NIS 2-Directive: Evaluation of the ITRE Committee’s compromise position
Supervision and enforcement for important entities (Article 30)

Summary of legislative proposal: The supervision of important entities will be based on ex post supervisory measures, i.e. competent national authorities shall only become active when provided with evidence or indication of non-compliance with the obligations laid down in the NIS 2-Directive. National competent authorities shall have the possibility to conduct
(a) on-site inspections and off-site ex post supervision conducted by trained professionals;
(aa) investigation of cases of non-compliance and the effects thereof on the security of the services;
(b) targeted security audits carried out by a qualified independent body or a competent authority;
(c) security scans based on objective, non-discriminatory, fair and transparent risk assessment criteria;
(d) requests for any information necessary to assess cybersecurity measures, including documented cybersecurity policies, and registration at ENISA; and
(e) requests to access data, documents and/or information necessary for the performance of the supervisory tasks.
If competent national authorities find that important entities do not adhere to the requirements stipulated in Articles 18 and 20, they can, inter alia, issue warnings or binding instructions, and even order those entities to bring their risk management measures or their reporting obligations into compliance with the obligations laid down in Articles 18 and 20 in a specified manner and within a specified period.

BDI's position: German industry recognises that supervision and enforcement of the measures stated in the NIS 2-Directive are necessary to achieve a level playing field across the European Union. However, these measures must be proportionate. The measures now inserted by the European Parliament are excessive, especially if essential entities would have to pay for them.
German industry wonders how the co-legislators want to ensure that enough qualified cybersecurity professionals will be available to conduct the targeted security audits in important entities, as well as the annual audits mentioned in Article 29, across the European Union. In light of the massive shortage of qualified IT security personnel, this seems impossible. German industry fears that this requirement will result in a reduction of the overall cyber-resilience across the Union, as cybersecurity professionals will conduct (lucrative) audits rather than help SMEs in their attempts to enhance their cyber-resilience. We therefore urge the co-legislators to ensure that, besides utilising cybersecurity professionals for audits, there are enough well-trained professionals to help entities with their ambitions to enhance their cyber-resilience.

German industry opposes the idea that important entities shall pay the costs of the targeted audits, especially since the directive does not specify how often such an audit can be deemed necessary. The co-legislators must ensure that such audits are paid for by the competent national authority and cannot take place more often than once a year, in order not to disrupt the entity's business processes disproportionately.

German industry urges the European Commission to specify which criteria referred to in point (c) are considered "fair and transparent". Important entities require a maximum degree of legal certainty when implementing the NIS 2-Directive. The current proposal stays too vague in this regard.

Moreover, we urge the European Commission to consider important entities' intrinsic interest in maintaining a high degree of cyber-resilience. In this regard it should be noted that companies are best equipped to take any measure necessary to enhance their cyber-resilience. Therefore, we oppose granting competent authorities any possibility to "issue binding instructions", as stipulated in Article 30 paragraph 4 point (b). If competent authorities were provided with such far-reaching competencies, the European Commission has to clarify that the competent authority will bear any cost resulting from such measures.