POSITION | CYBERSECURITY | EUROPEAN LEGISLATION
Towards an NIS 2 Directive that is implementable for Europe's industry
Developing a holistic approach from the European Commission's, European Parliament's and European Council's positions
14 January 2022

Enhancing Europe's cyber-resilience while delivering an implementable regulatory framework for industry

With the adoption of the General Approach by the European Council on 2 December 2021 and the adoption of the ITRE Committee's report on 28 October 2021, the co-legislators have now formulated their positions on the European Commission's proposal for an NIS 2 Directive. German industry appreciates the speed with which the co-legislators have dealt with this file, which does justice to the importance of the regulatory file under consideration. Cyber and IT security are the basis for a secure, long-term digital transformation of the state, economy and society.

For the upcoming trilogue negotiations between the co-legislators, German industry details below which proposals it would prefer to see in the final text of the NIS 2 Directive, in order to ensure that Europe's cyber-resilience is enhanced holistically while the resulting regulatory requirements remain implementable by the entities falling within the scope of the Directive.

Nota bene: BDI's paper takes as a baseline the assumption that only those points that have been raised by at least one of the three co-legislators have a chance of being included in the Directive's final wording. Therefore, we do not flag again those points that we would have liked to see changed, introduced or deleted, but rather compare the three available options and outline our preferred one, even where this option does not mirror our preferences as stated in earlier position papers. Nevertheless, we want to emphasise again that every actor along the value chain – from hardware manufacturers and software developers to commercial operators, government agencies and private users – must be actively and holistically involved in strengthening Europe's cyber-resilience. The European co-legislators must ensure that all these actors are obliged by regulation to contribute their share to preventing cyber-incidents.
Hence, the European Commission should use the announced Cyber Resilience Act to complement the NIS 2 Directive.

Encryption (recital 54)
Preferred approach: European Parliament's Compromise Agreement

German industry appreciates the more positive language introduced by the European Parliament's compromise agreement on recital 54, which recognises the importance of encryption and other cybersecurity measures. We urge the co-legislators to refrain from any measure that could weaken encryption. Cryptographic methods (e.g. end-to-end encryption) strengthen trust in digital communication tools and help protect entities from espionage and sabotage; hence, they must be legally safeguarded.
Steven Heckler | Digitalisation and Innovation | T: +49 30 2028-1523 | S.Heckler@bdi.eu | www.bdi.eu
Scope (Article 2 in conjunction with Annex I and II)

Article 2: size cap
Preferred approach: none

While German industry recognises the necessity of broadening the scope, all SMEs falling into the sectors outlined in Annex I and II should be exempted from the scope, apart from those SMEs that are suppliers of critical hardware and software to essential entities. While the European Council's proposal to classify medium-sized entities in a sector listed in Annex I as important rather than as essential entities is a positive step, as it will limit the effort for the respective companies (cf. Article 2 bis), German industry would have appreciated an exemption for most SMEs from the NIS 2 scope. As we regard such an exemption as rather unlikely – especially in light of the language proposed by Council and Parliament – we urge the co-legislators to rephrase the wording on SMEs in Article 2 on the basis of the Council's General Approach. However, we also see a need for clarification of the Council's language, especially concerning entities that "meet and exceed" the ceilings for medium-sized companies.

Article 2: public administration
Preferred approach: European Commission / European Parliament

In light of recent cybersecurity incidents with severe implications for the operational capacity of NUTS-2 and NUTS-3 regions (cf. attacks on various cities and regions in Germany), we oppose the exemptions introduced by the European Council. As these entities handle very sensitive data and also offer vital public services, such as the approval of plans to build new production sites or the issuing of social benefits, we urge the co-legislators to refrain from any watering-down of the European Commission's proposal. Like privately managed entities, public administration entities must ensure a risk-based level of cybersecurity.
Therefore, all requirements emanating from Articles 17, 18 and 20 that private entities must implement must also be implemented by public administration. Public administration should lead by example in introducing risk-adequate cybersecurity measures.

Article 2 points (d) and (e): potential disruption
Preferred approach: European Parliament's Compromise Agreement

German industry welcomes the deletion of the references to "potential" in Article 2 paragraph 2 points (d) and (e). This significantly enhances regulatory clarity, as it reduces the possibility of arbitrariness or an overly broad reading of the Directive by Member States.

Annex I: inclusion of research institutions
Preferred approach: European Parliament's Compromise Agreement

German industry appreciates the inclusion of research institutions in the Directive's scope, since businesses often collaborate with these institutions on research projects. In terms of supply-chain security, and to prevent industrial espionage and sabotage, including in particular the larger entities of the various sectors of the value chain in the Directive's scope seems reasonable. Hence, we appreciate the inclusion of research institutions.

Annex I: inclusion of ICT service management (B2B)
Preferred approach: European Commission

German industry urges the co-legislators to refrain from any extension of the Directive's scope beyond the European Commission's proposal in terms of in-scope industry sectors. Rather, the EU-27 Member States should step up their ambitions in protecting the cyber-resilience of public administration at all levels, as these entities have also been among the prime targets of attacks in recent months.
Harmonisation (Article 2b General Approach and Article 3)
Preferred approach: European Council's General Approach

German industry welcomes the language introduced by the European Council clarifying that wherever sector-specific Union acts entail cybersecurity requirements that are at least equivalent to those introduced by NIS 2, these sector-specific Union acts take precedence. Hence, companies only have to comply with these sector-specific Union acts. However, in light of the already existing hotchpotch of legal acts addressing cybersecurity, we urge the co-legislators to increase the level of ambition and achieve complete harmonisation across sectors.

National cybersecurity strategy (Article 5)
Preferred approach: European Council's General Approach in conjunction with the European Parliament's Compromise Agreement, as outlined below

Since SMEs in particular face the problem of ensuring a risk-based level of cyber-resilience, the introduction of a single point of contact in each Member State that provides SMEs with guidance on ways to enhance their cybersecurity level would be very useful (Article 5 paragraph 1 point (e), European Parliament). As various actors currently provide SMEs with very valuable solutions and materials to enhance their cyber-resilience, SMEs are regularly overwhelmed by the abundance of information available and the measures they are expected to implement. Hence, non-discriminatory guidance on, and coordination of, these public and private offerings would be very useful. German industry appreciates that each EU Member State will be obliged to develop a national cybersecurity strategy defining strategic objectives and appropriate policy and regulatory measures in order to achieve a high level of cybersecurity. To enhance Europe's cyber-resilience, it will be of utmost importance that the cybersecurity strategies of the EU-27 Member States are highly compatible.
In addition, increased cooperation among competent authorities is crucial to this end. This applies to cybersecurity-related threats as well as to non-cybersecurity-related threats. Therefore, we appreciate that the European Council's General Approach stresses the need for intensified cooperation – both on matters concerning the intersection between the NIS 2 and the CER Directive and between competent cybersecurity authorities (cf. Article 5 paragraph 1 points (f) and (fa) General Approach).

As the cyber threat landscape is constantly evolving, regular adaptation of national cybersecurity strategies is crucial. However, to give policymakers and other cybersecurity actors a better chance to implement the measures introduced by a national cybersecurity strategy, reducing the frequency of reviewing the strategy from every four to every five years is sensible (cf. Article 5 paragraph 4 General Approach). Most EU Member States do not have a weakness in terms of strategy but rather in implementation; therefore, prolonging the review period to five years is the right step.

Efficient state cyber defence (cf. Article 5 paragraph 2 point (hb) European Parliament) is an indispensable component for maintaining cybersecurity, and thus public security, in the modern information and communication society. At the same time, a discussion on the further development of state instruments is necessary, to take into account the dynamics of the threat situation in cyberspace and its impact on each Member State's security. A spiral of escalation between Member States, as well as with national and international cyber-criminals, must be avoided. The development of international rules for responsible state behaviour in cyberspace would therefore be preferable to the development of purely national approaches. Active cyber defence / hackbacks must therefore not be an instrument of the private sector or of private persons and institutions. Rather, it can only be a civil or military defence measure of a state within the framework of its monopoly on the use of force, taking into account all – also unintended – consequences (false attributions, collateral damage etc.). German industry also strictly rejects any obligation on providers and other companies to cooperate in such measures.

Coordinated vulnerability disclosure and a European vulnerability registry (Article 6)
Preferred approach: European Commission, with the changes and additions by the European Parliament's Compromise Agreement and the European Council's General Approach as stated below

German industry appreciates the European Commission's approach of addressing cyber-resilience holistically and thereby also paying closer attention to the cyber-resilience of products and services. Any security vulnerability, regardless of whether it is an unintentional bug in a product or an intentional backdoor, should be included in the registry. Manufacturers of such products and developers of such services should not only be obliged to report security gaps but also to close them swiftly. In order to keep the effort for everyone involved as low as possible, the European Commission – together with ENISA – needs to implement a lean and efficient reporting process. The European Parliament's approach of leveraging the global Common Vulnerabilities and Exposures (CVE) system does justice to the global nature of developing and selling ICT services and products. Therefore, the co-legislators should include the reference to CVE as proposed by the European Parliament (cf. Article 6 paragraph 2 sentence 1). As information concerning vulnerabilities is highly sensitive – especially as long as no patch or update is available and distributed among the users of the affected product or service – it is much appreciated that both the European Parliament and the European Council included language concerning the security and integrity of the vulnerability database.
The co-legislators should agree on the inclusion of this language and act accordingly when setting up the vulnerability register, which has to comply with the highest standards of integrity, reliability and confidentiality.

ENISA's cybersecurity report (Article 15)
Preferred approach: none

An ENISA biennial report containing merely general information will not augment the EU's cyber-resilience. As neither the European Parliament nor the Council agreed on substantive changes to the Commission's proposal, we cannot support any of the three existing options. Rather, ENISA should publish up-to-date information on cybersecurity incidents online on a daily basis. Such concrete and actionable information would be much more valuable, for example in situations such as the Log4j vulnerability. In contrast, a report every two years will only provide a general overview, which will be of no help, especially for SMEs.

Management bodies (Article 17)
Preferred approach: European Commission

BDI recognises that management bodies are responsible for the cybersecurity strategy of an essential or important entity. This step will help to significantly increase awareness of cybersecurity issues among top-level management. However, we regard it as important that the co-legislators recognise that members of management bodies of essential and important entities rely on IT security personnel possessing the necessary qualifications to develop and implement an entity's cybersecurity strategy. Therefore, BDI welcomes the language introduced by the European Council, as it clarifies that the management has to oversee the implementation of risk-adequate cybersecurity measures while at the same time softening the language on accountability ("can be accountable"). In contrast, however, we oppose the Council's language on public authorities. Regardless of the ownership of an entity, all entities falling within the Directive's scope should have to comply with the same set of obligations and measures, depending on their classification as essential or important.
Hence, we reject the European Council's proposal to exempt public entities from the obligations concerning members of the management body. Moreover, the co-legislators should refrain from inserting additional requirements with which essential and important entities have to comply into Article 17. Rather – and if deemed really necessary – such cybersecurity measures should be integrated into Article 18. The European Parliament's insertion of requirements concerning the training of employees into Article 17 is misplaced, as it belongs among the cybersecurity measures that an entity should implement, i.e. in Article 18.

Cybersecurity measures (Article 18)

Article 18 paragraph 1a (General Approach)

German industry appreciates that the European Council intends to apply an all-hazards approach to the protection of network and information systems and their physical environment. German industry would have appreciated it if the European Commission had merged its proposals for an NIS 2 Directive and a Critical Entities Resilience (CER) Directive. In light of the strong intertwining of analogue and digital risks, a holistic approach to enhancing the resilience of entities is much needed. Therefore, we would appreciate it if the co-legislators discussed the NIS 2 and the CER Directive in parallel, to ensure that the all-hazards approach is achieved across both dossiers.

Article 18 paragraph 1
Preferred approach: European Council's General Approach in conjunction with the European Parliament's Compromise Agreement

German industry welcomes the risk-based approach adopted by the European Council. The co-legislators need to ensure that entities falling within the Directive's scope have to implement only those measures that make sense in terms of protecting them against cyber threats that would have far-reaching implications for their main business activities.
We also welcome the language by the European Parliament referring to the state of the art as well as to international and European standards.

Article 18 paragraph 2

In general, German industry perceives the cybersecurity measures introduced by the NIS 2 Directive as highly prescriptive. We urge the co-legislators to give entities falling within the scope of the Directive greater leeway in deciding which measures they have to implement to protect their business from cyber threats and which are voluntary. Nonetheless, we recognise the importance of basic computer hygiene practices and cybersecurity training; the use of cryptography, such as encryption; and the use of multi-factor authentication or continuous authentication solutions, secured voice, video and text communications and secured emergency communication systems within the entity, as proposed by the European Parliament in Article 18 paragraph 2 points (fa), (fb) and (fc). However, it should always be the entity's decision which measures it deems necessary in which part(s) of the entity.

EU coordinated risk assessments of critical supply chains (Article 19)
Preferred approach: European Parliament's Compromise Agreement

Based on the experience of the EU's coordinated risk assessment on 5G, German industry welcomes the proposal to conduct such risk assessments of critical supply chains. The risk assessment should be based on genuine risks and take a vendor-independent approach. The identification of critical ICT services, systems and products should be hierarchical and focus on core and sensitive functions. In any case, the measures proposed after such an analysis must be proportionate and always provide for a sufficient implementation period. We appreciate the European Parliament's insertion of consultations with stakeholder groups.
Reporting obligations (Article 20)

Article 20 paragraph 1: incident reporting channel

In contrast to the European Parliament's compromise agreement, the co-legislators should refrain from requiring incident reporting to CSIRTs and rather maintain the established incident reporting channels to the national competent authority.

Article 20 paragraph 2: provision of information to users
Preferred approach: European Parliament's Compromise Agreement

In order to enhance Europe's cyber-resilience holistically, BDI regards it as necessary that all actors have the information they need to contribute to enhanced cyber-resilience. Therefore, it is sensible to require essential and important entities to provide the users of their services with information on protective measures or remedies for incidents and known risks. However, only those recipients of services that are affected by a cyber-incident should be informed. Therefore, BDI welcomes the deletion of the word "potentially" by the European Parliament. Thereby, the Directive focuses on real incidents with real consequences for users of a service.

Article 20 paragraph 3: defining the significance of a cybersecurity incident
Preferred approach: European Parliament's Compromise Agreement

German industry welcomes that the European Parliament suggests criteria for establishing whether or not an incident qualifies as significant. In this regard, it is much appreciated that incidents shall only qualify as significant if they have caused real consequences, as the European Parliament deleted all references to "potential" from this paragraph. However, the co-legislators should note that some of the information listed by the European Parliament will require an in-depth analysis of an incident. Hence, it will not be available within 24 hours.
Article 20 paragraph 4: timing of reporting
Preferred approach: European Parliament's Compromise Agreement in conjunction with the European Commission's proposal and the European Council's General Approach

German industry appreciates the extension of the reporting period to 72 hours for some incidents as proposed by the European Parliament. However, we doubt that it will be feasible to place an incident in one of the three categories established in Article 20 paragraph 4 point (a) (European Parliament). In general, we urge the co-legislators to extend the reporting period for all incidents to 72 hours – especially for important entities. It is of utmost importance that essential and important entities can focus first on measures to minimise the implications of a successful cyber-incident, rather than having to fulfil reporting obligations. Therefore, companies should be required to notify competent authorities within 72 hours after identifying a successful attack. Furthermore, CSIRTs should be allowed to ask for a maximum of one interim report. Rather than creating a huge amount of bureaucracy by requiring entities to hand in several reports, as proposed by the European Parliament with the introduction of a comprehensive report and an additional final report, incident mitigation and the prevention of future incidents should be the aim. Therefore, the requested comprehensive and final reports should not exceed two pages and ideally should be merged into one final report after the incident handling has been completed, i.e. following the initial idea of the European Commission, which is supported by the Council.
Article 20 paragraph 4a: establishing a single entry point
Preferred approach: European Parliament's Compromise Agreement

German industry appreciates that Member States shall provide entities with a single entry point for all notifications required under the NIS 2 Directive and other relevant Union law. Establishing such a one-stop shop is a very useful step. In light of the reporting obligations under the Critical Entities Resilience Directive, the NIS 2 Directive and the GDPR, such a single entry point is of paramount importance to minimise bureaucracy. As a second step, the single entry point should provide forms that allow the reporting of cases which fall under more than one act of Union law, such as a significant cybersecurity incident pursuant to NIS 2 that is also a personal data breach pursuant to the GDPR.

Article 20 paragraph 5: information sharing
Preferred approach: European Parliament's Compromise Agreement

German industry welcomes the concept of information sharing on cyber-incidents in paragraph 5. In line with our comments on paragraph 1, the national competent authority should be given this possibility.

Use of European cybersecurity certification schemes (Article 21)

Article 21 paragraph 1: utilisation of certified solutions
Preferred approach: European Council's General Approach in conjunction with the European Parliament's Compromise Agreement

German industry appreciates that the European Council recognises in its wording of Article 21 paragraph 1 that it is not the obligation of an essential or important entity that wishes to use an ICT product, service or system to certify that product, service or system, but rather the obligation of the producer of the respective ICT product, service or system. However, we see the need to significantly broaden the possible basis for certification beyond cybersecurity schemes developed under the EU Cybersecurity Act.
Therefore, we appreciate the European Parliament's approach, which foresees the inclusion of internationally recognised certification schemes as a basis for certification.

Article 21 paragraph 2: categories of entities that have to utilise certified products
Preferred approach: European Commission, with the procedural clarification of the European Council's General Approach

BDI urges the co-legislators to limit the categories of entities that have to use certified products to essential entities, as proposed by the European Commission. In accordance with our comments above, however, we appreciate the clarification by the European Council stressing that it is not the duty of the respective essential entity to certify these products under a scheme – that is the duty of a producer or service provider – but rather "to use certain certified ICT products, services and processes".

Supervision (Article 29)

Article 29 paragraph 2: competences of national competent authorities
Preferred approach: European Council's General Approach

We recognise that supervision and enforcement are necessary to achieve a European level playing field. However, these measures must be proportionate, and the European Parliament's proposals are in part excessive. Considering the shortage of qualified IT professionals, these professionals should primarily support entities in enhancing their cyber-resilience rather than conducting annual audits of essential entities. We urge the co-legislators to delete the reference to "annual" or at least to clarify that competent authorities are allowed to conduct a maximum of one audit per year per entity.
German industry opposes the idea that entities shall pay the costs of audits on an annual basis. We appreciate the language introduced by the European Council in Article 29 paragraph 2 point (d) stressing that security scans shall be conducted in cooperation with the entity concerned. This is of utmost importance to ensure the safety and security of these entities.

Article 29 paragraph 2a: competent authorities exercising their powers
Preferred approach: European Council's General Approach

German industry appreciates the stipulation in paragraph 2a that, when exercising their powers under points (a) to (d) of paragraph 2, the competent authorities shall minimise the impact on the business processes of the essential entity.

Article 29 paragraph 4: issuing binding instructions
Preferred approach: European Parliament's Compromise Agreement

As the European Parliament enables the competent authorities to issue binding instructions, including instructions regarding measures necessary to prevent or remedy an incident, as well as time-limits for the implementation of such measures and for reporting on their implementation (cf. Article 29 paragraph 4b), the competent authority, when exercising its competences pursuant to this article, must take into account the existing and ever-increasing lack of IT security specialists. Hence, German industry urges the national competent authorities to provide companies with realistic time-limits.

Article 29 paragraph 4 point (i): statement identifying the natural or legal person responsible for an infringement
Preferred approach: European Council's General Approach

We appreciate the deletion of Article 29 paragraph 4 point (i), as naming and shaming will not enhance Europe's cyber-resilience. In case of a cyber-incident, the combined effort of all concerned should be focused on mitigating the implications for Europe's society and industry rather than initiating an unnecessary blame game.
Article 29 paragraph 5b: responsibilities of members of management bodies
Preferred approach: European Parliament's Compromise Agreement

German industry appreciates that the ITRE Committee changed Article 29 paragraph 5b so that a temporary ban against any person holding managerial responsibilities at chief executive officer or legal representative level in that essential entity is now considered only as an ultima ratio. Moreover, we very much appreciate the deletion of any reference to other employees, as they do not have the necessary decision-making powers within an entity to implement certain measures regarded as necessary by law if a CEO withholds the money required for such activities. Therefore, we welcome the newly introduced language in comparison to previous wordings. To this end, the wording of paragraph 6 should mirror the wording of paragraph 5b. We condemn the special treatment foreseen for public administrations by the European Council. As recent cyber-attacks on public administrations illustrate, it is of utmost importance that leading officials in public entities also be held responsible for any cybersecurity-related misconduct, at least if the legislator wishes to introduce such responsibilities for private entities.
Supervision and enforcement for important entities (Article 30)

Article 30 paragraph 2: powers of competent authorities
Preferred approach: European Council's General Approach and European Commission

German industry opposes the idea introduced by the European Parliament that important entities shall pay the costs of targeted audits, especially since the Directive does not specify how often such an audit can be deemed necessary. The co-legislators must ensure that such audits are paid for by the competent national authority and cannot take place more than once a year, in order not to disrupt the entity's business processes disproportionately. Hence, we urge the co-legislators to refrain from including the following sentence in Article 30 paragraph 2: "The costs of such an audit carried out by a qualified independent body shall be paid by the entity concerned" (cf. EP compromise text).

Article 30 paragraph 2 point (c): security scans
Preferred approach: European Council's General Approach

German industry supports the text introduced by the European Council limiting security scans. Intrusive and unannounced "security scans" are problematic from a cybersecurity perspective as, if done incorrectly, they could trigger a cyber-incident of their own, for instance where active scans of legacy industrial control systems cause equipment to fail.

Article 30 paragraph 4 point (h): statement identifying the natural or legal person responsible for an infringement
Preferred approach: European Council's General Approach and European Parliament's Compromise Agreement

We appreciate the deletion of Article 30 paragraph 4 point (h), as naming and shaming will not enhance Europe's cyber-resilience. In case of a cyber-incident, the combined effort of all concerned should be focused on mitigating the implications for Europe's society and industry rather than initiating an unnecessary blame game.
Fines (Article 31)
Preferred approach: European Council's General Approach

To ensure that all entities implement and fulfil the measures and obligations pursuant to Articles 18 and 20, the introduction of administrative fines seems justified. However, such fines must always be proportionate. Therefore, we appreciate the range of fines proposed by the European Council. While we would have preferred the deletion of any reference to annual turnover, the differentiation between essential and important entities is much appreciated. The co-legislators should agree on the framework proposed by the European Council, i.e. EUR 4 million or two per cent of annual turnover in the case of essential entities, and EUR 2 million or one per cent of annual turnover in the case of important entities.

Cyber hygiene practices (recital 45a)
Preferred approach: European Parliament's Compromise Agreement

The new text (45a) proposed by the European Parliament is to be supported. Entities should always – based on a risk analysis – adopt a wide range of basic cyber hygiene practices. The European co-legislators should strive to support entities in fulfilling legally binding cybersecurity requirements by referring to European and international standards, rather than developing additional, country-specific requirements. By referring to European and/or international standards, the co-legislators will reduce the regulatory complexity and hotchpotch that is currently developing in the cybersecurity realm.
Imprint

Bundesverband der Deutschen Industrie e.V. (BDI) / Federation of German Industries
Breite Straße 29, 10178 Berlin
www.bdi.eu
T: +49 30 2028-0
EU Transparency Register: 1771817758-48

Editor
Steven Heckler
Deputy Head of Department Digitalisation and Innovation
T: +49 30 2028-1523
s.heckler@bdi.eu
BDI document number: D 1480