POSITION | CYBERSECURITY | EUROPEAN LEGISLATION
NIS 2-Directive: Evaluation of the ITRE Committee’s compromise position German industry’s adjusted position based on the ITRE Committee’s amendments to the EU Commission’s proposal for a NIS 2 Directive
29 November 2021

Executive Summary

German industry welcomes the European Union’s aim to significantly strengthen Europe's cyber-resilience and to create a level playing field for essential and important entities across the European Union. Cyber and IT security are the basis for a long-term secure digital transformation of the state, economy and society. All those involved – from hardware and software manufacturers to commercial operators, private users and government agencies – must be actively and holistically involved in strengthening cyber-resilience. German industry will continue to make its contribution to this, because a high degree of cyber-resilience is a basic prerequisite for the trouble-free functioning of highly digitalised processes in companies. We very much appreciate the diligent work done by the European Parliament’s ITRE Committee and in particular rapporteur Bart Groothuis. Among the ITRE Committee’s positive amendments we would like to stress:

▪ encryption (recital 54): German industry appreciates the more positive language of recital 54 which recognises the importance of encryption and other cybersecurity measures. We urge the co-legislators to refrain from any measure that could weaken encryption. Cryptographic methods (e.g. end-to-end cryptography) strengthen trust in digital communication tools and help protect entities from espionage and sabotage; hence, they must be legally safeguarded.

▪ scope (Annex I): German industry appreciates the inclusion of research institutions into the Directive’s scope since businesses often collaborate with these institutions for research projects. In terms of supply-chain security and to prevent industrial espionage and sabotage, including especially larger entities of various sectors of the value chain into the Directive’s scope seems to be reasonable.

▪ supervision (Article 29): German industry appreciates that the ITRE Committee changed Article 29 paragraph 5b insofar as a temporary ban against any person holding managerial responsibilities at chief executive officer or legal representative level in that essential entity is now considered only as an ultima ratio. Moreover, we very much appreciate the deletion of any reference to other employees as they do not have the necessary decision powers within an entity to implement certain measures regarded as necessary by law if a CEO withholds the necessary money for such activities. Therefore, we welcome the newly introduced language in comparison to previous wordings. To this end, the wording of Paragraph 6 should mirror the wording of Paragraph 5b.
Steven Heckler | Digitalisation and Innovation | T: +49 30 2028-1523 | S.Heckler@bdi.eu | www.bdi.eu
Nonetheless, German industry continues to see the need for far-reaching amendments to the NIS 2 Directive’s text. The proposed Directive should enhance Europe’s cyber-resilience holistically without introducing too much bureaucracy. To ensure that the NIS 2 Directive will at the same time not overstrain companies, German industry proposes the following further amendments to the NIS 2 proposal:

▪ harmonisation (Article 3 + entire directive): With the current proposal, the co-legislators again miss an opportunity to foster harmonisation and legal clarity, and simultaneously to reduce double regulation. During the trilogue, the co-legislators should create a coherent common level of cybersecurity within the internal market. Therefore, the relation between the NIS 2 Directive and sectoral cybersecurity obligations introduced by Union law must be clarified.

▪ scope (Article 2 & Annex I+II): While we recognise the necessity to broaden the scope, all SMEs falling into the sectors outlined in Annex I and II should be exempted from the scope, apart from those SMEs that are suppliers of critical hardware and software to essential entities.

▪ definitions (Article 4): BDI urges the co-legislators to alter the proposed definitions of “network and information system”, “online marketplaces” and “cloud computing services”. Also, a definition of “management bodies” should be introduced in the NIS 2 Directive.

▪ national cybersecurity strategy (Article 5): Efficient state cyber defence (Paragraph 2 point hb) is an indispensable component for maintaining cybersecurity. However, a spiral of escalation between countries as well as national and international cyber-criminals must be avoided. The development of international rules for responsible state behaviour in cyberspace would therefore be preferable to the development of purely national approaches.

▪ ENISA’s cybersecurity report (Article 15): ENISA publishing a biennial report that includes merely general information will not augment the EU’s cyber-resilience. Rather, ENISA should publish online up-to-date information on cybersecurity incidents on a daily basis.

▪ management bodies (Article 17 in conjunction with 29): We recognise the responsibility of management bodies for the cybersecurity strategy of an entity. However, no single employee should be held accountable for any cybersecurity-related misconduct – this especially applies to those employees that do not have ultimate budgetary decision-making competences. We urge the Commission to swiftly publish – after having consulted with industry and other stakeholders – binding recommendations on what constitutes sufficient knowledge and skills.

▪ obligations, supervision and enforcement (Articles 18, 20, 29 and 30): While we recognise the need to include various sectors into the Directive’s scope to enhance cyber-resilience along value chains, we regard a better differentiation between essential and important entities in terms of obligations, cybersecurity measures, supervision and enforcement as important.

▪ reporting obligations (Article 20): We urge the co-legislators to prolong the reporting period for all incidents to 72 hours – especially for important entities. The number of reports should be limited to three – with a maximum of one intermediate report. National competent authorities must have sufficient resources to process this information in a timely manner.

▪ supervision and enforcement (Article 29): We recognise that supervision and enforcement are necessary to achieve a European level playing field. However, these measures must be proportionate, whereas the ITRE Committee’s proposals are excessive. Considering the massive shortage of qualified IT professionals, these professionals should primarily support entities in enhancing their cyber-resilience, rather than conducting annual audits of essential entities.

▪ fines (Article 31): To ensure that all entities implement and fulfil the measures and obligations pursuant to Articles 18 and 20, the introduction of administrative fines seems justified. However, we oppose the excessive fines proposed in Article 31. The co-legislators should limit fines to a maximum of two million Euros and should delete any reference to annual turnover.
Table of Contents

Executive Summary
The EU’s Cybersecurity Strategy 2020: Current cybersecurity situation requires holistic approach
In detail discussion of the ITRE Committee’s compromise amendments to the EU Commission’s proposal for a NIS 2-Directive
Encryption (Number 54)
Scope: Article 2 in conjunction with the List of essential and important entities (Annex I and II)
Minimum harmonisation (Article 3)
Definitions (Article 4)
National cybersecurity strategy (Article 5)
Coordinated vulnerability disclosure and a European vulnerability registry (Article 6)
National cybersecurity crisis management frameworks (Article 7)
Requirements, technical capabilities and tasks of CSIRTs (Article 10)
Report on the state of cybersecurity in the Union (Article 15)
Management bodies of Essential and Important Entities (Article 17)
Cybersecurity risk management measures (Article 18)
EU coordinated risk assessments of critical supply chains (Article 19)
Reporting obligations (Article 20)
Use of European cybersecurity certification schemes (Article 21)
Standardisation (Article 22)
Jurisdiction and territoriality (Article 24)
ENISA registry (Article 25)
Cybersecurity information-sharing arrangements (Article 26)
Voluntary notification of relevant information (Article 27)
Supervision and enforcement for essential entities (Article 29)
Supervision and enforcement for important entities (Article 30)
General conditions for imposing administrative fines on essential and important entities (Article 31)
Review (Article 35)
Imprint
The EU’s Cybersecurity Strategy 2020: Current cybersecurity situation requires holistic approach

A high degree of cyber-resilience is a prerequisite for the effective functioning of highly digitised processes, networkable products and services. This is because the damage caused by cybersecurity incidents is tremendous, both in the private sector and in industry. Current estimates suggest that in 2021, the annual global costs emanating from cybercrime and state-motivated cyberattacks will amount to six trillion US dollars. This would be a doubling of the damage estimated for 2015.[1] Both companies and households are increasingly targeted by cybercriminals. Last year alone, sabotage, data theft and espionage are estimated to have caused 223 billion Euro of damage to German industry[2] – this compares to roughly 110 billion Euro in 2019.[3] Almost every single German company experienced a cyberattack – often entailing phishing, DDoS attacks or infection with various types of malware – causing damage to their business operations over the past years. The damage to private households is much more difficult to quantify, as cybercrime is often unreported and the damage cannot always be directly linked to an incident. The reasons for successful cyberattacks are also extremely diverse and are by no means solely due to characteristics inherent to products (hardware and software): rather, careless handling of data, a lack of knowledge about potential attack vectors, and a lack of willingness to install updates all significantly contribute to the success of cybercriminals.

The potential threat of cyberattacks is unlikely to diminish. As our daily lives are becoming smarter, i.e. more digital and thus more networked, the potential target for cybercriminals is growing immensely. According to current estimates, the number of networked objects worldwide is expected to rise to 125 billion by 2030. This compares to 27 billion networked objects in 2017.[4] By 2022, every German will own about 9.7 networked devices.[5] The advancing spread of digital technologies is creating a wide range of new opportunities, both for private as well as commercial user groups, while simultaneously posing new attack vectors that can potentially be exploited by criminals. Therefore, German industry welcomes the EU Commission’s holistic approach adopted in the EU’s Cybersecurity Strategy 2020. Hence, the NIS 2-Directive[6] can only be a first step towards enhancing the EU-wide level of cyber-resilience. It should be swiftly accompanied by horizontal cybersecurity requirements based on the New Legislative Framework. To this end, we appreciate the European Commission’s announcement of introducing cybersecurity requirements for IoT devices outside the NIS 2-Directive. Together with DIN and DKE, the Federation of German Industries developed a proposal of how the cyber-resilience of products and services could be strengthened.[7] At the same time, it remains of utmost importance that governments refrain from holding back knowledge concerning vulnerabilities or from calling for measures that will weaken encryption.
[1] Cybersecurityventures. 2018. Cybercrime Damages $6 Trillion By 2021. URL: https://cybersecurityventures.com/cybercrimedamages-6-trillion-by-2021/
[2] Bitkom. 2021. Wirtschaftsschutz 2021. URL: https://www.bitkom.org/sites/default/files/2021-08/bitkom-slides-wirtschaftsschutz-cybercrime-05-08-2021.pdf
[3] Bitkom. 2019. Wirtschaftsschutz in der digitalen Welt. URL: https://www.bitkom.org/sites/default/files/201911/bitkom_wirtschaftsschutz_2019_0.pdf
[4] IHS Markit. 2017. The Internet of Things: A movement not a market. URL: https://cdn.ihs.com/www/pdf/IoT_ebook.pdf
[5] CISCO. 2019. Visual Networking Index: Forecast Highlights Tool. URL: https://www.cisco.com/c/m/en_us/solutions/serviceprovider/vni-forecast-highlights.html#
[6] Cf. Eurlex. 2020. Proposal for a DIRECTIVE OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on measures for a high common level of cybersecurity across the Union, repealing Directive (EU) 2016/1148 (COM/2020/823 final). URL: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A52020PC0823
[7] Cf. BDI, DIN, DKE. 2021. EU-wide Cybersecurity Requirements. URL: https://english.bdi.eu/publication/news/eu-wide-cybersecurity-requirements/
In detail discussion of the ITRE Committee’s compromise amendments to the EU Commission’s proposal for a NIS 2-Directive

Ensuring a high degree of cyber-resilience across the European Union is of outstanding importance in light of the increasing interlinkages between sectors and actors, and along supply chains. Therefore, German industry regards the EU Commission’s proposal for repealing Directive (EU) 2016/1148 and proposing a Directive on measures for a high common level of cybersecurity across the Union (NIS 2-Directive) as an important step. However, the European legislator has to strike the right balance between a high degree of cyber-resilience and companies’ abilities to fulfil the cybersecurity risk mitigating measures proposed in the draft NIS 2-Directive. The current proposal does not sufficiently distinguish between essential and important entities and the respective requirements they have to fulfil. According to the current proposal, both essential and important entities will have to implement the same measures regardless of their potential risk or criticality. German industry advocates a risk-based approach that urges all companies to ensure a level of cyber-resilience adequate to their potential risk for society and within supply chains. Hence, the co-legislators should differentiate in greater detail between the requirements that essential entities and those that important entities have to fulfil. In addition, the co-legislators have to ensure that there will be no double regulation. On the following pages, German industry discusses several important dimensions of the EU Commission’s proposal for a NIS 2-Directive and calls on the EU Commission, the European Parliament and Member States to consider these remarks during the legislative process.

Encryption (Number 54)

Summary of legislative proposal: The NIS 2 Directive emphasises the need to promote the usage of end-to-end encryption, which shall be obligatory for entities. The use of end-to-end encryption should be reconciled with the Member States’ powers to ensure the protection of their essential security interests and public security, and to permit the investigation, detection and prosecution of criminal offences in compliance with Union law. However, the European Parliament stressed in its amendment that this should not lead to any efforts to weaken end-to-end encryption, which is a critical technology for effective data protection and privacy.

BDI’s position: Cryptographic methods (e.g. end-to-end cryptography) strengthen trust in digital communication tools such as e-mails and messenger services. To protect companies from industrial espionage by third countries and citizens from cybercriminals, the EU and its Member States should support the advancement and utilisation of cryptographic methods. German industry calls on the European Commission, the European Parliament and the EU Member States to promote encryption without demanding any measures that could weaken cryptographic procedures. While German industry recognises that competent authorities need access to electronic evidence to conduct successful investigations, bring criminals to justice, protect victims and help ensure security, national authorities must also see the potential downsides that a weakening of encryption can have for Europe’s digital sovereignty. Moreover, weakening encryption in Europe could set a precedent for authoritarian regimes. Therefore, German industry urges policy makers to refrain from any measure that could weaken encryption. We strictly oppose any technical solutions, such as backdoors or master keys, as their mere existence would weaken encryption in the EU.
Europe needs not fewer, but more trustworthy IT solutions to reap the benefits of the digital transformation in administration, industry and society. To this end, European legislators should be proponents of strong encryption and should increasingly promote the development of post-quantum cryptography procedures to accommodate future requirements for secure communication.

Proposed changes to the legislative text: In order to safeguard the security of electronic communications networks and services, the use of encryption and other data-centric security technologies, such as tokenisation, segmentation, throttle access, marking, tagging, strong identity and access management, and automated access decisions, should be promoted and, where necessary, should be mandatory for providers of such services and networks in accordance with the principles of security and privacy by default and by design for the purposes of Article 18. The use of end-to-end encryption should be reconciled with the Member States’ powers to ensure the protection of their essential security interests and public security, and to permit the investigation, detection and prosecution of criminal offences in compliance with Union law. However, this should not lead to any efforts to weaken end-to-end encryption, which is a critical technology for effective data protection and privacy. By promoting encryption, the EU will set a positive role model for other parts of the world.

Scope: Article 2 in conjunction with the List of essential and important entities (Annex I and II)

Summary of legislative proposal: The NIS 2 Directive applies to public and private essential and important entities of a type referred to as essential entities in Annex I and as important entities in Annex II that provide their services or carry out their activities within the Union. Essential entities (Annex I) comprise certain entities active in the sectors energy (electricity, district heating and cooling, oil, gas, hydrogen), transport (air, rail, water, road, operators of smart charging services for electric vehicles), banking, financial market infrastructures, health, drinking water, wastewater, digital infrastructure, public administration and space. In addition, important entities are entities active in the sectors postal and courier services, waste management, manufacture, production and distribution of chemicals, food production, processing and distribution, manufacturing of (a) medical devices and in vitro diagnostic medical devices, (b) computers, (c) electronic and optical products, (d) electrical equipment, (e) machinery and equipment, (f) motor vehicles, trailers and semi-trailers and (g) transport equipment, digital providers, online marketplaces, online search engines and social networking services platforms, as well as higher education institutions and research institutions. Most micro and small entities, except those listed by Member States, are exempt from the Directive. According to Art. 2 paragraph 2b, essential and important entities have to submit at least the following information to the national competent authority: (a) the name of the entity; (b) the address and up-to-date contact details, including email addresses, IP ranges, telephone numbers; and (c) the relevant sector(s) and subsector(s) referred to in Annexes I and II.

BDI’s position: In order to enhance Europe’s cyber-resilience holistically, it seems justified to broaden the scope of the Directive, in particular in light of the severe cyberattacks witnessed in recent months. However, the co-legislators have to specify in greater detail the Directive’s protection goal and subsequently adjust the NIS 2-Directive’s scope accordingly. We welcome the exemptions for micro and small enterprises as these often do not have the necessary financial means and capacities to fulfil the far-reaching obligations stipulated in the NIS 2-Directive.
However, we expect that especially smaller SMEs (50 – 100 employees), which do not fall under the “size cap” as they have 50 or more employees or an annual turnover of more than 10 Mio. Euro, will have problems meeting the far-reaching risk management measures and reporting obligations. Therefore, we call on the co-legislators to exempt all SMEs according to Commission Recommendation 2003/361/EC from the scope of the Directive, i.e. all companies – at least those operating in sectors classified as “important” – with ≤ 250 employees or an annual turnover of less than 50 Mio. Euro. An exception to this exclusion shall apply to SMEs that supply critical hardware and software solutions to essential entities or that can be defined as “critical” in supply chains in any other regard. This adaptation would ensure that the NIS 2-Directive follows a functional risk-based approach and strengthens the EU’s cyber-resilience without putting unacceptably high burdens on smaller entities.

With regard to Annex II No. 2, German industry recognises the importance of the waste management sector. However, we advocate narrowing the scope to municipal waste management, since the management of municipal waste is of paramount importance to maintain public health and safety.

The amount of regulation introduced in various sectors of the European economy is increasing year over year. Sectors such as telecommunication, aviation and many more are already highly regulated. Often, the regulatory framework is a hotchpotch consisting of a plethora of regulatory acts – at national and European, and increasingly also international, level. Therefore, we urge the European legislator to step up all efforts leading to enhanced harmonisation between various sector-specific and general regulatory approaches. German industry recognises the importance of regulation; however, we require a regulatory framework in which obligations do not contradict each other.

German industry recognises the importance of aviation as an essential service to the European Union and the desire to declare manufacturers of aviation parts important entities to support this goal. However, EASA has published Opinion 03/2021 to introduce cybersecurity oversight of all aviation organisations. The design and production of aircraft is highly regulated by EASA and the EU Member State Civil Aviation Authorities, and the relevant competent authorities have tight control of the compliant operations of these organisations. By designating these organisations as important entities under the proposed update of the NIS Directive, redundant regulations would be introduced for the same subject area. This would greatly increase operational friction and reduce the competitiveness of the European aviation industry relative to other jurisdictions, as organisations would be required to duplicate efforts to demonstrate their security. The competent authorities for Part IS and the competent authorities for NIS may disagree on acceptable measures, and organisations would be challenged to find cost-effective and mutually acceptable solutions. The aviation industry also has unique constraints on operations resulting from the extensive safety regulations; these constraints may prohibit some standard responses expected by security agencies, which may lead to issues with NIS 2 audits. Therefore, it is preferable to have all oversight performed by aviation authorities, who are aware of acceptable and unacceptable practices in aviation.

German industry welcomes the deletion of references to “potential” in Art. 2 paragraph 2 (d) and (e). This significantly enhances regulatory clarity as it reduces the possibility for arbitrariness or a broad interpretation of the Directive by Member States. German industry welcomes that, according to Art. 2 paragraph 6, where provisions of sector-specific acts of Union law require essential or important entities to adopt cybersecurity risk management measures or to notify incidents, and where those requirements are at least equivalent in effect to the obligations laid down in the NIS 2 Directive, the relevant provisions of the NIS 2 Directive shall not apply. German industry appreciates that the Commission is urged to issue guidelines in relation to the implementation of the sector-specific acts of Union law.
Art. 2 paragraph 6a has in general only a clarifying character. Nonetheless, German industry appreciates that essential and important entities, CERTs, CSIRTs and providers of security technologies and services shall process personal data, to the extent strictly necessary and proportionate for the purposes of ensuring network and information security, to meet the obligations set out in the NIS 2 Directive. The reference to the relevant articles in the GDPR gives obligated parties the necessary legal certainty.

In light of the energy and traffic transition, addressing operators of smart charging services for electric vehicles is a far-sighted step. In order to ensure stability within the electricity network as well as that owners of electric vehicles can charge their vehicles, the proposal to broaden the scope of the NIS 2 Directive to operators of smart charging services for electric vehicles is appreciated.

In terms of a holistic approach to protecting Europe’s cyber-resilience, the European Parliament’s proposal to include higher education and research institutions in the list of essential entities is much appreciated. Especially for collaborations and cooperation between enterprises and research institutions it is very important that both partners apply high cybersecurity standards. Thereby, know-how developed in European research and higher education entities will be better protected against espionage. This ultimately contributes to safeguarding Europe’s digital sovereignty.

- clear definitions: A clear definition of the “type of entity” in Annex I and II would be desirable.

- cloud computing service providers: The term “cloud computing service providers” (Annex I No. 8) is too wide and imprecise. The current wording includes not only the providers of mere distributed storage and computing capacities, but also software providers who offer storage in a cloud in connection with their virtually usable software products. Due to a further virtualisation of information technology, the very broad definition could lead to an increasing number of services falling into this category. Hence, the NIS 2-Directive should distinguish between “digital service providers” on the one hand, and users, such as “enterprises” or “operators of essential services”, on the other hand, who in turn require “digital services” as a basis for providing their services. Only providers of cloud-based software products whose services enable essential utility services should fall under the Directive’s scope. In contrast, companies which use a “digital service” to provide their SaaS without the focus of their own SaaS being on the provision of cloud capacity to users should be explicitly excluded from the Directive’s scope.

- providers of online marketplaces: Providers of online marketplaces (Annex II No. 6) are classified as “important entities”. Again, the EU Commission does not explicitly distinguish between entities whose service is primarily based on an online marketplace and those entities who merely “offer” an online marketplace as a subordinate service to another business activity. Such “second order” online marketplaces should be excluded from the Directive’s scope.

Proposed changes to the legislative text:

Article 2: (1) This Directive applies to public and private essential and important entities of a type referred to as essential entities in Annex I and as important entities in Annex II that provide their services or carry out their activities within the Union. This Directive does not apply to small and medium enterprises or microenterprises within the meaning of Article 2(2) and (3) of the Annex to Commission Recommendation 2003/361/EC, except for those SMEs that are suppliers of critical hardware and software to essential entities or that can be defined as critical in any other way. Article 3 (4) of the Annex of that Recommendation is not applicable.
Annex I and II should only focus on those parts of a company that are important for operative continuity and the protection of know-how and trade secrets. Annex II should be revised as follows:

2. Municipal waste management: Undertakings carrying out waste management referred to in point (9) of Article 3 of Directive 2008/98/EC (29) of municipal waste but excluding undertakings for whom waste management is not their principal economic activity

Amend Annex A.2(6) to recognise Part IS as proposed in EASA Opinion 03/2020 as sector-specific legislation to be considered a lex specialis for aviation manufacturing as an important entity.

Furthermore, the following definitions in Article 4 need to be revised:

(17) ‘online marketplace’ means a digital service within the meaning of (insert correct reference, the current one seems to be incorrect). Excluded from this definition are those online marketplaces where the activities on the marketplace contribute less than 10 percent of an enterprise’s annual revenues.

(19) ‘cloud computing service’ means a digital service that in its core function enables on-demand administration and broad remote access to a scalable and elastic pool of shareable and distributed computing resources. Excluded from this definition are services that utilise cloud computing services of a third party in order to provide their own service outside the area of “cloud computing”.

Minimum harmonisation (Article 3)

Summary of legislative proposal: Member States may adopt or maintain provisions ensuring a higher level of cybersecurity.

BDI’s position: German industry advocates a holistic, overlap-free, EU-wide harmonised regulatory framework on cybersecurity that strikes the right balance between enhancing the EU’s cyber-resilience and avoiding over-regulation and unduly high burdens on European companies. Therefore, Member States should make limited use of the possibility to introduce more far-reaching requirements than those stated in the NIS 2-Directive. Such additional legislative requirements should be limited to sectors that are specific to, or possess specific characteristics in, one Member State. With the current proposal the co-legislators again miss an opportunity to foster harmonisation and legal clarity across the Single Market. The proposal also does not sufficiently address the urgent need to reduce double regulation. During the trilogue, the co-legislators should strive to create a coherent common level of cybersecurity within the internal market.
Definitions (Article 4)

Summary of legislative proposal: Article 4 defines several terms, among them "network and information system" and "near miss".

BDI's position: Clear and unambiguous definitions are of utmost importance in order to ensure legal certainty. To this end, German industry urges the European Commission, the European Parliament and the Council to revise the proposed definition of "network and information system". The current definition does not specify that the "device or group of inter-connected or related devices" described in point (1)(b) covers only those devices that are integrated into the IT or OT system of an essential or important entity. Since the aim of the NIS 2-Directive is to ensure the integrity, availability and operational capacity of essential and important entities, the definition of "network and information system" should be limited to those devices that are of paramount importance for guaranteeing these goals. BDI welcomes the inclusion of a clear and unambiguous definition of "near miss", as it provides entities with regulatory clarity. It is equally important that a "near miss" does not impose additional obligations but only empowers entities to exchange information as foreseen in Art. 26 paragraph 1. A company's internal cybersecurity measures, such as internal security and penetration tests or scans, could qualify as an "incident" under the current definition. Therefore, the definition of "incident" should be narrowed in such a way that these internally triggered events fall outside the scope of the Directive; we propose inserting "unwanted or unexpected" into the definition. The European Commission must introduce a definition of management bodies that outlines who is the addressee of the requirements pursuant to Article 17. We propose a definition similar to the one introduced by Directive 2013/36/EU (CRD).
Proposed changes to the legislative text:

(1) 'network and information system' means:
a) an electronic communications network within the meaning of Article 2(1) of Directive (EU) 2018/1972;
b) any device or group of inter-connected or related devices, one or more of which, pursuant to a program, perform automatic processing of digital data, which are integrated into the IT and/or OT system of an essential or important entity pursuant to Article 2 of this Directive and there fulfil functions that are of importance for the proper security, operational capacity, integrity and/or availability of the entity;
c) digital data stored, processed, retrieved or transmitted by elements covered under points (a) and (b) for the purposes of their operation, use, protection and maintenance;

(5) 'incident' means any unwanted or unexpected event compromising the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or of the related services offered by, or accessible via, network and information systems;

(27) 'management body' means an institution's body or bodies, which are appointed in accordance with national law, which are empowered to set the institution's strategy, objectives and overall direction, and which oversee and monitor management decision-making, and include the persons who effectively direct the business of the institution.

National cybersecurity strategy (Article 5)

Summary of legislative proposal: Article 5 obliges each Member State to adopt a national cybersecurity strategy defining the strategic objectives, the technical, organisational and financial resources required to achieve those objectives, and the appropriate policy and regulatory measures, with a view to achieving and maintaining a high level of cybersecurity. Paragraph 2 details the topics and areas each national strategy has to address.

BDI's position: BDI welcomes the general idea that each Member State will be obliged to develop a cybersecurity strategy. However, these strategies must be harmonised in order to ensure that the national measures in their entirety enhance Europe's cyber-resilience. Efficient state cyber defence (cf. Article 5 paragraph 2 point (hb)) is an indispensable component for maintaining cybersecurity, and thus public security, in the modern information and communication society. At the same time, a discussion on the further development of state instruments is necessary to take into account the dynamics of the threat situation in cyberspace and its impact on each Member State's security. A spiral of escalation between Member States, as well as with national and international cyber criminals, must be avoided. The development of international rules for responsible state behaviour in cyberspace is therefore preferable to the development of purely national approaches. Active cyber defence / hackbacks must therefore not be an instrument of the private sector or of private persons and institutions. Rather, they can only be a civil or military defence measure of a state within the framework of its monopoly on the use of force. German industry also strictly rejects any obligation on providers and other companies to cooperate in such measures.
Proposed changes to the legislative text:

2 (hb) based on guidance from international organisations, such as the United Nations, ENISA and the European Commission, a policy on promoting active cyber defence

Coordinated vulnerability disclosure and a European vulnerability registry (Article 6)

Summary of legislative proposal: The European Commission aspires to institutionalise coordinated vulnerability disclosure across the EU. Moreover, ENISA shall develop and maintain a European vulnerability registry to disclose and register vulnerabilities present in ICT products or ICT services. All interested parties shall have access to the information on vulnerabilities contained in the database for which patches or mitigation measures are available.

BDI's position: German industry appreciates the European Commission's approach of addressing cyber-resilience holistically and thereby also paying closer attention to the cyber-resilience of products and services. Any security vulnerability, regardless of whether it is an unintentional bug in the product or an intentional backdoor, should be included in the registry. Manufacturers of such products should not only be obliged to report security gaps, but also to close them swiftly. In order to keep the effort for everyone involved as low as possible, the European Commission needs to implement a lean and efficient reporting process. The European Union should institutionalise coordinated vulnerability disclosure based on international standards, such as ISO/IEC 29147:2018 (Information technology – Security techniques – Vulnerability disclosure), and on CVE. Within CVE, trustworthy organisations around the world act as CVE Numbering Authorities (CNAs) in a voluntary programme, so that cybersecurity experts can more easily prioritise and address vulnerabilities. When disclosing vulnerabilities, ENISA must cooperate with the manufacturer of the product or the provider of the service concerned and inform them prior to any public disclosure. German industry very much appreciates the changes made by the ITRE Committee to the Commission's proposal, as they specify that all interested parties will have access only to those vulnerabilities in the database for which patches or mitigation measures are available. Confidentiality has to be assured in an appropriate way. Manufacturers of ICT products and providers of ICT services must have the chance to provide their customers with updates or patches that mitigate the risks of the respective vulnerability before it is publicly disclosed by a third party. Otherwise, attackers could exploit the disclosed information, which would have serious repercussions for Europe's cyber-resilience. Reporting vulnerabilities should not be a one-way street. Rather, public entities, including intelligence services, must be obliged to report their knowledge of vulnerabilities as well. German industry calls on the European Commission to integrate into Article 6 a requirement that obliges government agencies of EU Member States to immediately report any information on vulnerabilities or backdoors in IT products to the respective manufacturers and/or ENISA.
Currently, government agencies frequently hold back such knowledge, which represents a significant threat to Europe's cyber-resilience. This is especially the case where serious vulnerabilities in ICT products or services used by critical entities are concerned. Moreover, CSIRTs must never have the power to suppress or delay the disclosure of a detected vulnerability.

Proposed changes to the legislative text:

2. The co-legislators should agree on the ITRE Committee's wording of Article 6 paragraph 2, rather than on the EU Commission's original proposal, as the ITRE Committee's wording recognises the necessity to develop and roll out patches and mitigating measures for vulnerabilities before they are published:

ENISA shall develop and maintain a confidentiality-assuring European vulnerability database leveraging the global Common Vulnerabilities and Exposures (CVE). To that end, ENISA shall establish and maintain the appropriate information systems, policies and procedures, and shall adopt the necessary technical and organisational measures to ensure the security and integrity of the database, with a view in particular to enabling important and essential entities and their suppliers of network and information systems, as well as entities which do not fall within the scope of this Directive, and their suppliers, to disclose and register vulnerabilities present in ICT products or ICT services. All interested parties shall be provided access to the information on the vulnerabilities contained in the database that have patches or mitigation measures available, without disclosing the name of the affected and/or reporting user entities. The database shall, in particular, include information describing the vulnerability, the affected ICT product or ICT services and the severity of the vulnerability in terms of the circumstances under which it may be exploited, and the availability of related patches. In the absence of available patches, guidance addressed to users of vulnerable ICT products and ICT services as to how the risks resulting from disclosed vulnerabilities may be mitigated shall be included in the database.

3. CSIRTs, competent authorities pursuant to Article 8 of this Directive, and all other authorities of the EU and its Member States shall immediately inform, applying coordinated vulnerability disclosure principles, the producer of an ICT product or the provider of an ICT service respectively of any vulnerability in such products or services they become aware of. No public authority in the Union shall hold back this information.

National cybersecurity crisis management frameworks (Article 7)

Summary of legislative proposal: Each Member State has to designate competent authorities responsible for the management of large-scale incidents and crises. In addition, each Member State has to adopt a national cybersecurity incident and crisis response plan containing (i) the objectives of national preparedness measures and activities; (ii) the tasks and responsibilities of the national competent authorities; (iii) crisis management procedures and information exchange channels; (iv) preparedness measures, including exercises and training activities; (v) the relevant public and private interested parties and infrastructure involved; and (vi) national procedures and arrangements between relevant national authorities and bodies.

BDI's position: As the SolarWinds case and the attack on the Ukrainian power grid in December 2015 demonstrated, cyber incidents can have far-reaching repercussions. Therefore, German industry welcomes the EU Commission's proposal that every Member State has to adopt a national cybersecurity incident and crisis response plan. When developing and drafting such plans, Member States should be required to consult essential and important entities, as these companies provide vital services for society, have far-reaching insights into current attack vectors and know what repercussions an outage of their services would have.

Proposed changes to the legislative text:

5. Member States shall consult essential and important entities in a structured manner when developing the plans according to paragraph 2, in order to ensure the provision of the services provided by essential entities during large-scale incidents and crises.
Requirements, technical capabilities and tasks of CSIRTs (Article 10)

Summary of legislative proposal: Article 10 outlines the requirements CSIRTs have to comply with, the technical capabilities they have to possess and the tasks they have to fulfil. CSIRTs shall (a) monitor cyber threats, vulnerabilities and incidents at national level; (b) provide early warning, alerts, announcements and dissemination of information to essential and important entities as well as to other relevant interested parties on cyber threats, vulnerabilities and incidents; (c) respond to incidents; (d) provide dynamic risk and incident analysis and situational awareness regarding cybersecurity; (e) provide, upon request of an entity, proactive scanning of the network and information systems used for the provision of their services; and (f) participate in the CSIRTs network and provide mutual assistance to other members of the network upon their request. In addition to the above, the ITRE Committee's proposal tasks CSIRTs with acquiring real-time threat intelligence; providing assistance to the entities involved; (fa) providing, upon request of an entity, the enabling and configuration of network logging to protect data, including personal data, from unauthorised exfiltration; and (fb) contributing to the deployment of secure information sharing tools pursuant to Article 9(3). According to the ITRE Committee's amendment, CSIRTs shall develop at least the following technical capabilities: (a) the ability to conduct real-time or near-real-time monitoring of networks and information systems, and anomaly detection; (b) the ability to support intrusion prevention and detection; (c) the ability to collect and conduct complex forensic data analysis, and to reverse engineer cyber threats; (d) the ability to filter malign traffic; (e) the ability to enforce strong authentication and access privileges and controls; and (f) the ability to analyse cyber threats.

BDI's position: The operational powers of the supervisory authorities, in particular the CSIRTs (Art. 10) and the national competent cybersecurity authorities (Art. 29(2)), were already too extensive in the EU Commission's initial proposal and are even more extensive in the ITRE Committee's proposal. It must be ensured that CSIRTs do not interfere too extensively in the sovereign realm of enterprises. Instead, a trustworthy structure should be fostered so that governmental and enterprise CSIRTs can collaborate, also with the globally well-organised CERT and CSIRT community.

Report on the state of cybersecurity in the Union (Article 15)

Summary of legislative proposal: ENISA will publish a biennial report on the state of cybersecurity in the Union. The report shall include the development of cybersecurity capabilities across the Union and the current state in the Member States, and propose a cybersecurity index as well as policy recommendations.

BDI's position: German industry urges the co-legislators to delete Article 15, as such a biennial report by ENISA will mainly include general information. Today, ENISA has only very limited staff and financial resources, which should be spent in such a way as to augment Europe's cyber-resilience. Instead, ENISA should publish up-to-date information on cybersecurity incidents online.
An improved, daily updated, holistic situation picture as well as daily updated, sector-specific warnings would significantly help essential and important entities to benefit from the data aggregated at national competent authorities and thereby to better protect their business processes. Such information would support the cybersecurity risk mitigation measures of essential and important entities.

Proposed changes to the legislative text: deletion of the Article.

Alternative that would provide real added value for industry and Europe's cyber-resilience as a whole:

Article 15
Daily updated management report on cybersecurity in the Union
1. ENISA shall issue, in cooperation with the national competent authorities, a daily updated management report. The daily updated management report shall in particular include:
(a) an overview of new threat vectors that have been reported by entities according to Article 2;
(b) an analysis of new attack vectors;
(c) an overview of vulnerabilities that have been published in the register according to Article 6.
Management bodies of essential and important entities (Article 17)

Summary of legislative proposal: Management bodies of essential and important entities have to approve the cybersecurity risk management measures taken by their entity in order to comply with the requirements on "cybersecurity risk management measures", supervise their implementation and are accountable in case of the entity's non-compliance with these obligations. Moreover, members of the management body have to follow specific trainings to gain sufficient knowledge and skills in order to apprehend and assess cybersecurity risks and management practices and their impact on the operations of the entity. In addition, Member States shall encourage essential and important entities to offer similar training to all employees.

BDI's position: BDI recognises that management bodies are responsible for the cybersecurity strategy of an essential or important entity. This step will help to significantly increase the awareness of cybersecurity issues among top-level management. However, we regard it as important that the co-legislators recognise that essential and important entities have IT security personnel who possess the necessary qualifications to develop and implement an entity's cybersecurity strategy. Consequently, it has to be questioned whether members of management bodies have to pass a dedicated training, or whether reports by CISOs or IT security personnel are equally sufficient to provide members of management bodies with in-depth information. Moreover, personal accountability for non-compliance is a step too far, especially if the goal is to ensure appropriate cybersecurity awareness in companies across sectors.

However, if the co-legislators regard mandatory IT security training as necessary for members of management bodies, they should swiftly define what constitutes "sufficient knowledge and skills", in order to provide guidance on which skills are considered adequate to implement the Directive's requirements. Moreover, such recommendations must be the same across the EU to ensure that members of management bodies are not confronted with diverging requirements across the Single Market and, in a worst-case scenario, have to undergo different trainings per country. In addition, the co-legislators should only insert additional requirements with which essential and important entities have to comply in Article 18, rather than across the Directive. The ITRE Committee's insertion of requirements concerning the training of employees in Article 17 is misplaced.

Proposed changes to the legislative text: The co-legislators must publish a definition of management bodies. The requirements concerning staff training should be deleted from Article 17 and inserted in Article 18:

2. Member States shall ensure that members of the management body of essential and important entities follow specific training, and shall encourage essential and important entities to offer similar training to all employees, on a regular basis, to gain sufficient knowledge and skills in order to apprehend and assess cybersecurity risks and management practices and their impact on the services provided by the entity.

3. The European Commission will publish, no later than six months after the entry into force of this Directive and after consulting business associations, binding recommendations on what constitutes sufficient knowledge and skills according to paragraph 2 of this Article.
Cybersecurity risk management measures (Article 18)

Summary of legislative proposal: Essential and important entities have to ensure a level of security of network and information systems appropriate to the risk presented, including at least (a) risk analysis and information system security policies; (b) incident handling; (c) business continuity, such as backup management and disaster recovery, and crisis management; (d) supply chain security, including security-related aspects concerning the relationships between each entity and its suppliers or service providers; (e) security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure; and (f) policies and procedures (training, testing and auditing) to assess the effectiveness of cybersecurity risk management measures. The ITRE Committee suggests as additional measures: (fa) basic computer hygiene practices and cybersecurity training; (fb) the use of cryptography, such as encryption, where appropriate; and (fc) the use of multi-factor authentication or continuous authentication solutions, secured voice, video and text communications and secured emergency communication systems within the entity, where appropriate. The Commission is empowered to adopt delegated acts to supplement the elements laid down in paragraph 2 to take account of new cyber threats, technological developments or sectoral specificities, as well as to supplement this Directive by laying down the technical and methodological specifications of the measures referred to in paragraph 2.

BDI's position: While German industry recognises the necessity of outlining basic cybersecurity risk management measures for network and information systems that all essential and important entities have to fulfil, the co-legislators must ensure that IT security personnel can focus on IT security rather than on filling in forms and being occupied with reporting obligations. We call on the European Commission, the European Parliament and the Member States to introduce cybersecurity risk management measures for network and information systems that provide a high degree of legal certainty for essential and important entities. Therefore, instead of referring to the "state of the art", which leaves ample room for evaluators to conclude after an incident that not all potential state-of-the-art capabilities had been applied, a reference to (minimum) standards should be introduced. Since Article 18 paragraph 2(f) as well as recital 45a stress the necessity that essential and important entities should provide cybersecurity training for their employees, this requirement should be deleted from Article 17, as the latter article is concerned with governance within the entities rather than with the organisational measures they have to adopt in order to enhance their cyber-resilience. As the European Commission proposed a directive and not a regulation, thereby providing Member States with a certain degree of flexibility when implementing the requirements stipulated in the NIS 2-Directive, the potential later adoption of delegated acts specifying technical and methodological specifications of cybersecurity risk management measures pursuant to Article 18 seems counterintuitive. When the European Commission adopts such delegated acts, it must ensure consistency between already existing national requirements and those to be adopted by the EU Commission. In addition, enough time for implementing such specifications must be provided. Moreover, the proposal remains unclear concerning the concrete implications of the requirements stipulated in Article 18 paragraph 2(d) concerning "supply chain security". Point 2(d) includes "security-related aspects concerning the relationships between each entity and its suppliers or service providers". It is unclear how essential and important entities shall ensure that a supplier or service provider complies with the requirements deemed necessary by the EU Commission. Hence, an essential or important entity should not be liable if a supplier or service provider is non-compliant, at least as long as the entity did everything it could contractually to ensure that the supplier or provider maintains a risk-adequate level of cybersecurity. Conversely, if essential and important entities were required to utilise only certified ICT products and services to guarantee supply chain security, this would render business processes much more complex and ultimately increase product/service costs.

EU coordinated risk assessments of critical supply chains (Article 19)

Summary of legislative proposal: The Cooperation Group, in cooperation with the Commission and ENISA, may carry out coordinated security risk assessments of specific critical ICT service, system or product supply chains, taking into account technical and, where relevant, non-technical risk factors.

BDI's position: Based on the experience of the EU's coordinated risk assessment on 5G, German industry welcomes the proposal to conduct such risk assessments of critical supply chains. However, the measures proposed after such an analysis has been conducted must be proportionate and always foresee a sufficient implementation period. We appreciate the European Parliament's insertion of consultations with stakeholder groups.

Reporting obligations (Article 20)

Summary of legislative proposal: Essential and important entities have to notify significant incidents to the CSIRT. Where applicable, Member States shall ensure that essential and important entities inform on a "best efforts" basis the recipients of their services, without undue delay, of protective measures or remedies to particular incidents and known risks which can be taken by the recipients.
Where appropriate, the entities shall inform the recipients of their services of the incident or the known risk itself. The significance of an incident shall be determined based on: (a) the number of recipients of the services affected by the incident; (b) the duration of the incident; (c) the geographical spread of the area affected by the incident; (d) the extent to which the functioning and continuity of the service is affected; and (e) the extent of the impact on economic and societal activities. The entities have to submit the following reports:

- initial notification: within 24 hours if the availability of the service is affected; within 72 hours if the availability of the service is not affected; within 24 hours in case of a significant impact on the services of, or the data maintained by, a trust service provider;
- intermediate report: upon the request of a CSIRT, on relevant status updates;
- comprehensive report: not later than one month after the submission of the initial notification, including at least (i) a detailed description of the incident, its severity and impact; (ii) the type of threat or root cause that likely triggered the incident; (iii) applied and ongoing mitigation measures;
- final report: in the case of an incident that is still ongoing at the time of the submission of the comprehensive report, a final report shall be provided one month after the incident has been resolved.
Member States shall ensure the confidentiality and appropriate protection of sensitive information about incidents shared with CSIRTs, and shall adopt measures and procedures for the sharing and reuse of incident information. Member States shall establish a single entry point for all notifications required under the NIS 2-Directive and other relevant Union law. The CSIRT shall provide, within 24 hours after receiving the initial notification referred to in point (a) of paragraph 4, a response to the notifying entity, including initial feedback on the incident and, upon the request of the entity, guidance and actionable advice on the implementation of possible mitigation measures. The CSIRT may share information on the incident with other important and essential entities, while ensuring the confidentiality of the information provided by the reporting entity.

BDI's position: Based on the experience of critical infrastructures reporting cybersecurity incidents since 2016 and the lack of feedback from the national competent authorities, German industry is hesitant when it comes to extending already existing reporting obligations, both in terms of the number of entities that have to report and of the information that has to be reported. In light of the ITRE Committee's amendments to the European Commission's proposal for Article 20, German industry stresses:

- on paragraph 1: The co-legislators should refrain from incident reporting to CSIRTs and rather maintain the established incident reporting channels to the national competent authority.
- on paragraph 2: It is a sensible step to urge essential and important entities to provide users of their services with information on protective measures or remedies to incidents and known risks.
- on paragraph 3: German industry welcomes the criteria for establishing whether or not an incident qualifies as significant.
- on paragraph 4: German industry appreciates the prolongation of the reporting period to 72 hours for some incidents. However, we urge the co-legislators to prolong the reporting period for all incidents to 72 hours, especially for important entities. It is of utmost importance that essential and important entities can focus first on measures to minimise the implications of a successful cyber incident, rather than having to fulfil reporting obligations. Therefore, companies should be required to notify competent authorities within 72 hours after identifying a successful attack. Furthermore, CSIRTs should be allowed to ask for a maximum of one interim report. Rather than creating a huge amount of bureaucracy by requiring entities to hand in several reports, incident mitigation and the prevention of future incidents should be the aim. Therefore, the requested comprehensive and final reports should not exceed two pages.
- on paragraph 4a: German industry appreciates that Member States shall provide entities with a single entry point for all notifications required under the NIS 2-Directive and other relevant Union law. Establishing such a one-stop shop is a very useful step. In light of the reporting obligations under the Critical Entities Resilience Directive, the NIS 2-Directive and the GDPR, such a single entry point is of paramount importance to minimise bureaucracy. As a second step, the single entry point should provide forms that allow the reporting of cases which fall under more than one act of Union law, such as a significant cybersecurity incident pursuant to NIS 2 and a data breach pursuant to the GDPR.
- on paragraph 5: German industry welcomes the concept of information sharing on cyber incidents in paragraph 5. In line with our comments on paragraph 1, the national competent authority should be provided with this possibility.
In addition, we urge the co-legislators to establish at Union level an institution – potentially ENISA – that:
1. systemically classifies the threats,
2. organises the automatic distribution of threat information to participating parties,
3. maintains strategic threat intelligence information, and
4. reports about trends and focuses on understanding the "most critical activities to reduce the risks".

Essential and important entities can only significantly enhance their cyber-resilience if they are provided with well-structured and up-to-date information. An improved, daily updated, holistic situation picture as well as daily updated, sector-specific warnings would ensure that essential and important entities can benefit from the knowledge on reported cyber-attacks and thereby improve their own cybersecurity measures.

Proposed changes to the legislative text:

3. Member States shall ensure that, for the purpose of the notification under paragraph 1, the entities concerned shall submit to the competent authorities or the CSIRT:
a. without undue delay and in any event within 24 72 hours after having become aware of the incident, an initial notification, which, where applicable, shall indicate whether the incident is presumably caused by unlawful or malicious action;
b. a maximum of one an intermediate report on relevant status updates, upon the request of a CSIRT
c. a comprehensive final report not later than one month after the entity has finished its forensic analysis as well as other measures to handle the incidents and its potential business implications submission of the initial notification, including at least the following:
   i. a detailed description of the incident, its severity and impact;
   ii. the type of threat or root cause that likely triggered the incident;
   iii. applied and ongoing mitigation measures.
d. in the case of an ongoing incident at time of the submission of the comprehensive report referred to in point (c), a final report shall be provided one month after the incident has been resolved.
Use of European cybersecurity certification schemes (Article 21)

Summary of legislative proposal: Member States shall, following guidance from ENISA, the Commission and the Cooperation Group, encourage essential and important entities to certify certain ICT products, ICT services and ICT processes, either developed by the essential or important entity or procured from third parties, under European cybersecurity schemes adopted pursuant to Article 49 of Regulation (EU) 2019/881 or, if not yet available, under similar internationally recognised certification schemes. The Commission is empowered to adopt delegated acts to supplement the NIS 2-Directive by specifying which categories of essential and important entities are required to obtain a certificate under specific European cybersecurity schemes pursuant to Article 49 of Regulation (EU) 2019/881. Such delegated acts shall be considered where insufficient levels of cybersecurity have been identified, shall be preceded by an impact assessment and shall provide for an implementation period.

BDI's position: In order to strengthen essential and important entities' cyber-resilience comprehensively, a holistic approach – combining technical, organisational, personnel-related and product-related measures – is required. German industry welcomes the EU Commission's intention to address the product dimension. However, the current EU Commission's proposal is not adequate for several reasons:

1. German industry disapproves of the primary focus on specific European cybersecurity certification schemes adopted pursuant to Article 49 of Regulation (EU) 2019/881, especially since these schemes were always intended to be voluntary. Rather, we urge the European Commission to propose a legislative act containing horizontal cybersecurity requirements based on the NLF as announced in the working programme for 2022. Details on BDI's proposal for introducing horizontal, mandatory cybersecurity requirements based on the NLF can be found here: https://english.bdi.eu/publication/news/eu-wide-cybersecurity-requirements/
2. Since the producer or distributor of an ICT product, ICT service or ICT process is responsible for the certification of the respective product, service or process, it should be the responsibility of the producer or distributor to ensure certification of its product, service or process. Hence, the wording in paragraph one must be adjusted accordingly.
3. Paragraph 2 currently does not state for which concretely defined products, services and systems an essential or important entity has to obtain a certificate under specific European cybersecurity schemes pursuant to Article 49 of Regulation (EU) 2019/881. German industry urges the co-legislators to introduce the requirement to certify components, processes or services only for those components, processes or services that are utilised in security-critical areas. At the same time, the co-legislators should introduce a mechanism that ensures that the manufacturer (e.g. hardware and software provider) obtains the required certificates.
4. Companies should be enabled to choose whether to certify their product, service or process under a specific European cybersecurity certification scheme adopted pursuant to Article 49 of Regulation (EU) 2019/881 or based on European harmonised standards, or alternatively to opt for a conformity assessment by the manufacturer.
5. Especially for smaller important entities, having to rely only on certified products or services will prove costly without necessarily enhancing the entity's cyber-resilience.
Proposed changes to the legislative text:

1. Member States ENISA shall, following guidance from ENISA, the Commission and the Cooperation Group, encourage essential and important entities to utilise in particularly security-critical areas, defined by a list of critical functionalities, only certify certain ICT products, ICT services and ICT processes, either developed by the essential or important entity or procured from third parties, which are certified under European cybersecurity schemes adopted pursuant to Article 49 of Regulation (EU) 2019/881 or, if not yet available, under similar internationally recognised certification schemes or based on European harmonised standards. Furthermore, Member States shall encourage essential and important entities to use qualified trust services pursuant to Regulation (EU) No 910/2014.
2. The Commission is empowered to adopt delegated acts, in accordance with Article 36, to supplement this Directive by specifying which categories of hard- and software providers for essential and important entities are required to obtain for ICT products, ICT services and ICT processes that are utilised in security-critical areas a certificate under specific European cybersecurity schemes pursuant to Article 49 of Regulation (EU) 2019/881 under similar internationally recognised certification schemes or based on European harmonised standards. Such delegated acts shall be considered where insufficient levels of cybersecurity have been identified, shall be preceded by an impact assessment and shall provide for an implementation period.
3. The Commission shall propose a legislative act containing horizontal cybersecurity requirements based on the New Legislative Framework for ICT products, ICT services and ICT processes may, after consulting with the Cooperation Group and the European Cybersecurity Certification Group, request ENISA to prepare a candidate scheme pursuant to Article 48(2) of Regulation (EU) 2019/881 in cases where no appropriate European cybersecurity certification scheme for the purposes of paragraph 2 is available.

Standardisation (Article 22)

Summary of legislative proposal: In order to promote the convergent implementation of cybersecurity risk mitigating measures, Member States shall, without imposing or discriminating in favour of the use of a particular type of technology, encourage the use of European or internationally accepted standards and specifications relevant to the security of network and information systems.

BDI's position: German industry welcomes the technology-neutral approach adopted by the European Commission regarding recommendations for the implementation of cybersecurity risk mitigating measures. Furthermore, we welcome that – in contrast to Germany's new IT Security Law 2.0 – the European Commission focuses on the adoption of European and international standards. This will facilitate the spread of such universal standards. However, to ensure that entities operating in more than one country do not have to fulfil diverging requirements, German industry would welcome it if ENISA were to recommend basic guidelines for such measures for the entire EU.

Proposed changes to the legislative text:

1. In order to promote the convergent implementation of Article 18(1) and (2), Member States ENISA shall, without imposing or discriminating in favour of the use of a particular type of technology, encourage the use of European or internationally accepted standards and specifications relevant to the security of network and information systems.

Jurisdiction and territoriality (Article 24)

Summary of legislative proposal: (1) TLD name registries, cloud computing service providers, data centre service providers and content delivery network providers referred to in point 8 of Annex I to the NIS 2-Directive fall under the jurisdiction of the Member State in which they have their main establishment in the Union. (2) The main establishment in the Union shall be in the Member State where the decisions related to the cybersecurity risk management measures are taken.

BDI's position: German industry welcomes that DNS service providers, TLD name registries, cloud computing service providers, data centre service providers and content delivery network providers referred to in point 8 of Annex I of the NIS 2-Directive fall under the jurisdiction of the Member State in which they have their main establishment in the Union. For companies in the ICT sector it is important to fall under the jurisdiction of just one Member State, as this significantly reduces their reporting obligations. Therefore, it needs to be clarified that an entity's main establishment equates to the group's headquarters in the Union and not only to the national entity's headquarters in a Member State.

Proposed changes to the legislative text:

1. DNS service providers, TLD name registries, cloud computing service providers, data centre service providers and content delivery network providers referred to in point 8 of Annex I, as well as digital providers referred to in point 6 of Annex II shall be deemed to be under the jurisdiction of the Member State in which they have their group's main establishment in the Union.
2.
For the purposes of this Directive, entities referred to in paragraph 1 shall be deemed to have their group's main establishment in the Union in the Member State where the decisions related to the cybersecurity risk management measures are taken. If such decisions are not taken in any establishment in the Union, the main establishment shall be deemed to be in the Member State either where the entities have the establishment with the highest number of employees in the Union, or the establishment where cybersecurity operations are carried out.

ENISA registry (Article 25)

Summary of legislative proposal: The NIS 2 provides for the introduction of a registry for essential and important entities addressed in Article 24, which will be hosted by ENISA. The entities will have to submit to ENISA their name, the address of their main establishment, and up-to-date contact details, including email addresses, IP ranges, telephone numbers and the relevant sector(s) and subsector(s) of the entities referred to in Annexes I and II. Changes to this information have to be reported to ENISA within three months.

BDI's position: The Federation of German Industry welcomes the idea of an EU-wide registry for essential and important entities pursuant to Article 24. However, since operators of critical infrastructures and companies defined as companies of particular public interest pursuant to Germany's IT Security Act 2.0 will already have to register at the BSI, the EU's proposal will increase the administrative burden for these companies. Therefore, we urge the co-legislators to ensure that a registration only has to be conducted once at ENISA and that ENISA will provide national competent authorities with all necessary information. If the registry is to be created, all information shared with ENISA needs to be treated with the highest degree of confidentiality. Moreover, effective cybersecurity measures, including encryption, would need to be in place to protect the information in such a registry.

Proposed changes to the legislative text: To ensure that essential and important entities have to register only once, we propose the following amendment to the proposal:

3. Upon receipt of the information under paragraph 1, ENISA shall forward it to the single points of contact depending on the indicated location of each entity's main establishment or, if it is not established in the Union, of its designated representative. Where an entity referred to in paragraph 1 has besides its main establishment in the Union further establishments in other Member States, ENISA shall also inform the single points of contact of those Member States. Entities shall only be obliged to report the information under paragraph 1 to ENISA and not in addition to the single points of contact in the Member States. ENISA shall ensure the exchange of this information with national competent authorities.
Cybersecurity information-sharing arrangements (Article 26)

Summary of legislative proposal: Member States shall ensure that essential and important entities may exchange relevant cybersecurity information among themselves, including information relating to cyber threats, vulnerabilities, indicators of compromise, tactics, techniques and procedures, cybersecurity alerts and configuration tools, where such information is shared in order to prevent, detect, respond to or mitigate incidents, or to enhance the level of cybersecurity. Member States shall ensure that the exchange of information takes place within trusted communities of essential and important entities based on information sharing arrangements.

BDI's position: German industry appreciates this proposal since experience from UP KRITIS, the German public-private partnership bringing together experts from operators of critical entities and representatives of government agencies, showcases the benefits of a regular exchange on cybersecurity topics between such companies and the respective public authorities. German industry welcomes that, apart from essential and important entities, other relevant entities not covered by the scope of the NIS 2-Directive may also join the exchange of such information. Member States must ensure that exchange within these groups remains confidential and based on mutual trust, while providing as many companies as possible with access to such a forum. In order to ensure the protection of intellectual property and business know-how, the extent and scope of this exchange need to be clearly defined. Moreover, it has to be ensured that all essential and important entities can join such cybersecurity information sharing arrangements. Experiences with non-profit platforms such as the German CERT Association ("Deutscher CERT Verbund") and the CERT@VDE have also proven for years that trustful cooperation based on a voluntary commitment by companies works well.
Voluntary notification of relevant information (Article 27)

Summary of legislative proposal: Entities not falling into the scope of the NIS 2-Directive as well as essential and important entities can notify the CSIRT of cyber threats and near misses.

BDI's position: German industry appreciates the possibility of voluntary reporting, and that voluntary reporting shall not result in the imposition of any additional obligations upon the reporting entity to which it would not have been subject had it not submitted the notification. At the same time, however, national competent authorities should be obliged to respond to such notifications within two days. If companies are provided with benefits when reporting cybersecurity incidents, the number of notifications is likely to rise. Thereby, the national competent authorities will gain a more holistic picture of the current cyber-threat landscape.

Supervision and enforcement for essential entities (Article 29)

Summary of legislative proposal: The supervision of essential entities will be based on ex ante and ex post supervisory measures. Competent national authorities shall have the following powers:
(a) on-site inspections and off-site supervision, including random checks;
(b) annual and targeted security audits carried out by a qualified independent body or a competent authority;
(c) ad hoc audits in cases justified on the ground of a significant incident or non-compliance by the essential entity;
(d) security scans based on objective, non-discriminatory, fair and transparent risk assessment criteria;
(e) request information necessary to assess the cybersecurity measures adopted by the entity, including documented cybersecurity policies, and registration at ENISA;
(f) conduct requests to access data, documents or any information necessary for the performance of their supervisory tasks; and
(g) conduct requests for evidence of implementation of cybersecurity policies, such as the results of security audits carried out by a qualified auditor and the respective underlying evidence.

The entity concerned will have to pay for the audits pursuant to point (b). In case essential entities are found non-compliant with the obligations laid down in Articles 18 and 20 of the NIS 2-Directive, competent authorities will have substantial possibilities to enforce adherence to these measures.

BDI's position: German industry recognises that supervision and enforcement of the measures stated in the NIS 2-Directive are necessary to achieve a level playing field across the European Union. However, these measures must be proportionate. The measures now inserted by the European Parliament are excessive – especially if essential entities would have to pay for them. German industry wonders how the co-legislators want to ensure that enough qualified cybersecurity professionals will be available to conduct annual and targeted security audits in all essential entities across the European Union. In light of the massive shortage of qualified IT security personnel, this seems to be impossible. German industry fears that this requirement will result in a reduction of the overall cyber-resilience across the Union, as cybersecurity professionals will conduct (lucrative) audits rather than help SMEs in their attempts to enhance their cyber-resilience. We therefore urge the co-legislators to delete the reference to "annual".
German industry urges the co-legislators to specify which criteria referred to in paragraph 2 point (d) are considered "fair and transparent". Essential entities require a maximum degree of legal certainty when implementing the NIS 2-Directive. The current proposal stays too vague in this regard.

German industry appreciates the notion stipulated in paragraph 2a that, where exercising their powers under points (a) to (d) in paragraph 2, the competent authorities shall minimise the impact on the business processes of the essential entity.

German industry opposes the idea that entities shall pay the costs for audits on an annual basis.

As the European Parliament enables the competent authorities to issue binding instructions, including with regard to measures necessary to prevent or remedy an incident, as well as time-limits for the implementation of such measures and for reporting on their implementation (cf. Art. 29 paragraph 4b), the competent authority, when executing its competences pursuant to this article, must take into account the existing and ever increasing lack of IT security specialists. Hence, German industry urges the national competent authorities to provide companies with realistic time-limits.

German industry appreciates that the ITRE Committee changed Article 29 paragraph 5b insofar as a temporary ban against any person discharging managerial responsibilities at chief executive officer or legal representative level in that essential entity is now considered only as an ultima ratio. Moreover, we very much appreciate the deletion of any reference to other employees, as they do not have the necessary decision powers within an entity to implement certain measures regarded as necessary by law as long as a CEO withholds the necessary money for such activities. Therefore, we welcome the newly introduced language in comparison to previous wordings. To this end, the wording of paragraph 6 should mirror the wording of paragraph 5b (see below).

Proposed changes to the legislative text:

Paragraph two:
b. annual and targeted security audits carried out by a qualified independent body or a competent authority; … The results of any targeted security audit shall be made available to the competent authority. The costs of such an audit carried out by a qualified independent body shall be paid by the Member States entity concerned.

Paragraph six should be deleted.
6. Member States shall ensure that any person discharging managerial responsibilities at chief executive officer or legal representative level in that essential entity natural person responsible for or acting as a representative of an essential entity on the basis of the power to represent it, the authority to take decisions on its behalf or the authority to exercise control of it has the powers to ensure its compliance with the obligations laid down in this Directive. Member States shall ensure that those natural persons may be held liable for breach of their duties to ensure compliance with the obligations laid down in this Directive.
Supervision and enforcement for important entities (Article 30)

Summary of legislative proposal: The supervision of important entities will be based on ex post supervisory measures, i.e. competent national authorities shall only be active when provided with evidence or indication of non-compliance with the obligations laid down in the NIS 2-Directive. National competent authorities shall have the possibility to conduct
(a) on-site inspections and off-site ex post supervision conducted by trained professionals;
(aa) investigation of cases of non-compliance and the effects thereof on the security of the services;
(b) targeted security audits carried out by a qualified independent body or a competent authority;
(c) security scans based on objective, non-discriminatory, fair and transparent risk assessment criteria;
(d) requests for any information necessary to assess cybersecurity measures, including documented cybersecurity policies, and registration at ENISA; and
(e) requests to access data, documents and/or information necessary for the performance of the supervisory tasks.

If competent national authorities find that important entities do not adhere to the requirements stipulated in Articles 18 and 20, they can i.a. issue warnings or binding instructions, and even order those entities to bring their risk management measures or the reporting obligations in compliance with the obligations laid down in Articles 18 and 20 in a specified manner and within a specified period.

BDI's position: German industry recognises that supervision and enforcement of the measures stated in the NIS 2-Directive are necessary to achieve a level playing field across the European Union. However, these measures must be proportionate. The measures now inserted by the European Parliament are excessive – especially if essential entities would have to pay for them. German industry wonders how the co-legislators want to ensure that enough qualified cybersecurity professionals will be available to conduct the targeted security audits in important entities – as well as the annual audits mentioned in Article 29 – across the European Union. In light of the massive shortage of qualified IT security personnel, this seems to be impossible. German industry fears that this requirement will result in a reduction of the overall cyber-resilience across the Union, as cybersecurity professionals will conduct (lucrative) audits rather than help SMEs in their attempts to enhance their cyber-resilience. We therefore urge the co-legislators to ensure that, besides utilising cybersecurity professionals for audits, there are enough well-trained professionals to help entities with their ambitions to enhance their cyber-resilience.

German industry opposes the idea that important entities shall pay the costs for the targeted audits, especially since the directive does not specify how often such an audit can be deemed necessary. The co-legislators must ensure that such audits are paid for by the competent national authority and cannot take place more often than once a year, in order not to disrupt the entity's business processes disproportionately.

German industry urges the European Commission to specify which criteria referred to in point (c) are considered "fair and transparent". Important entities require a maximum degree of legal certainty when implementing the NIS 2-Directive. The current proposal stays too vague in this regard.

Moreover, we urge the European Commission to consider important entities' intrinsic interest in maintaining a high degree of cyber-resilience. In this regard it should be noted that companies are best equipped to conduct any necessary measure to enhance their cyber-resilience. Therefore, we oppose granting competent authorities any possibility to "issue binding instructions", as stipulated in Article 30 paragraph 4 point (b). If competent authorities were provided with such far-reaching competencies, the European Commission has to clarify that the competent authority will bear any cost resulting from such measures.
German industry opposes audits and on-site inspections on cybersecurity. Such processes must be urgently streamlined to ensure minimum impact on business processes.

Proposed changes to the legislative text:

4. (b) issue binding instructions or an order requiring those entities to remedy the deficiencies identified or the infringement of the obligations laid down in this Directive;

General conditions for imposing administrative fines on essential and important entities (Article 31)

Summary of legislative proposal: Member States shall impose administrative fines on essential and important entities for infringements of obligations concerning cybersecurity risk management measures (Article 18) and reporting obligations (Article 20). Administrative fines shall amount to a maximum of at least 10,000,000 Euro or up to two per cent of global annual turnover.

BDI's position: In order to ensure that all entities implement the cybersecurity risk mitigation measures laid down in Article 18 and fulfil their reporting obligations pursuant to Article 20, the introduction of administrative fines seems justified. However, German industry calls for a significant reduction of the maximum level of administrative fines imposed on entities. Unlike in the case of data protection (cf. GDPR), the legal interest to be protected here is not a fundamental right (GDPR = right to informational self-determination; vs NIS 2 = cybersecurity of essential and important entities). Nor do the considerations regarding data protection law – which have led to fines being calculated on the basis of group sales – fit with regard to the NIS 2-Directive. Therefore, the maximum level of administrative fines should be no higher than two million Euros without any reference to annual turnover. Such a level would strike an acceptable balance between the intent to "punish" companies violating the requirements stipulated in Articles 18 and 20, and German industry's requirement for administrative fines that are not excessive. This is particularly important since, according to a Bitkom study from 2021, the consequences of successful cyberattacks already amount to costs of more than 223 billion euros per year for the German economy.[8]

Proposed changes to the legislative text:

4. Member States shall ensure that infringements of the obligations laid down in Article 18 or Article 20 shall, in accordance with paragraphs 2 and 3 of this Article, be subject to administrative fines of a maximum of two million EUR at least 10 000 000 EUR or up to 2% of the total worldwide annual turnover of the undertaking to which the essential or important entity belongs in the preceding financial year, whichever is higher.
[8] Bitkom. 2021. Wirtschaftsschutz 2021. URL: https://www.bitkom.org/sites/default/files/2021-08/bitkom-slides-wirtschaftsschutz-cybercrime-05-08-2021.pdf (Accessed on 1 November 2021).
Review (Article 35)

Summary of legislative proposal: The EU Commission will periodically review the functioning of the NIS 2-Directive. A first report will be published 42 months after the entry into force of the Directive – subsequent reports every 35 months thereafter.

BDI's position: German industry strongly appreciates the introduction of a review mechanism for the functioning of the Directive. This is of utmost importance to ensure that the regulatory framework concerning the cybersecurity requirements imposed on essential and important entities is adequate in light of the constantly developing cyber-threat landscape.
Imprint
Bundesverband der Deutschen Industrie e.V. (BDI)
Breite Straße 29, 10178 Berlin
www.bdi.eu
T: +49 30 2028-0
EU Transparency Register: 1771817758-48

Editor
Steven Heckler
Deputy Head of Department Digitalisation and Innovation
T: +49 30 2028-1523
s.heckler@bdi.eu

BDI document number: D 1469