Cybersecurity information-sharing arrangements (Article 26)
companies defined as companies of particular public interest pursuant to Germany’s IT Security Act 2.0 will already have to register at the BSI, the EU’s proposal will increase the administrative burden for these companies. Therefore, we urge the co-legislators to ensure that a registration only has to be conducted once at ENISA and that ENISA will provide national competent authorities with all necessary information. If the registry is to be created, all information shared with ENISA needs to be treated with the highest degree of confidentiality. Moreover, effective cybersecurity measures, including encryption, would need to be in place to protect the information in such a registry.
Proposed changes to the legislative text:
To ensure that essential and important entities have to register only once, we propose the following amendment to the proposal:
3. Upon receipt of the information under paragraph 1, ENISA shall forward it to the single points of contact depending on the indicated location of each entity’s main establishment or, if it is not established in the Union, of its designated representative. Where an entity referred to in paragraph 1 has besides its main establishment in the Union further establishments in other Member States, ENISA shall also inform the single points of contact of those Member States.
Entities shall only be obliged to report the information under paragraph 1 to ENISA and not in addition to the single points of contact in the Member States. ENISA shall ensure the exchange of this information with national competent authorities.
Cybersecurity information-sharing arrangements (Article 26)
Summary of legislative proposal:
Member States shall ensure that essential and important entities may exchange relevant cybersecurity information among themselves, including information relating to cyber threats, vulnerabilities, indicators of compromise, tactics, techniques and procedures, cybersecurity alerts and configuration tools, where such information sharing aims to prevent, detect, respond to or mitigate incidents, or enhances the level of cybersecurity. Member States shall ensure that the exchange of information takes place within trusted communities of essential and important entities based on information-sharing arrangements.
BDI’s position:
German industry appreciates this proposal since experience from the UP KRITIS, the German public private partnership bringing together experts from operators of critical entities and representatives of government agencies, showcases the benefits of a regular exchange on cybersecurity topics between such companies and respective public authorities. German industry welcomes that apart from essential and important entities, also other relevant entities not covered by the scope of the NIS 2-Directive may join the exchange of such information. Member States must ensure that exchange within these groups remains confidential and based on mutual trust, while providing as many companies as possible with access to such a forum.
In order to ensure the protection of intellectual property and business know-how, the extent and scope of this exchange need to be clearly defined. Moreover, it has to be ensured that all essential and important entities can join such cybersecurity information sharing arrangements. Experiences with nonprofit platforms such as the German CERT Association (“Deutscher CERT Verbund”) and the CERT@VDE have also proven for years that trustful cooperation based on a voluntary commitment by companies works well.