POSITION | CYBERSECURITY | EUROPEAN LEGISLATION
NIS 2-Directive: Evaluation of the ITRE Committee’s compromise position
German industry’s adjusted position based on the ITRE Committee’s amendments to the EU Commission’s proposal for a NIS 2 Directive
29 November 2021
Executive Summary
German industry welcomes the European Union’s aim to significantly strengthen Europe's cyber-resilience and to create a level playing field for essential and important entities across the European Union. Cyber and IT security are the basis for a long-term secure digital transformation of the state, economy and society. All those involved – from hardware and software manufacturers to commercial operators, private users and government agencies – must be actively and holistically involved in strengthening cyber-resilience. German industry will continue to make its contribution to this, because a high degree of cyber-resilience is a basic prerequisite for the trouble-free functioning of highly digitalised processes in companies.
We very much appreciate the diligent work done by the European Parliament’s ITRE Committee and in particular rapporteur Bart Groothuis. Among the ITRE Committee’s positive amendments we would like to stress:
▪ encryption (recital 54): German industry appreciates the more positive language of recital 54 which recognises the importance of encryption and other cybersecurity measures. We urge the co-legislators to refrain from any measure that could weaken encryption. Cryptographic methods (e.g. end-to-end cryptography) strengthen trust in digital communication tools and help protect entities from espionage and sabotage, hence, they must be legally safeguarded.
▪ scope (Annex I): German industry appreciates the inclusion of research institutions into the Directive’s scope, since businesses often collaborate with these institutions on research projects. In terms of supply-chain security and the prevention of industrial espionage and sabotage, it seems reasonable to include especially the larger entities of the various sectors of the value chain in the Directive’s scope.
▪ supervision (Article 29): German industry appreciates that the ITRE Committee changed Article 29 paragraph 5b insofar as a temporary ban against any person holding managerial responsibilities at chief executive officer or legal representative level in that essential entity is now considered only as an ultima ratio. Moreover, we very much appreciate the deletion of any reference to other employees, as they lack the decision-making power within an entity to implement measures regarded as necessary by law if a CEO withholds the funds for such activities. Therefore, we welcome the newly introduced language in comparison to previous wordings. To this end, the wording of Paragraph 6 should mirror the wording of Paragraph 5b.
Nonetheless, German industry continues to see the need for far-reaching amendments to the NIS 2 Directive’s text. The proposed Directive should enhance Europe’s cyber-resilience holistically without introducing too much bureaucracy. To ensure that the NIS 2 Directive will at the same time not overstrain companies, German industry proposes the following further amendments to the NIS 2 proposal:
▪ harmonisation (Article 3 + entire directive): With the current proposal, the co-legislators again miss an opportunity to foster harmonisation and legal clarity and, at the same time, to reduce double regulation. During the trialogue, the co-legislators should create a coherent common level of cybersecurity within the internal market. Therefore, the relation between the NIS 2 Directive and sectoral cybersecurity obligations introduced by Union law must be clarified.
▪ scope (Article 2 & Annex I+II): While we recognise the necessity to broaden the scope, all SMEs falling into the sectors outlined in Annex I and II should be exempted from the scope, apart from those SMEs that are suppliers of critical hardware and software to essential entities.
▪ definitions (Article 4): BDI urges the co-legislators to alter the proposed definitions of “network and information system”, “online marketplaces” and “cloud computing services”. Also, a definition of “management bodies” should be introduced in the NIS 2 Directive.
▪ national cybersecurity strategy (Article 5): Efficient state cyber defence (Paragraph 2 point hb) is an indispensable component for maintaining cybersecurity. However, a spiral of escalation between countries as well as between national and international cyber-criminals must be avoided. The development of international rules for responsible state behaviour in cyberspace would therefore be preferable to the development of purely national approaches.
▪ ENISA’s cybersecurity report (Article 15): ENISA publishing a biennial report that includes merely general information will not augment the EU’s cyber-resilience. Rather, ENISA should publish up-to-date information on cybersecurity incidents online on a daily basis.
▪ management bodies (Article 17 in conjunction with 29): We recognise the responsibility of management bodies for the cybersecurity strategy of an entity. However, no single employee should be held accountable for any cybersecurity-related misconduct – this especially applies to those employees that do not have ultimate budgetary decision-making competences. We urge the Commission to swiftly publish – after having consulted with industry and other stakeholders – binding recommendations on what constitutes sufficient knowledge and skills.
▪ obligations, supervision and enforcement (Articles 18, 20, 29 and 30): While we recognise the need to include various sectors into the Directive’s scope to enhance cyber-resilience along value chains, we regard a better differentiation between essential and important entities in terms of obligations, cybersecurity measures, supervision and enforcement as important.
▪ reporting obligations (Article 20): We urge the co-legislators to prolong the reporting period for all incidents to 72 hours – especially for important entities. The number of reports should be limited to three – with a maximum of one intermediate report. National competent authorities must have sufficient resources to process this information in a timely manner.
▪ supervision and enforcement (Article 29): We recognise that supervision and enforcement are necessary to achieve a European level playing field. However, these measures must be proportionate, whereas the ITRE Committee’s proposals are excessive. Considering the massive shortage of qualified IT professionals, these professionals should primarily support entities in enhancing their cyber-resilience, rather than conducting annual audits of essential entities.
▪ fines (Article 31): To ensure that all entities implement and fulfil the measures and obligations pursuant to Articles 18 and 20, the introduction of administrative fines seems justified. However, we oppose the excessive fines proposed in Article 31. The co-legislators should limit fines to a maximum of two million Euros and should delete any reference to annual turnover.
Table of Contents
Executive Summary ... 1
The EU’s Cybersecurity Strategy 2020: Current cybersecurity situation requires holistic approach ... 4
In-detail discussion of the ITRE Committee’s compromise amendments to the EU Commission’s proposal for a NIS 2-Directive ... 5
Encryption (Number 54) ... 5
Scope: Article 2 in conjunction with the List of essential and important entities (Annex I and II) ... 6
Minimum harmonisation (Article 3) ... 9
Definitions (Article 4) ... 10
National cybersecurity strategy (Article 5) ... 11
Coordinated vulnerability disclosure and a European vulnerability registry (Article 6) ... 11
National cybersecurity crisis management frameworks (Article 7) ... 13
Requirements, technical capabilities and tasks of CSIRTs (Article 10) ... 13
Report on the state of cybersecurity in the Union (Article 15) ... 14
Management bodies of Essential and Important Entities (Article 17) ... 15
Cybersecurity risk management measures (Article 18) ... 16
EU coordinated risk assessments of critical supply chains (Article 19) ... 17
Reporting obligations (Article 20) ... 17
Use of European cybersecurity certification schemes (Article 21) ... 20
Standardisation (Article 22) ... 21
Jurisdiction and territoriality (Article 24) ... 22
ENISA registry (Article 25) ... 22
Cybersecurity information-sharing arrangements (Article 26) ... 23
Voluntary notification of relevant information (Article 27) ... 24
Supervision and enforcement for essential entities (Article 29) ... 24
Supervision and enforcement for important entities (Article 30) ... 26
General conditions for imposing administrative fines on essential and important entities (Article 31) ... 27
Review (Article 35) ... 28