Position on the EU Commission’s review of the NIS Directive


Feedback on Inception Impact Assessment NIS Directive

networked devices. 4 The advancing spread of digital technologies is creating a wide range of new opportunities for both private and commercial user groups. However, as previously mentioned, digitalisation also poses numerous challenges with regard to safety and security, as well as privacy. While some of these potential challenges, such as those regarding safety, are already adequately and holistically addressed, other areas still require a more holistic regulatory approach. These can result in additional risks for everyone’s health, as well as for the environment, the economy and public safety at large. These risks can be countered by targeted technical (such as security-by-design), regulatory (unambiguous and holistic regulatory framework) and behavioural measures (e.g. cyber-hygiene). In this way, the remaining residual risks are kept within acceptable limits. Therefore, the European Union should adopt a holistic approach to cybersecurity, which can only be achieved with the inclusion of all players in the Digital Value Chain. This can be achieved if the NIS Directive, which regulates the resilience and security of critical infrastructures, and product-related regulations on cybersecurity work hand in hand.

Revising the NIS Directive: Towards enhanced EU-wide harmonisation of cybersecurity requirements for OES and DSP

When introducing more harmonised elements in the process of identifying OES, as well as when expanding the scope of the Directive to cover further sectors or services, the process should follow a risk-based and layered approach combined with an impact assessment of the potential implications for the competitiveness of European companies. The existing inconsistencies in applying the NIS Directive should not be addressed simply by extending these areas of application to all member states, as most of them stem from services identified in only some of the member states.
The NIS Directive deliberately provides a flexible framework for the identification of sectors of OES, allowing member states a certain degree of flexibility and allowing for national and sectoral specificities. A targeted regulatory intervention should, therefore, strive for an EU-wide harmonisation of cybersecurity regulations (incl. definitions of sectors falling under the scope of the NIS Directive). While harmonising the scope of the NIS is important, national authorities should nonetheless be provided with a certain leeway in the identification process so that national and sectoral specificities can be accommodated. The same considerations should apply in the context of a future alignment at the EU-level of thresholds above which a company operating in an OES-sector has to fulfil

4 CISCO. 2019. Visual Networking Index: Forecast Highlights Tool. https://www.cisco.com/c/m/en_us/solutions/service-provider/vni-forecast-highlights.html#

www.bdi.eu
