EU Parliament’s position on NIS 2 Directive

NIS 2-Directive: Evaluation of the ITRE Committee’s compromise position

German industry opposes audits and on-site inspections on cybersecurity. Such processes must be urgently streamlined to ensure minimum impact on business processes.

Proposed changes to the legislative text:

4. (b) issue binding instructions or an order requiring those entities to remedy the deficiencies identified or the infringement of the obligations laid down in this Directive;

General conditions for imposing administrative fines on essential and important entities (Article 31)

Summary of legislative proposal: Member States shall impose administrative fines on essential and important entities for infringements of obligations concerning cybersecurity risk management measures (Article 18) and reporting obligations (Article 20). Administrative fines shall amount to a maximum of at least 10,000,000 Euro or up to two per cent of global annual turnover.

BDI’s position: In order to ensure that all entities implement the cybersecurity risk mitigation measures laid down in Article 18 and fulfil their reporting obligations pursuant to Article 20, the introduction of administrative fines seems justified. However, German industry calls for a significant reduction of the maximum level of administrative fines imposed on entities. Unlike in the case of data protection (cf. GDPR), the legal interest to be protected here is not a fundamental right (GDPR = right to informational self-determination; vs NIS 2 = cybersecurity of essential and important entities). Nor do the considerations regarding data protection law – which have led to fines being calculated on the basis of group sales – fit the NIS 2 Directive. Therefore, the maximum level of administrative fines should be no higher than two million Euros, without any reference to annual turnover.

Such a level would strike an acceptable balance between the intent to “punish” companies violating the requirements stipulated in Articles 18 and 20, and German industry’s requirement that administrative fines not be excessive. This is particularly important since, according to a Bitkom study from 2021, the consequences of successful cyberattacks already amount to costs of more than 223 billion euros per year for the German economy. [8]

Proposed changes to the legislative text:

4. Member States shall ensure that infringements of the obligations laid down in Article 18 or Article 20 shall, in accordance with paragraphs 2 and 3 of this Article, be subject to administrative fines of a maximum of two million EUR at least 10 000 000 EUR or up to 2% of the total worldwide annual turnover of the undertaking to which the essential or important entity belongs in the preceding financial year, whichever is higher.

[8] Bitkom. 2021. Wirtschaftsschutz 2021. URL: https://www.bitkom.org/sites/default/files/2021-08/bitkom-slides-wirtschaftsschutz-cybercrime-05-08-2021.pdf (Accessed on 1st November 2021).
