Definitions (Article 4)
Summary of legislative proposal:
Article four defines several terms, among them “network and information system” and “near miss”.
BDI’s position:
Clear and unambiguous definitions are of utmost importance in order to ensure legal certainty. To this end, German industry urges the European Commission, the European Parliament and the European Council to revise the proposed definition of “network and information systems”. The current definition does not specify that the “device or group of inter-connected or related devices” described in letter 1 b are only those devices that are integrated into the IT or OT system of an essential or important entity. Since the aim of the NIS 2-Directive is to ensure the integrity, availability and operational capacity of essential and important entities, the respective definition of “network and information systems” should be limited to those devices that are of paramount importance for guaranteeing these goals.
BDI welcomes the inclusion of a clear and unambiguous definition of ‘near miss’ as it provides entities with regulatory clarity. It is equally important that a ‘near miss’ does not impose additional obligations but only empowers entities to exchange information as foreseen in Art. 26 paragraph 1.
A company’s internal cybersecurity measures, such as internal security and penetration tests or scans, could lead to an “incident”. Therefore, the definition of “incident” should be narrowed in such a way that these internally triggered incidents fall outside the scope of the Directive. To this end, we propose integrating “unwanted or unexpected” into the definition.
The European Commission must introduce a definition of management bodies that outlines who is the addressee of the requirements pursuant to Article 17. We propose a definition similar to the one introduced by Directive 2013/36/EU (CRD).
Proposed changes to the legislative text:
(1) ‘network and information system’ means:
a) an electronic communications network within the meaning of Article 2(1) of Directive (EU) 2018/1972;
b) any device or group of inter-connected or related devices, one or more of which, pursuant to a program, perform automatic processing of digital data, which are integrated into the IT and/or OT system of an essential or important entity pursuant to Article 2 of this directive and there fulfil functionalities that are of importance for the proper security, operational capacity, integrity and/or availability of the entity;
c) digital data stored, processed, retrieved or transmitted by elements covered under points (a) and (b) for the purposes of their operation, use, protection and maintenance;
(5) ‘incident’ means any unwanted or unexpected event compromising the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or of the related services offered by, or accessible via, network and information systems;
(27) ‘management body’ means an institution's body or bodies, which are appointed in accordance with national law, which are empowered to set the institution's strategy, objectives and overall direction,