NIS 2-Directive: Evaluation of the ITRE Committee’s compromise position
Europe needs not fewer, but more trustworthy IT solutions to reap the benefits of the digital transformation in administration, industry and society. To this end, European legislators should be proponents of strong encryption and should increasingly promote the development of post-quantum cryptography procedures to accommodate future requirements for secure communication. Proposed changes to the legislative text: In order to safeguard the security of electronic communications networks and services, the use of encryption and other data-centric security technologies, such as, tokenisation, segmentation, throttle access, marking, tagging, strong identity and access management, and automated access decisions, should be promoted and, where necessary, should be mandatory for providers of such services and networks in accordance with the principles of security and privacy by default and by design for the purposes of Article 18. The use of end-to-end encryption should be reconciled with the Member State’ powers to ensure the protection of their essential security interests and public security, and to permit the investigation, detection and prosecution of criminal offences in compliance with Union law. However, this should not lead to any efforts to weaken end-to-end encryption, which is a critical technology for effective data protection and privacy. By promoting encryption, the EU will set a positive role-model for other parts of the world. Scope: Article 2 in conjunction with the List of essential and important entities (Annex I and II) Summary of legislative proposal: The NIS 2 Directive applies to public and private essential and important entities of a type referred to as essential entities in Annex I and as important entities in Annex II that provide their services or carry out their activities within the Union. Essential entities (Annex I) comprise certain entities active in the sectors energy (electricity, district heating and cooling, oil, gas, hydrogen), transport (air, rail, water, road, operators of smart charging services for electric vehicles), banking, financial market infrastructures, health, drinking water, wastewater, digital infrastructure, public administration and space. In addition, important entities are entities active in the sectors postal and courier services, waste management, manufacture, production and distribution of chemicals, food production, processing and distribution, manufacturing of (a) medical devices and in vitro diagnostic medical devices, (b) computer, (c) electronic and optical products, (d) electrical equipment, (e) machinery and equipment, (f) motor vehicles, trailers and semi-trailers and (g) transport equipment, digital providers, online marketplaces, online search engines and social networking services platforms, as well as higher education institutions and research institutions. Most micro and small entities, except those listed by member states, are exempt from the Directive. According to Art. 2 paragraph 2b, essential and important entities have to submit at least the following information to the national competent authority: (a) the name of the entity; (b)the address and up-todate contact details, including email addresses, IP ranges, telephone numbers; and (c) the relevant sector(s) and subsector(s) referred to in Annexes I and II. BDI’s position: In order to enhance Europe’s cyber-resilience holistically, it seems justified to broaden the scope of the Directive, in particular in light of the severe cyberattacks witnessed in recent months. However, the co-legislators have to specify in greater detail the Directive’s protection goal and subsequently adjust the NIS 2-Directive’s scope accordingly. We welcome the exemptions for micro and small enterprises as these often do not have the necessary financial means and capacities to fulfil the far-reaching obligations stipulated in the NIS 2-Directive. 6
