NIS 2-Directive: Evaluation of the ITRE Committee’s compromise position
Management bodies of Essential and Important Entities (Article 17)

Summary of legislative proposal:
Management bodies of essential and important entities have to approve the cybersecurity risk management measures taken by their entity in order to comply with the requirements on “cybersecurity risk management measures”, supervise their implementation and are accountable in case of the entity’s non-compliance with these obligations. Moreover, members of the management body have to follow specific training to gain sufficient knowledge and skills in order to apprehend and assess cybersecurity risks and management practices and their impact on the operations of the entity. In addition, Member States shall encourage essential and important entities to offer similar training to all employees.

BDI’s position:
BDI recognises that management bodies are responsible for the cybersecurity strategy of an essential or important entity. This step will help to significantly increase awareness of cybersecurity issues among top-level management. However, we regard it as important that the co-legislators recognise that members of management bodies of essential and important entities have IT security personnel at their disposal who possess the necessary qualifications to develop and implement an entity’s cybersecurity strategy. Consequently, it has to be questioned whether members of management bodies have to pass a respective training or whether reports by CISOs or IT security personnel are equally sufficient to provide members of management bodies with in-depth information. Moreover, personal accountability for non-compliance is a step too far, especially if the goal is to ensure appropriate cybersecurity awareness in companies across sectors.
However, if the co-legislators regard mandatory IT security training as necessary for members of management bodies, they should swiftly define what constitutes “sufficient knowledge and skills”, in order to provide guidance on which skills are considered adequate to implement the Directive’s requirements. Moreover, such recommendations must be the same across the EU to ensure that members of management bodies are not confronted with diverging requirements across the Single Market and, in a worst-case scenario, have to undergo different training per country. In addition, the co-legislators should only insert additional requirements with which essential and important entities have to comply in Article 18, rather than across the Directive. The ITRE Committee’s insertion of requirements concerning the training of employees in Article 17 is misplaced.

Proposed changes to the legislative text:
The co-legislators must publish a definition of management bodies. The requirements concerning staff training should be deleted from Article 17 and inserted in Article 18:

2. Member States shall ensure that members of the management body of essential and important entities follow specific training, and shall encourage essential and important entities to offer similar training to all employees, on a regular basis, to gain sufficient knowledge and skills in order to apprehend and assess cybersecurity risks and management practices and their impact on the services provided by the entity.

3. The European Commission will publish, by no later than six months after the ratification of this directive and after consulting business associations, binding recommendations on what constitutes sufficient knowledge and skills according to number two of this Article.