 44 – paragraph 2 point d
Summary of Amendment:
▪ Addition of collecting and analysing forensic data and reverse-engineering of cyber threats as tasks of CSIRTs: (d) collecting and analysing forensic data and providing dynamic risk and incident analysis and situational awareness regarding cybersecurity, including reverse-engineering cyber threats;
BDI proposes the following further changes:
▪ German industry urges the co-legislators to delete “including reverse-engineering cyber threats”.

Amendment 45 – paragraph 2 point e
Summary of Amendment:
▪ Addition of the case of a serious threat to national security as a reason for CSIRTs to conduct proactive scanning: (e) providing, upon request of an entity or in the case of a serious threat to national security, a proactive scanning of the network and information systems used for the provision of their services
BDI proposes the following further changes:
▪ German industry urges the co-legislators to delete “upon request of an entity”.

Amendment 46 – paragraph 2 point f a (new)
Summary of Amendment:
▪ Addition of protecting data as a task of CSIRTs: (fa) protecting data, including personal data, from unauthorised exfiltration and using network logging;
Evaluation:
▪ German industry perceives the term “network logging” as unclear. We urge the co-legislators to clearly state what is meant.
BDI proposes the following further changes:
▪ (fa) protecting data, including personal data, from unauthorised exfiltration and using logging of system (and network) security events;
Article 18 – Cybersecurity risk management measures

Amendment 54 – paragraph 5
Summary of Amendment:
▪ Deletion of the possibility for the EU Commission to adopt implementing acts laying down the technical and methodological specifications of the elements referred to in paragraph 2.
Evaluation:
▪ BDI supports the deletion of this paragraph. Since the EU Commission proposed a NIS 2 Directive, it should refrain from downstream harmonisation. Rather, the EU Commission should directly strive for a high degree of EU-wide harmonisation as this reduces implementation costs for industry. In contrast, if companies first have to implement national requirements emanating from the implementation of the NIS 2 in each Member State and later have to adjust their processes according to the Delegated Act, the costs are incurred twice.
Amendment 55 – paragraph 6
Summary of Amendment:
▪ The Commission is empowered to adopt technical and methodological specifications via delegated acts.
Evaluation:
▪ German industry opposes the adoption of delegated acts by the EU Commission if this happens after Member States have implemented the Directive. While German industry would welcome a greater degree of harmonisation across the Union, having to adjust a company’s internal processes first to a Member State’s legislative acts implementing the Directive and afterwards additionally according to the requirements of a Delegated Act would cause companies to incur adoption costs twice. This has to be avoided.

Article 20 – Reporting obligations

Amendment 56 – paragraph 1
Summary of Amendment:
▪ Entities shall inform the CSIRT or the competent authority about any incident having a significant impact, regardless of whether that impact is associated with the provision of the entity’s services.
Evaluation:
▪ BDI opposes the deletion of the reference to “on the provision of their services” as only these incidents are relevant with regard to an essential or important entity’s customer relations. NIS 2 should not address unspecified topics such as “national security”.
Amendments 57, 59, 60
Summary of Amendment:
▪ Deletion of all references to cyber threats that could have potentially resulted in a significant incident (incl. respective reporting obligations) or that could have affected other natural or legal persons by causing considerable material or non-material losses.
Evaluation:
▪ German industry welcomes the deletion of reporting obligations for potential incidents as it is often impossible to state for sure the potential consequences of an attack that has been successfully mitigated.
Amendment 58 – paragraph 2 subparagraph 2
Summary of Amendment:
▪ The requirement that entities shall inform recipients of their services potentially affected by a significant cyber threat of measures or remedies that those recipients can take in response to that threat.
Evaluation:
▪ In order to enhance Europe’s cyber-resilience holistically, BDI regards it as necessary that all actors have the necessary information to contribute to enhanced cyber-resilience.
▪ However, only recipients of services that are affected by a cyber incident should be informed. Therefore, BDI welcomes the deletion of this paragraph from Article 20.
Amendment 61 – paragraph 4 point a
Summary of Amendment:
▪ Increase of the notification time from 24 to 72 hours
Evaluation:
▪ German industry fully agrees with increasing the time to 72 hours. Businesses should first ensure that the implications of a successful cyber incident are minimised, rather than having to fulfil reporting obligations.
Amendment 62 – paragraph 4 point c introductory part
Summary of Amendment:
▪ Entities shall no longer hand in a final report one month after the initial report but a more comprehensive report
Evaluation:
▪ The BDI fully supports that a final report is no longer required one month after the initial report, as the investigation time for a complex cybersecurity incident often amounts to significantly longer periods. However, an EU-wide applicable manual should be swiftly published detailing what constitutes a “more comprehensive report”. Even one month after a large cyber incident, companies will have to focus most of their IT security resources on mitigating the incident and enabling operational continuity. Therefore, the requirements for such a report should be realistic.
Amendment 68 – paragraph 11 a (new)
Summary of Amendment:
▪ Introduction of the right to introduce delegated acts to specify types of information and the cases’ significance: 11a. The Commission is empowered to adopt delegated acts, in accordance with Article 36, to supplement this Regulation by specifying the type of information submitted pursuant to paragraph 1 of this Article and by further specifying the cases in which an incident shall be considered to be significant as referred to in paragraph 3 of this Article.
Evaluation:
▪ German industry opposes the adoption of delegated acts by the EU Commission if this happens after Member States have implemented the Directive. While German industry would welcome a greater degree of harmonisation across the Union, having to adjust a company’s internal processes first to a Member State’s legislative act implementing the Directive and afterwards additionally according to the requirements of a Delegated Act would cause companies to incur adoption costs twice. This has to be avoided.
▪ Hence, the European Commission should directly publish a Delegated Act specifying the types of information and the cases’ significance before the deadline for the transposition of this Directive according to Article 38. When developing such a Delegated Act, the Commission should take into account ENISA’s expertise.

Article 21 – Use of European cybersecurity certification schemes

Amendment 69 – paragraph 1
Summary of Amendment:
▪ Member States may no longer require essential or important entities to certify ICT products/services/processes based on specific EU cybersecurity schemes based on the EU CSA. Rather, they shall encourage it. Moreover, the new wording also foresees similar internationally recognised certification schemes as a similarly appropriate alternative.
Evaluation:
▪ BDI appreciates the new wording as it also references internationally recognised certification schemes, which is of utmost importance for inter alia the automotive sector, where UNECE R155 and ISO 5112 will be vital to certify solutions in the area of “connected vehicles” and hence, where no dedicated EU CSA scheme will be required.
▪ In addition to allowing certification based on international standards, we urge the Commission to introduce horizontal NLF-based cybersecurity requirements. German industry expressly supports the European Commission's current considerations, supported by the European Council, to introduce mandatory, horizontal cybersecurity requirements based on the principles of the New Legislative Framework (NLF).
BDI proposes the following further changes:
▪ Together with the German standardisation bodies, DIN and DKE, BDI supports the introduction of mandatory, horizontal cybersecurity requirements based on the principles of the New Legislative Framework (NLF). When introducing a respective legislative proposal, the following recommendations should be considered:
1. To achieve overarching cyber resilience, generally binding protection targets should be defined by law and these should then be specified by harmonised European standards that reflect the dynamic development of the state of the art.
2. Protective measures and resilience against cyberattacks must be based on the specific application and the associated threat situation. The NLF allows the coverage of different risk levels and follows the necessary risk-based approach. It is the responsibility of the manufacturer as the economic actor placing the product on the market to determine the intended area of use (and thus the threat level) of the product.
3. CE marking, by combining conformity assessment and market surveillance, acts as an anchor of trust for private and commercial customers alike.
4. The Digital Single Market will only be successful if national isolated solutions are avoided and compatibility with international standards is ensured.
5. With a bridge between the cybersecurity requirements of a product-centred horizontal NLF-based EU legislative act and the schemes under the EU Cybersecurity Act (CSA), the two approaches can complement each other. Thus, coherent cybersecurity requirements can be guaranteed for the products falling into the scope of the two legislative acts.
6. Coherent cybersecurity requirements allow the manufacturer to choose between harmonised European standards (hEN) and CSA schemes to perform the conformity assessment according to NLF-based EU legislation. If a hEN is applied, the manufacturer can use the presumption of conformity.
Details on BDI’s proposal for introducing horizontal, mandatory cybersecurity requirements based on the NLF can be found here: https://english.bdi.eu/publication/news/euwide-cybersecurity-requirements/

Amendment 70 – paragraph 2
Summary of Amendment:
▪ Deletion of the entire paragraph giving the Commission the power for delegated acts that would specify which categories of essential entities shall be required to obtain a certificate and under which specific European cybersecurity certification schemes pursuant to paragraph 1.
Evaluation:
▪ BDI fully supports the deletion of this paragraph. Rather than adopting binding Delegated Acts, entities should be provided with freedom of choice when it comes to the selection of the basis for certifying ICT products, services or processes. As detailed above, manufacturers should have the possibility to choose between harmonised European standards (hEN) and CSA schemes to perform the conformity assessment according to NLF-based EU legislation.
▪ If the EU Commission were to develop Delegated Acts, it should be obliged to closely consult with ENISA.
Article 26 – Cybersecurity information-sharing arrangements

Amendment 77 – paragraph 1 – introductory part
Summary of Amendment:
▪ Entities shall be allowed to additionally exchange information on near misses, meta and content data, indicators of compromise, modus operandi, attack attribution information (incl. personal data related to the attacker).
Evaluation:
▪ This broadening of the information that can be exchanged between entities is appreciated as it will help entities to increase their resilience.
Amendment 79 – paragraph 2
Summary of Amendment:
▪ Member States shall support the exchange of information on cyber threats/incidents in trusted communities of essential and important entities as well as their service providers
Evaluation:
▪ German industry welcomes the inclusion of service providers in exchange fora of essential and important entities on cyber incidents and threats as it takes the necessary holistic approach better into account.
BDI proposes the following further changes:
▪ BDI would welcome the following addition to fully take into account the interplay of essential and important entities with their suppliers:
▪ Member States shall support the exchange of information by encouraging and promoting the creation of trusted communities of essential and important entities, and their service providers and any supplier of critical components or services. Such exchange shall be implemented through information sharing arrangements in respect of the potentially sensitive nature of the information shared.
Amendment 80 – paragraph 3
Summary of Amendment:
▪ Member States shall support this information sharing by publishing best practices rather than setting out rules.
Evaluation:
▪ BDI agrees that such sharing arrangements are better organised in a top-down structure. We would ask the German government to continue the good working relations established in the UP KRITIS and to include suppliers of essential and important entities in this forum.
Article 26a – Voluntary notification of relevant information by essential and important entities

Amendment 81 – Article 26a (new)
Summary of Amendment:
▪ New article for the voluntary notification of relevant information by essential and important entities.
Evaluation:
▪ German industry opposes the introduction of Article 26a. If entities wish to hand in additional information, that should always be possible regardless of a legally defined respective possibility. To prevent gold-plating by certain Member States turning these voluntary possibilities into legally binding requirements, German industry proposes the deletion of this Article.
Article 29 – Supervision and enforcement for essential entities
Amendment 85, paragraph 5, point (b)
Summary of Amendment: Deletion of the following paragraph, which could have resulted in legal steps against individual employees in case of cybersecurity-related breaches: “(b) impose or request the imposition by the relevant bodies or courts according to national laws of a temporary ban against any person discharging managerial responsibilities at chief executive officer or legal representative level in that essential entity, and of any other natural person held responsible for the breach, from exercising managerial functions in that entity.”

Evaluation: BDI welcomes the deletion of this paragraph. German industry opposes such far-reaching personal liability of individual employees.

BDI proposes the following further changes:
▪ German industry urges the co-legislators to delete paragraph 6 as well. Since the term “management” is used very broadly in companies across the Union, German industry opposes such far-reaching personal liability of individual employees.
German industry’s proposals for further amendments

Ensuring a high degree of cyber-resilience across the European Union is of outstanding importance in light of the increasing interlinkages between sectors and actors and along supply chains. Therefore, German industry regards the EU Commission’s proposal to repeal Directive (EU) 2016/1148 and to adopt a Directive on measures for a high common level of cybersecurity across the Union (NIS 2-Directive) as an important step. However, the European legislator has to strike the right balance between a high degree of cyber-resilience and companies’ ability to fulfil the cybersecurity risk mitigating measures proposed in the draft NIS 2-Directive. In addition to the amendments proposed by ITRE rapporteur Bart Groothuis, German industry urges the co-legislators to make the following amendments to the proposal for a NIS 2-Directive:

Recital 54 – Encryption

Text proposed by the Commission:
In order to safeguard the security of electronic communications networks and services, the use of encryption, and in particular end-to-end encryption, should be promoted and, where necessary, should be mandatory for providers of such services and networks in accordance with the principles of security and privacy by default and by design for the purposes of Article 18. The use of end-to-end encryption should be reconciled with the Member States’ powers to ensure the protection of their essential security interests and public security, and to permit the investigation, detection and prosecution of criminal offences in compliance with Union law. Solutions for lawful access to information in end-to-end encrypted communications should maintain the effectiveness of encryption in protecting privacy and security of communications, while providing an effective response to crime.

Proposed Amendment:
In order to safeguard the security of electronic communications networks and services, the use of encryption, and in particular end-to-end encryption, should be promoted and, where necessary, should be mandatory for providers of such services and networks in accordance with the principles of security and privacy by default and by design for the purposes of Article 18. Authorities across all Member States should promote the utilisation of cryptographic processes in order to ensure Europe’s digital sovereignty and digital transformation. By promoting encryption, the EU will set a positive role model for other parts of the world.

Explanation: Cryptographic methods (e.g. end-to-end encryption) strengthen trust in digital communication tools such as e-mail and messenger services. To protect companies from industrial espionage by third countries and citizens from cybercriminals, the EU should support the advancement and use of cryptographic methods. German industry calls on the European Commission, the European Parliament and the EU Member States to promote encryption without demanding any measures that could weaken cryptographic procedures. While German industry recognises that competent authorities need access to electronic evidence in order to conduct successful investigations, bring criminals to justice, protect victims and help ensure security, national authorities must also see the potential downsides that weakening encryption can have for Europe’s digital sovereignty. Moreover, weakening encryption in Europe could set a precedent for authoritarian regimes. Therefore, German industry urges policy makers to refrain from any measure that could weaken encryption. We strictly oppose any technical solutions such as backdoors or master keys, as their mere existence would weaken encryption in the EU.
Europe needs not fewer, but more trustworthy IT solutions to reap the benefits of the digital transformation in administration, industry and society. To this end, European legislators should be proponents of strong encryption and should increasingly promote the development of post-quantum cryptography to accommodate future requirements for secure communication.

Article 2 in conjunction with Annex I and II – Scope

Text proposed by the Commission:
(1) This Directive applies to public and private entities of a type referred to as essential entities in Annex I and as important entities in Annex II. This Directive does not apply to entities that qualify as micro and small enterprises within the meaning of Commission Recommendation 2003/361/EC.

Proposed Amendment:
(1) This Directive applies to public and private entities of a type referred to as essential entities in Annex I and as important entities in Annex II. This Directive does not apply to entities that qualify as micro, small and medium enterprises within the meaning of Commission Recommendation 2003/361/EC, except for those SMEs that are suppliers of critical hardware and software to essential entities or that can be defined as critical in any other way.

Explanation: We welcome the exemptions for micro and small enterprises, as these often do not have the necessary financial means and capacities to fulfil the far-reaching obligations stipulated in the NIS 2-Directive. However, we expect that especially smaller SMEs (50 to 100 employees), which do not fall under the “size cap” because they have 50 or more employees or an annual turnover of more than 10 Mio. Euro, will face considerable challenges in meeting the far-reaching risk management measures and reporting obligations. Therefore, we call on the co-legislators to exempt all SMEs within the meaning of Commission Recommendation 2003/361/EC from the scope of the Directive, i.e. all companies (at least those operating in sectors classified as “important”) with fewer than 250 employees and an annual turnover not exceeding 50 Mio. Euro. An exception to this exclusion shall apply to SMEs that supply critical hardware and software solutions to essential entities or that can be defined as “critical” in supply chains in any other regard. This adaptation would ensure that the NIS 2-Directive follows a functional, risk-based approach and strengthens the EU’s cyber-resilience without putting unacceptably high burdens on smaller entities. By focusing on companies rather than on individual plants, the EU Commission seems to aim at protecting the operational continuity of factories, the operational continuity of administrative and sales processes, know-how and trade secrets, as well as the reliability and quality of products. In their joint letter, the heads of state and government of Denmark, Estonia, Finland and Germany urge the European Commission to “identify systems of critical technologies and strategic sectors”1. German industry supports this approach. Companies should not be included in the Directive’s scope solely based on NACE sectors or their size, but rather according to a product’s or service’s importance for the supply chain and an enterprise’s criticality for society.

Otherwise, a huge number of companies will compete for the very few IT security specialists available on the market. This would result in exorbitant costs for basic cybersecurity measures. Hence, especially smaller entities would have difficulties paying for IT security expertise. This has the potential to weaken rather than strengthen Europe’s cyber-resilience.
1 Cf. Prime Minister’s Office. 2021. Finland, Germany, Denmark and Estonia call on EU to accelerate digital transformation. URL: https://vnk.fi/en/-/finland-germany-denmark-and-estonia-call-on-eu-to-accelerate-digital-transformation
Text proposed by the Commission: (none; new paragraph)

Proposed Amendment:
(7) Where an operator of essential services relies on a third-party digital service provider for the provision of a service which is essential for the maintenance of critical societal and economic activities, any significant impact on the continuity of the essential services due to an incident affecting the digital service provider shall be notified by that operator.

Explanation: The current proposal does not sufficiently address the reality of B2B interactions, in which one essential service provider might be the client of another essential service provider. This could lead to legal ambiguity and overlapping reporting obligations. From our point of view, a business client that is itself an essential entity and uses third-party digital services or digital infrastructure to serve multiple end users would be better positioned to assess the impact and gravity of an incident than the essential entity providing the digital service or infrastructure. Under the current proposal, a cloud provider or any other digital infrastructure provider deemed essential would have to report to the regulator without having the necessary information or overview of the end users affected.
Text proposed by the Commission:
Annex II: Waste management: Undertakings carrying out waste management referred to in point (9) of Article 3 of Directive 2008/98/EC but excluding undertakings for whom waste management is not their principal economic activity

Proposed Amendment:
Annex II: Municipal waste management: Undertakings carrying out waste management of municipal waste referred to in point (9) of Article 3 of Directive 2008/98/EC but excluding undertakings for whom waste management is not their principal economic activity

Explanation: German industry recognises the importance of the waste management sector. However, we advocate narrowing the scope to municipal waste management, since the management of municipal waste is of paramount importance for maintaining public health and safety.

Article 4 – Definitions

Text proposed by the Commission:
(1) ‘network and information system’ means:
(a) an electronic communications network within the meaning of Article 2(1) of Directive (EU) 2018/1972;
(b) any device or group of inter-connected or related devices, one or more of which, pursuant to a program, perform automatic processing of digital data;
(c) digital data stored, processed, retrieved or transmitted by elements covered under points (a) and (b) for the purposes of their operation, use, protection and maintenance;

Proposed Amendment:
(1) ‘network and information system’ means:
(a) an electronic communications network within the meaning of Article 2(1) of Directive (EU) 2018/1972;
(b) any device or group of inter-connected or related devices, one or more of which, pursuant to a program, perform automatic processing of digital data, which are integrated into the IT and/or OT system of an essential or important entity pursuant to Article 2 of this Directive and which fulfil there functionalities that are of importance for the proper operational capacity, integrity and/or availability of the entity;
(c) digital data stored, processed, retrieved or transmitted by elements covered under points (a) and (b) for the purposes of their operation, use, protection and maintenance;

Explanation: Clear and unambiguous definitions are of utmost importance to ensure legal certainty. To this end, German industry urges the European Commission, the European Parliament and the Council to revise the proposed definition of “network and information system”. The current definition does not specify that the “device or group of inter-connected or related devices” described in point (1)(b) are only those devices that are integrated into the IT or OT system of an essential or important entity. Since the aim of the NIS 2-Directive is to ensure the integrity, availability and operational capacity of essential and important entities, the definition of “network and information system” should be limited to those devices that are of paramount importance for guaranteeing these goals.
Text proposed by the Commission:
(5) ‘incident’ means any event compromising the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or of the related services offered by, or accessible via, network and information systems;

Proposed Amendment:
(5) ‘incident’ means any unwanted or unexpected event compromising the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or of the related services offered by, or accessible via, network and information systems;

Explanation: A company’s internal cybersecurity measures, such as internal security and penetration tests or scans, could qualify as an “incident” under this definition. Therefore, the definition of “incident” should be narrowed so that such internally triggered events fall outside the scope of the Directive. We therefore propose inserting “unwanted or unexpected” into the definition.
Text proposed by the Commission:
(17) ‘online marketplace’ means a digital service within the meaning of Article 2 point (n) of Directive 2005/29/EC of the European Parliament and of the Council

Proposed Amendment:
(17) ‘online marketplace’ means a digital service within the meaning of (insert correct reference, the current one seems to be incorrect). Excluded from this definition are services that only enable online contracting on a website as a minor service subordinated to the main service with a different focus.

Explanation: Providers of online marketplaces (Annex II No. 6) are classified as “important entities”. Again, the EU Commission does not explicitly distinguish between entities whose service is primarily an online marketplace and entities that merely “offer” an online marketplace as a service subordinate to another business activity. Such “second-order” online marketplaces should be excluded from the Directive’s scope.
Text proposed by the Commission:
(19) ‘cloud computing service’ means a digital service that enables on-demand administration and broad remote access to a scalable and elastic pool of shareable and distributed computing resources;

Proposed Amendment:
(19) ‘cloud computing service’ means a digital service that in its core function enables on-demand administration and broad remote access to a scalable and elastic pool of shareable and distributed computing resources. Excluded from this definition are services that only use cloud computing services of a third party as a partial performance to be able to provide their own service with a different focus.

Explanation: The term “cloud computing service provider” (Annex I No. 8) is too wide and imprecise. The current wording covers not only providers of mere distributed storage and computing capacity, but also software providers who offer storage in a cloud in connection with their software products used online. With the continuing virtualisation of information technology, the very broad definition could lead to an increasing number of services falling into this category. Hence, the NIS 2-Directive should distinguish between “digital service providers” on the one hand and users, such as “enterprises” or “operators of essential services”, on the other hand, who in turn require “digital services” as a basis for providing their own services. Only providers of cloud-based software products whose services enable essential utility services should fall under the Directive’s scope. In contrast, companies that use a “digital service” to provide their own SaaS offering, without that offering being focused on the provision of cloud capacity to users, should be explicitly excluded from the Directive’s scope.
Text proposed by the Commission: (none; new definition)

Proposed Amendment:
(27) ‘management body’ means an institution’s body or bodies, which are appointed in accordance with national law, which are empowered to set the institution’s strategy, objectives and overall direction, and which oversee and monitor management decision-making, and include the persons who effectively direct the business of the institution

Explanation: The European Commission must introduce a definition of “management body” that specifies who is the addressee of the requirements pursuant to Article 17. We propose a definition similar to the one introduced by Directive 2013/36/EU (CRD).
Article 6 – Coordinated vulnerability disclosure and a European vulnerability registry

Text proposed by the Commission:
2. ENISA shall develop and maintain a European vulnerability registry. To that end, ENISA shall establish and maintain the appropriate information systems, policies and procedures with a view in particular to enabling important and essential entities and their suppliers of network and information systems to disclose and register vulnerabilities present in ICT products or ICT services, as well as to provide access to the information on vulnerabilities contained in the registry to all interested parties. The registry shall, in particular, include information describing the vulnerability, the affected ICT product or ICT services and the severity of the vulnerability in terms of the circumstances under which it may be exploited, the availability of related patches and, in the absence of available patches, guidance addressed to users of vulnerable products and services as to how the risks resulting from disclosed vulnerabilities may be mitigated.

Proposed Amendment:
2. ENISA shall swiftly develop and maintain a European, yet internationally compatible, vulnerability registry. To that end, ENISA shall establish and maintain the appropriate information systems, policies and procedures with a view in particular to enabling important and essential entities and their suppliers of network and information systems to disclose and register vulnerabilities present in ICT products or ICT services, as well as to provide access to the information on vulnerabilities contained in the registry to all interested parties after the producer of an ICT product or the provider of an ICT service has had sufficient time to provide customers with an update or a patch. The registry shall, in particular, include information describing the vulnerability, the affected ICT product or ICT services and the severity of the vulnerability in terms of the circumstances under which it may be exploited, the availability of related patches and, in the absence of available patches, guidance addressed to users of vulnerable products and services as to how the risks resulting from disclosed vulnerabilities may be mitigated.
3. CSIRTs, competent authorities pursuant to Article 8 of this Directive and all other authorities of the EU and its Member States shall, applying coordinated vulnerability disclosure principles, immediately inform the producer of an ICT product or the provider of an ICT service of any vulnerability in such products or services they become aware of. No public authority in the Union shall hold back this information.

Explanation: German industry appreciates the European Commission’s approach of addressing cyber-resilience holistically and thereby also paying closer attention to the cyber-resilience of products and services. Any security vulnerability, regardless of whether it is an unintentional bug in the product or an intentional backdoor, should be included in the registry. Manufacturers of such products should not only be obliged to report security gaps, but also to close them swiftly. In order to keep the effort for everyone involved as low as possible, the European Commission needs to implement a lean and efficient reporting process. The European Union should institutionalise coordinated vulnerability disclosure based on international standards, such as ISO/IEC 29147:2018 (Information technology – Security techniques – Vulnerability disclosure), and on the CVE programme. Within CVE, trustworthy organisations around the world nowadays act as CVE Numbering Authorities in a voluntary programme, so that cybersecurity experts can more easily prioritise and address vulnerabilities.

When disclosing vulnerabilities, ENISA must cooperate with the respective manufacturer of a product or provider of a service and inform them prior to any public disclosure. Manufacturers of ICT products and providers of ICT services must have the chance to provide their customers with updates or patches to mitigate the risks of the respective vulnerability before it is publicly disclosed by a third party. Otherwise, attackers could exploit the disclosed information, which would have serious repercussions for Europe’s cyber-resilience. Therefore, a timeframe should be established for how quickly ENISA must notify the manufacturer and how long the manufacturer has to review the report, respond to it and roll out a fix if necessary. Reporting vulnerabilities should not be a one-way street. Rather, public entities, including intelligence services, must be obliged to report their knowledge of vulnerabilities as well. German industry calls on the European Commission to integrate into Article 6 a requirement obliging government agencies of EU Member States to immediately report any information on vulnerabilities or backdoors in IT products to the respective manufacturers and/or ENISA. Currently, government agencies frequently hold back such knowledge, which represents a significant threat to Europe’s cyber-resilience. This is especially the case when serious vulnerabilities in ICT products or services used in critical entities are concerned. Moreover, CSIRTs must never have the power to suppress or delay the disclosure of a detected vulnerability.

Article 7 – National cybersecurity crisis management frameworks

Text proposed by the Commission:
(none; new paragraph)

Proposed Amendment:
5. Member States shall consult in a structured manner essential and important entities when developing the plans according to paragraph 2, in order to ensure the provision of the services provided by essential entities during large-scale incidents and crises.

Explanation: As the SolarWinds case as well as the attack on the Ukrainian power grid in December 2015 demonstrated, cyber incidents can have far-reaching repercussions. Therefore, German industry welcomes the EU Commission’s proposal that every Member State has to adopt a national cybersecurity incident and crisis response plan. When developing and drafting such plans, Member States should be required to consult essential and important entities, as these companies provide vital services for society.

Article 15 – Report on the state of cybersecurity in the Union

Text proposed by the Commission:
Report on the state of cybersecurity in the Union
1. ENISA shall issue, in cooperation with the Commission, a biennial report on the state of cybersecurity in the Union. The report shall in particular include an assessment of the following:
(a) the development of cybersecurity capabilities across the Union;
(b) the technical, financial and human resources available to competent authorities and cybersecurity policies, and the implementation of supervisory measures and enforcement actions in light of the outcomes of peer reviews referred to in Article 16;
(c) a cybersecurity index providing for an aggregated assessment of the maturity level of cybersecurity capabilities.

Proposed Amendment:
Daily updated management report on cybersecurity in the Union
1. ENISA shall issue, in cooperation with the national competent authorities, a daily updated management report. The daily updated management report shall in particular include:
(a) an overview of new threat vectors that have been reported by entities pursuant to Article 2;
(b) an analysis of new attack vectors;
(c) an overview of vulnerabilities that have been published in the register pursuant to Article 6.

Explanation: A biennial ENISA report that mainly includes general information will not augment the EU’s cyber-resilience. Rather, ENISA should publish up-to-date information on cybersecurity incidents online. A daily updated, holistic situation picture as well as daily updated, sector-specific warnings would significantly help essential and important entities to benefit from the data aggregated at national competent authorities and thereby to better protect their business processes. Such information would support the cybersecurity risk mitigating measures of essential and important entities.

Article 17 – Governance

Text proposed by the Commission:
(1) Member States shall ensure that the management bodies of essential and important entities approve the cybersecurity risk management measures taken by those entities in order to comply with Article 18, supervise its implementation and be accountable for the non-compliance by the entities with the obligations under this Article.

Proposed Amendment:
(1) Member States shall ensure that the management bodies of essential and important entities approve the cybersecurity risk management measures taken by those entities in order to comply with Article 18 and supervise its implementation.

Explanation: BDI recognises that management bodies are responsible for the cybersecurity strategy of an essential or important entity. This step will help to significantly increase awareness of cybersecurity issues among top-level management. However, we regard it as important that the European Commission recognises that the management bodies of essential and important entities have IT security personnel at their disposal who possess the necessary qualifications to develop and implement an entity’s cybersecurity strategy. Consequently, it has to be questioned whether members of management bodies have to pass a respective training or whether reports by CISOs or IT security personnel are equally sufficient to provide members of management bodies with in-depth information. Moreover, personal accountability for non-compliance is a step too far, especially if the goal is to ensure appropriate cybersecurity awareness in companies across sectors.
Text proposed by the Commission:
(2) Member States shall ensure that members of the management body follow specific trainings, on a regular basis, to gain sufficient knowledge and skills in order to apprehend and assess cybersecurity risks and management practices and their impact on the operations of the entity.

Proposed Amendment:
(2) Member States shall ensure that members of the management body follow specific trainings, on a regular basis, to gain sufficient knowledge and skills in order to apprehend and assess cybersecurity risks and management practices and their impact on the operations of the entity.
(3) The European Commission will publish, no later than six months after the entry into force of this Directive and after consulting business associations, binding recommendations on what constitutes sufficient knowledge and skills according to paragraph 2 of this Article.

Explanation: If the European Commission regards mandatory IT security training for members of management bodies as necessary, it should swiftly define what constitutes “sufficient knowledge and skills” in order to provide guidance on which skills are considered adequate to implement the Commission’s requirements. Moreover, such recommendations must be the same across the EU to ensure that members of management bodies are not confronted with diverging requirements across the Single Market and, in a worst-case scenario, have to undergo different trainings per country.

Article 19 – EU coordinated risk assessments of critical supply chains

Based on the experience of the EU’s coordinated risk assessment on 5G, German industry welcomes the proposal to conduct such risk assessments of critical supply chains. However, the measures proposed after such an analysis has been conducted must be proportionate and always foresee a sufficient implementation period.

Article 20 – Reporting obligations

Text proposed by the Commission:
5. Member States shall ensure that, for the purpose of the notification under paragraph 1, the entities concerned shall submit to the competent authorities or the CSIRT:
(a) without undue delay and in any event within 24 hours after having become aware of the incident, an initial notification, which, where applicable, shall indicate whether the incident is presumably caused by unlawful or malicious action;
(b) upon the request of a competent authority or a CSIRT, an intermediate report on relevant status updates;
(c) a final report not later than one month after the submission of the report under point (a), including at least the following:
(i) a detailed description of the incident, its severity and impact;
(ii) the type of threat or root cause that likely triggered the incident;
(iii) applied and ongoing mitigation measures.
Member States shall provide that in duly justified cases and in agreement with the competent authorities or the CSIRT, the entity concerned can deviate from the deadlines laid down in points (a) and (c).

Proposed Amendment:
5. Member States shall ensure that, for the purpose of the notification under paragraph 1, the entities concerned shall submit to the competent authorities or the CSIRT:
(a) without undue delay and in any event within 72 hours after having become aware of the incident, an initial notification, which, where applicable, shall indicate whether the incident is presumably caused by unlawful or malicious action;
(b) upon the request of a competent authority or a CSIRT, a maximum of one intermediate report on relevant status updates;
(c) a final report not later than one month after the entity has finished its forensic analysis as well as other measures to handle the incident and its potential business implications, including at least the following:
(i) a detailed description of the incident, its severity and impact;
(ii) the type of threat or root cause that likely triggered the incident;
(iii) applied and ongoing mitigation measures.
Member States shall provide that in duly justified cases and in agreement with the competent authorities or the CSIRT, the entity concerned can deviate from the deadlines laid down in points (a) and (c). Member States shall ensure that any reporting obligation is in full compliance with the Union’s data protection rules or respective international legal obligations.

Explanation: When confronted with a cyber incident, essential and important entities must first focus on all necessary measures to minimise the implications of the incident, rather than having to fulfil reporting obligations. Business continuity, saving jobs and thereby supporting social cohesion in a region have to be the first priority. Reporting can only come second. Therefore, companies should be required to notify competent authorities only within 72 hours after identifying a successful attack. Furthermore, CSIRTs should be allowed to ask for a maximum of one interim report. Moreover, since the investigation time for a complex cybersecurity incident often amounts to half a year, handing in a final report after one month is not possible. Therefore, the final report should be handed in to the competent national authorities no later than one month after the entity has finished its forensic analysis and has conducted all other measures necessary to ensure business continuity and to handle the notified cybersecurity incident. Such longer deadlines for handing in a final report are pertinent to ensure that companies can focus on mitigating the cybersecurity incident in the first place and that the full operational capacity of a company is swiftly regained. This is in the interest of both shareholders and stakeholders, employees and employers, as well as the wider community.
Text proposed by the Commission
Proposed Amendment
(12) Member States shall establish, within 12 months after transferring this Directive into national law, a one-stop-shop solution through which entities pursuant to Article 2 and Annex I and II of this Directive can report incidents according to this Article and the respective requirements pursuant to Regulation (EU) 2016/679.
Explanation
If the European Commission seeks to introduce far-reaching reporting obligations, an efficient reporting process has to be established across all EU Member States. The creation of an efficient, harmonised reporting channel to one competent authority (one-stop-shop principle), instead of reporting obligations to various national and/or European authorities, such as competent authorities for cybersecurity and data protection officers, is paramount. Otherwise, especially smaller companies will be overburdened by reporting obligations and cannot sufficiently address the actual cyber incident.
Article 22 – Standardisation
Text proposed by the Commission
Proposed Amendment
In order to promote the convergent implementation of Article 18(1) and (2), Member States shall, without imposing or discriminating in favour of the use of a particular type of technology, encourage the use of European or internationally accepted standards and specifications relevant to the security of network and information systems.
1. In order to promote the convergent implementation of Article 18(1) and (2), ENISA shall, without imposing or discriminating in favour of the use of a particular type of technology, encourage the use of European or internationally accepted standards and specifications relevant to the security of network and information systems.
Explanation
German industry welcomes the technology-neutral approach adopted by the European Commission regarding recommendations for the implementation of cybersecurity risk mitigating measures. Furthermore, we welcome that – in contrast to Germany’s new IT Security Law 2.0 – the European Commission focuses on the adoption of European and international standards. This will facilitate the spread of such universal standards. However, to ensure that entities operating in more than one country do not have to fulfil diverging requirements, German industry would welcome it if ENISA were to recommend basic guidelines for such measures for the entire EU.
Article 24 – Jurisdiction and territoriality
Text proposed by the Commission
Proposed Amendment
1. DNS service providers, TLD name registries, cloud computing service providers, data centre service providers and content delivery network providers referred to in point 8 of Annex I, as well as digital providers referred to in point 6 of Annex II shall be deemed to be under the jurisdiction of the Member State in which they have their main establishment in the Union.
1. DNS service providers, TLD name registries, cloud computing service providers, data centre service providers and content delivery network providers referred to in point 8 of Annex I, as well as digital providers referred to in point 6 of Annex II shall be deemed to be under the jurisdiction of the Member State in which they have their group’s main establishment in the Union.
2. For the purposes of this Directive, entities referred to in paragraph 1 shall be deemed to have their main establishment in the Union in the Member State where the decisions related to the cybersecurity risk management measures are taken. If such decisions are not taken in any establishment in the Union, the main establishment shall be deemed to be in the Member State where the entities have the establishment with the highest number of employees in the Union.
2. For the purposes of this Directive, entities referred to in paragraph 1 shall be deemed to have their group’s main establishment in the Union in the Member State where the decisions related to the cybersecurity risk management measures are taken. If such decisions are not taken in any establishment in the Union, the main establishment shall be deemed to be in the Member State where the entities have the establishment with the highest number of employees in the Union.
Explanation
German industry welcomes that DNS service providers, TLD name registries, cloud computing service providers, data centre service providers and content delivery network providers referred to in point 8 of Annex I of the NIS 2-Directive fall under the jurisdiction of the Member State in which they have their main establishment in the Union. For companies in the ICT sector it is important to fall under the jurisdiction of just one Member State, as it significantly reduces the reporting obligations. Therefore, it needs to be clarified that an entity’s main establishment equates to the group’s headquarters in the Union and not only to the national entity’s headquarters in a Member State.
Article 25 – Registry for essential and important entities
Text proposed by the Commission
Proposed Amendment
3. Upon receipt of the information under paragraph 1, ENISA shall forward it to the single points of contact depending on the indicated location of each entity’s main establishment or, if it is not established in the Union, of its designated representative. Where an entity referred to in paragraph 1 has besides its main establishment in the Union further establishments in other Member States, ENISA shall also inform the single points of contact of those Member States.
3. Upon receipt of the information under paragraph 1, ENISA shall forward it to the single points of contact depending on the indicated location of each entity’s main establishment or, if it is not established in the Union, of its designated representative. Where an entity referred to in paragraph 1 has besides its main establishment in the Union further establishments in other Member States, ENISA shall also inform the single points of contact of those Member States. Entities shall only be obliged to report the information under paragraph 1 to ENISA and not in addition to the single points of contact in the Member States. ENISA shall ensure the exchange of this information with national competent authorities.
Explanation
The Federation of German Industry welcomes the idea of an EU-wide registry for DNS service providers, TLD name registries, cloud computing service providers, data centre service providers and content delivery network providers. However, the EU’s proposal will increase the administrative burden for the respective companies. Therefore, it should be made clear that a registration only has to be conducted once at ENISA and that ENISA will provide national competent authorities with all necessary information. In addition, the mere existence of a registry with information about all cyber establishments in the Union can in itself represent a cybersecurity risk. If the registry is to be created, all information shared with ENISA needs to be treated with the highest degree of confidentiality. Moreover, effective cybersecurity measures, including encryption, would need to be in place to protect the information in such a registry.
Article 26 – Cybersecurity information-sharing arrangements
German industry appreciates this proposal since experience from the UP KRITIS, the German public-private partnership bringing together experts from operators of critical entities and representatives of government agencies, showcases the benefits of a regular exchange on cybersecurity topics between such companies and the respective public authorities. In order to ensure the protection of intellectual property and business know-how, the extent and scope of this exchange need to be clearly defined. Moreover, it has to be ensured that all essential and important entities can join such cybersecurity information-sharing arrangements. Experiences with non-profit platforms such as the German CERT Association (“Deutscher CERT Verbund”) and the CERT@VDE have also proven for years that trustful cooperation based on a voluntary commitment by companies works well.
Article 27 – Voluntary notification of relevant information
German industry appreciates that voluntary reporting shall not result in the imposition of any additional obligations upon the reporting entity to which it would not have been subject had it not submitted the notification. At the same time, however, national competent authorities should be obliged to respond to such notifications within two days. If companies are provided with benefits when reporting cybersecurity incidents, the number of notifications is likely to rise. Thereby, the national competent authorities will gain a more holistic picture of the current cyberthreat landscape.
Article 29 – Supervision and enforcement for essential entities
Text proposed by the Commission
Proposed Amendment
Paragraph six
Member States shall ensure that any natural person responsible for or acting as a representative of an essential entity on the basis of the power to represent it, the authority to take decisions on its behalf or the authority to exercise control of it has the powers to ensure its compliance with the obligations laid down in this Directive. Member States shall ensure that those natural persons may be held liable for breach of their duties to ensure compliance with the obligations laid down in this Directive.
deleted
Explanation
As the NIS 2-Directive already includes very far-reaching supervision and enforcement powers – including fines – it should be the responsibility of the respective entity to take any necessary employee-related measures. The competent authority shall not have the competence to oust any employee – including members of the management body. In addition to the responsibility of entities to maintain an adequate level of IT security and to avoid any violations of the duties outlined in the NIS 2-Directive, the Directive also establishes responsibilities and sanctions directed at single employees “exercising managerial functions”. Since the term “management” is used too broadly in companies across the Union, German industry opposes such a far-reaching personal liability of individual employees.
Article 30 – Supervision and enforcement for important entities
Text proposed by the Commission
Proposed Amendment
2. (c) security scans based on objective, fair and transparent risk assessment criteria;
deleted
Explanation
Furthermore, we point out that intrusive and unannounced “security scans” are problematic with regard to cyber security as, if done incorrectly, they could trigger a cyber incident of their own. Therefore, this option should be deleted.
Text proposed by the Commission
Proposed Amendment
4. (b) issue binding instructions or an order requiring those entities to remedy the deficiencies identified or the infringement of the obligations laid down in this Directive;
4. (b) issue an order requiring those entities to remedy the deficiencies identified or the infringement of the obligations laid down in this Directive;
Explanation
It is in important entities’ intrinsic interest to maintain a high degree of cyber-resilience. In this regard it should be noted that companies are best equipped to conduct any necessary measure to enhance their cyber-resilience. Therefore, we oppose granting competent authorities any possibility to “issue binding instructions”, as stipulated in Article 30 Nr. 4 point (b). If competent authorities were provided with such far-reaching competencies, the European Commission has to clarify that the competent authority will bear any cost resulting from such measures.
Article 31 – General conditions for imposing administrative fines on essential and important entities
Text proposed by the Commission
Proposed Amendment
4. Member States shall ensure that infringements of the obligations laid down in Article 18 or Article 20 shall, in accordance with paragraphs 2 and 3 of this Article, be subject to administrative fines of a maximum of at least 10 000 000 EUR or up to 2% of the total worldwide annual turnover of the undertaking to which the essential or important entity belongs in the preceding financial year, whichever is higher.
4. Member States shall ensure that infringements of the obligations laid down in Article 18 or Article 20 shall, in accordance with paragraphs 2 and 3 of this Article, be subject to administrative fines of a maximum of two million EUR.
Explanation
In order to ensure that all entities implement the cybersecurity risk mitigation measures laid down in Article 18 and fulfil their reporting obligations pursuant to Article 20, the introduction of administrative fines seems justified. However, a significant reduction of the maximum level of administrative fines imposed on entities seems necessary. Unlike in the case of data protection (cf. GDPR), the legal interest to be protected here is not a fundamental right (GDPR = right to informational self-determination; vs NIS 2 = cybersecurity of essential and important entities). Nor do the considerations regarding data protection law – which have led to fines being calculated on the basis of group sales – fit with regard to the NIS 2 Directive. Therefore, the maximum level of administrative fines should be no higher than two million Euros without any reference to annual turnover. Such a level would strike an acceptable balance between the intent to punish companies violating the requirements stipulated in Articles 18 and 20, and German industry’s requirement for administrative fines that are not excessive. This is particularly important since, according to a Bitkom study from 2019, the consequences of successful cyberattacks already amount to costs of more than 100 billion euros per year for the German economy.2
2 Bitkom. 2019. Wirtschaftsschutz in der digitalen Welt. URL: https://www.bitkom.org/sites/default/files/2019-11/bitkom_wirtschaftsschutz_2019_0.pdf (Accessed on 14th January 2021).
Article 35 – Review
German industry strongly appreciates the EU Commission’s clear statement of a regular review of the functioning of the Directive. This is of utmost importance to ensure that the regulatory framework concerning the cybersecurity requirements imposed on essential and important entities is adequate in light of the existing cyberthreat landscape.
Imprint
Bundesverband der Deutschen Industrie e.V. (BDI)
Breite Straße 29, 10178 Berlin
www.bdi.eu
T: +49 30 2028-0
EU Transparency Register: 1771817758-48
Editor
Steven Heckler
Deputy Head of Department Digitalisation and Innovation
T: +49 30 2028-1523
s.heckler@bdi.eu
Lars Jüngling-Dahlhoff
Intern
l.juengling-dahlhoff@bdi.eu
BDI document number: D 1391