POSITION | CYBERSECURITY | EUROPEAN LEGISLATION
NIS 2-Directive: Evaluation of the ITRE Committee’s compromise position German industry’s adjusted position based on the ITRE Committee’s amendments to the EU Commission’s proposal for a NIS 2 Directive
29 November 2021 Executive Summary German industry welcomes the European Union’s aim to significantly strengthen Europe's cyber-resilience and to create a level playing field for essential and important entities across the European Union. Cyber and IT security are the basis for a long-term secure digital transformation of the state, economy and society. All those involved – from hardware and software manufacturers to commercial operators, private users and government agencies – must be actively and holistically involved in strengthening cyber-resilience. German industry will continue to make its contribution to this, because a high degree of cyber-resilience is a basic prerequisite for the trouble-free functioning of highly digitalised processes in companies. We very much appreciate the diligent work done by the European Parliament’s ITRE Committee and in particular rapporteur Bart Groothuis. Among the ITRE Committee’s positive amendments we would like to stress: ▪
encryption (recital 54): German industry appreciates the more positive language of recital 54 which recognises the importance of encryption and other cybersecurity measures. We urge the co-legislators to refrain from any measure that could weaken encryption. Cryptographic methods (e.g. end-to-end cryptography) strengthen trust in digital communication tools and help protect entities from espionage and sabotage, hence, they must be legally safeguarded.
▪
scope (Annex I): German industry appreciates the inclusion of research institutions into the Directive’s scope since businesses often collaborate with these institutions for research projects. In terms of supply-chain security and to prevent industrial espionage and sabotage, including especially larger entities of various sectors of the value chain into the Directive’s scope seems to be reasonable.
▪
supervision (Article 29): German industry appreciates that the ITRE Committee changed Article 29 paragraph 5b insofar as a temporary ban against any person holding managerial responsibilities at chief executive officer or legal representative level in that essential entity is now considered only as an ultima ratio. Moreover, we very much appreciate the deletion of any reference to other employees as they do not have the necessary decision powers within an entity to implement certain measures regarded as necessary by law if a CEO withholds the necessary money for such activities. Therefore, we welcome the newly introduced language in comparison to previous wordings. To this end, the wording of Paragraph 6 should mirror the wording of Paragraph 5b.
Steven Heckler | Digitalisation and Innovation | T: +49 30 2028-1523 | S.Heckler@bdi.eu | www.bdi.eu
