Cybersecurity risk management measures (Article 18)

Summary of legislative proposal:

Essential and important entities have to ensure a level of security of network and information systems appropriate to the risk presented, including at least (a) risk analysis and information system security policies; (b) incident handling; (c) business continuity, such as backup management and disaster recovery, and crisis management; (d) supply chain security including security-related aspects concerning the relationships between each entity and its suppliers or service providers; (e) security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure; and (f) policies and procedures (training, testing and auditing) to assess the effectiveness of cybersecurity risk management measures. The ITRE Committee suggests as additional measures: (fa) basic computer hygiene practices and cybersecurity training; (fb) the use of cryptography, such as encryption, where appropriate; and (fc) the use of multi-factor authentication or continuous authentication solutions, secured voice, video and text communications and secured emergency communications systems within the entity, where appropriate.

The Commission is empowered to adopt delegated acts to supplement the elements laid down in paragraph 2 to take account of new cyber threats, technological developments or sectorial specificities as well as to supplement this Directive by laying down the technical and the methodological specifications of the measures referred to in paragraph 2.

BDI’s position:

While German industry recognises the necessity to outline basic cybersecurity risk management measures for network and information systems that all essential and important entities have to fulfil, the co-legislators must ensure that the IT security personnel can focus on IT security rather than on filling in forms and being occupied by reporting obligations.

We call on the European Commission, the European Parliament and Member States to introduce cybersecurity risk management measures for network and information systems that provide a high degree of legal certainty for essential and important entities. Therefore, instead of referring to the “state of the art”, which leaves ample room for evaluators, after an incident has happened, to conclude that not all potential state-of-the-art capabilities have been applied, a reference to (minimum) standards should be introduced. Since Article 18 paragraph 2f as well as recital 45a stress the necessity that essential and important entities should provide cybersecurity training for their employees, this requirement should be deleted from Article 17, as the latter article is concerned with the governance within the entities rather than the organisational measures they have to adopt in order to enhance the cyber resilience of their entity.

As the European Commission proposed a directive and not a regulation, thereby providing Member States with a certain degree of flexibility when implementing the requirements stipulated in the NIS 2 Directive, the potential later adoption of delegated acts specifying technical and methodological specifications of cybersecurity risk management measures pursuant to Article 18 seems counterintuitive. When the European Commission adopts such delegated acts, it must ensure consistency between already existing national requirements and those to be adopted by the EU Commission. In addition, enough time for implementing such specifications must be provided.

Moreover, the proposal remains unclear concerning the concrete implications of the requirements stipulated in Article 18 number 2d concerning “supply chain security”. Number 2d includes “security-related aspects concerning the relationships between each entity and its suppliers or service providers”. It is