EU Parliament’s position on NIS 2 Directive


NIS 2-Directive: Evaluation of the ITRE Committee’s compromise position

information systems, and anomaly detection;
(b) the ability to support intrusion prevention and detection;
(c) the ability to collect and conduct complex forensic data analysis, and to reverse engineer cyber threats;
(d) the ability to filter malign traffic;
(e) the ability to enforce strong authentication and access privileges and controls; and
(f) the ability to analyse cyber threats.

BDI’s position: The operational powers of the supervisory authorities, in particular the CSIRTs (Art. 10) and the national competent cybersecurity authorities (Art. 29 (2)), were already too extensive in the EU Commission’s initial proposal and are now even more extensive in the ITRE Committee’s proposal. It must be ensured that CSIRTs do not interfere too extensively in the sovereign realm of enterprises. Instead, a trustworthy structure should be fostered, so that governmental and enterprise CSIRTs can collaborate, also with the globally well organised CERT and CSIRT community.

Report on the state of cybersecurity in the Union (Article 15)

Summary of legislative proposal: ENISA will publish a biennial report on the state of cybersecurity in the Union. The report shall include the development of cybersecurity capabilities across the Union and the current state in the Member States, and shall propose a cybersecurity index as well as policy recommendations.

BDI’s position: German industry urges the co-legislators to delete Article 15, as such a biennial report by ENISA will mainly include general information. Today, ENISA only has very limited staff and financial resources, which should be spent in such a way as to augment Europe’s cyber-resilience. Henceforth, ENISA should publish online up-to-date information on cybersecurity incidents. An improved, daily updated, holistic situation picture as well as daily updated, sector-specific warnings would significantly help essential and important entities to benefit from the data aggregated at national competent authorities and thereby to better protect their business processes. Such information would help essential and important entities to support their cybersecurity risk-mitigating measures.

Proposed changes to the legislative text: deletion of the Article

Alternative that would provide real added value for industry and Europe’s cyber-resilience as a whole:

Article 15
Daily updated management report on cybersecurity in the Union

1. ENISA shall issue, in cooperation with the national competent authorities, a daily updated management report. The daily updated management report shall in particular include:
(a) an overview of new threat vectors that have been reported by entities according to Article 2
(b) an analysis of new attack vectors
(c) an overview of vulnerabilities that have been published in the register according to Article 6
