Europe needs not fewer, but more trustworthy IT solutions to reap the benefits of the digital transformation in administration, industry and society. To this end, European legislators should be proponents of strong encryption and should increasingly promote the development of post-quantum cryptography procedures to accommodate future requirements for secure communication.
Proposed changes to the legislative text:
In order to safeguard the security of electronic communications networks and services, the use of encryption and other data-centric security technologies, such as tokenisation, segmentation, throttle access, marking, tagging, strong identity and access management, and automated access decisions, should be promoted and, where necessary, should be mandatory for providers of such services and networks in accordance with the principles of security and privacy by default and by design for the purposes of Article 18. The use of end-to-end encryption should be reconciled with the Member States’ powers to ensure the protection of their essential security interests and public security, and to permit the investigation, detection and prosecution of criminal offences in compliance with Union law. However, this should not lead to any efforts to weaken end-to-end encryption, which is a critical technology for effective data protection and privacy. By promoting encryption, the EU will set a positive role model for other parts of the world.
Scope: Article 2 in conjunction with the List of essential and important entities (Annex I and II)
Summary of legislative proposal:
The NIS 2 Directive applies to public and private essential and important entities of a type referred to as essential entities in Annex I and as important entities in Annex II that provide their services or carry out their activities within the Union. Essential entities (Annex I) comprise certain entities active in the sectors energy (electricity, district heating and cooling, oil, gas, hydrogen), transport (air, rail, water, road, operators of smart charging services for electric vehicles), banking, financial market infrastructures, health, drinking water, wastewater, digital infrastructure, public administration and space. In addition, important entities are entities active in the sectors postal and courier services, waste management, manufacture, production and distribution of chemicals, food production, processing and distribution, manufacturing of (a) medical devices and in vitro diagnostic medical devices, (b) computer, (c) electronic and optical products, (d) electrical equipment, (e) machinery and equipment, (f) motor vehicles, trailers and semi-trailers and (g) transport equipment, digital providers, online marketplaces, online search engines and social networking services platforms, as well as higher education institutions and research institutions. Most micro and small entities, except those listed by member states, are exempt from the Directive.
According to Art. 2 paragraph 2b, essential and important entities have to submit at least the following information to the national competent authority: (a) the name of the entity; (b) the address and up-to-date contact details, including email addresses, IP ranges and telephone numbers; and (c) the relevant sector(s) and subsector(s) referred to in Annexes I and II.
BDI’s position:
In order to enhance Europe’s cyber-resilience holistically, it seems justified to broaden the scope of the Directive, in particular in light of the severe cyberattacks witnessed in recent months. However, the co-legislators have to specify in greater detail the Directive’s protection goal and subsequently adjust the NIS 2-Directive’s scope accordingly.
We welcome the exemptions for micro and small enterprises as these often do not have the necessary financial means and capacities to fulfil the far-reaching obligations stipulated in the NIS 2-Directive.
However, we expect that especially smaller SMEs (50 – 100 employees), which do not fall under the “size cap” because they have 50 or more employees or an annual turnover of more than 10 Mio. Euro, will have problems meeting the far-reaching risk management measures and reporting obligations. Therefore, we call on the co-legislators to exempt all SMEs according to Commission Recommendation 2003/361/EC from the scope of the Directive, i.e. all companies – at least those operating in sectors classified as “important” – with ≤ 250 employees or an annual turnover of less than 50 Mio. Euro. An exception to this exclusion shall apply to SMEs that supply critical hardware and software solutions to essential entities or that can be defined as “critical” in supply chains in any other regard. This adaptation would ensure that the NIS 2-Directive follows a functional risk-based approach and strengthens the EU’s cyber-resilience without putting unacceptably high burdens on smaller entities.
With regard to Annex II No. 2, German industry recognises the importance of the waste management sector. However, we advocate narrowing the scope to municipal waste management, since the management of municipal waste is of paramount importance to maintain public health and safety.
The amount of regulation introduced in various sectors of the European economy is increasing year over year. Sectors such as telecommunication, aviation and many more are already highly regulated. Often, the regulatory framework is a hotchpotch consisting of a plethora of regulatory acts – at national and European, and increasingly also international, level. Therefore, we urge the European legislator to step up all efforts leading to enhanced harmonisation between various sector-specific and general regulatory approaches. German industry recognises the importance of regulation; however, we require a regulatory framework in which obligations do not contradict each other.
German industry recognises the importance of aviation as an essential service to the European Union and the desire to declare manufacturers of aviation parts as important entities to support this goal. However, EASA has published Opinion 03/2021 to introduce cybersecurity oversight of all aviation organisations. The design and production of aircraft is highly regulated by EASA and the EU Member State Civil Aviation Authorities, and the relevant competent authorities have tight control of the compliant operation of these organisations. By designating these organisations as important entities under the proposed update of the NIS Directive, redundant regulations would be introduced for the same subject area. This would greatly increase business operational frictions and reduce the competitiveness of the European aviation industry relative to other jurisdictions, as organisations would be required to duplicate efforts to demonstrate their security. The competent authorities for Part IS and the competent authorities for NIS may disagree on acceptable measures, and organisations would be challenged to find cost-effective and mutually acceptable solutions. The aviation industry also has unique constraints on operations resulting from the extensive safety regulations; these constraints may prohibit some standard responses expected by security agencies, and this may lead to issues with NIS 2 audits. Therefore, it is preferable to have all oversight performed by aviation authorities who are aware of acceptable and unacceptable practices in aviation.
German industry welcomes the deletion of references to “potential” in Art. 2 paragraph 2 (d) and (e). This significantly enhances regulatory clarity as it reduces the possibility for arbitrariness or a broad understanding of the directive by Member States.
German industry welcomes that, according to Art. 2 paragraph 6, where provisions of sector-specific acts of Union law require essential or important entities to adopt cybersecurity risk management measures or to notify incidents, and where those requirements are at least equivalent in effect to the obligations laid down in the NIS 2 Directive, the relevant provisions of the NIS 2 Directive shall not apply. German industry appreciates that the Commission is urged to issue guidelines in relation to the implementation of the sector-specific acts of Union law.
Art. 2 paragraph 6a has in general only a clarifying character. Nonetheless, German industry appreciates that essential and important entities, CERTs, CSIRTs and providers of security technologies and services, shall process personal data, to the extent strictly necessary and proportionate for the purposes of ensuring network and information security, to meet the obligations set out in the NIS 2 Directive. The reference to the relevant articles in the GDPR gives obligated parties the necessary legal certainty.
In light of the energy and traffic transition, addressing operators of smart charging services for electric vehicles is a far-sighted step. In order to ensure both the stability of the electricity network and that owners of electric vehicles can charge their vehicles, the proposal to broaden the scope of the NIS 2 Directive to operators of smart charging services for electric vehicles is appreciated.
In terms of a holistic approach to protecting Europe’s cyber-resilience, the European Parliament’s proposal to include higher education and research institutions in the list of essential entities is much appreciated. Especially for collaborations and cooperation between enterprises and research institutions, it is very important that both partners apply high cyber security standards. Thereby, know-how developed in European research and higher education entities will be better protected against espionage. This ultimately contributes to safeguarding Europe’s digital sovereignty.
- clear definitions: A clear definition of the “type of entity” in Annex I and II would be desirable.
- cloud computing service providers: The term “cloud computing service providers” (Annex I No. 8) is too wide and imprecise. The current wording includes not only the providers of mere distributed storage and computing capacities, but also software providers who offer storage in a cloud in connection with their virtually usable software products. Due to the further virtualisation of information technology, the very broad definition could lead to an increasing number of services falling into this category. Hence, the NIS 2-Directive should distinguish between “digital service providers” on the one hand, and users, such as “enterprises” or “operators of essential services”, on the other hand, who in turn require “digital services” as a basis for providing their services. Only providers of cloud-based software products whose services enable essential utility services should fall under the Directive’s scope. In contrast, companies which use a “digital service” to provide their SaaS, without the focus of their own SaaS being on the provision of cloud capacity to users, should be explicitly excluded from the Directive’s scope.
- providers of online marketplaces: Providers of online marketplaces (Annex II No. 6) are classified as “important entities”. Again, the EU Commission does not explicitly distinguish between entities whose service is primarily based on an online marketplace and those entities who merely “offer” an online marketplace as a subordinate service to another business activity. Such “second order” online marketplaces should be excluded from the Directive’s scope.
Proposed changes to the legislative text:
Article 2:
(1) This Directive applies to public and private essential and important entities of a type referred to as essential entities in Annex I and as important entities in Annex II that provide their services or carry out their activities within the Union. This Directive does not apply to small and medium enterprises or microenterprises within the meaning of Article 2(2) and (3) of the Annex to Commission Recommendation 2003/361/EC, except for those SMEs that are suppliers of critical hardware and software to essential entities or that can be defined as critical in any other way. Article 3 (4) of the Annex of that Recommendation is not applicable.