NIS 2-Directive: Position on ITRE Draft Report


POSITION | CYBERSECURITY | EUROPEAN LEGISLATION

NIS 2-Directive

German industry’s position on the ITRE Committee draft report for a Directive on measures for a high common level of cybersecurity across the Union, repealing Directive (EU) 2016/1148

31st May 2021

Executive Summary

German industry welcomes the European Commission’s aim to significantly strengthen Europe's cyber-resilience and to create a level playing field for essential and important entities across the European Union. Cyber and IT security are the basis for a long-term secure digital transformation of the state, economy and society. All those involved – from hardware and software manufacturers to commercial operators, private users and government agencies – must be actively and holistically involved in strengthening cyber-resilience. German industry will continue to make its contribution to this, because a high degree of cyber-resilience is a basic prerequisite for the trouble-free functioning of highly digitalised processes in companies.

While the EU Commission’s proposal strikes a good balance between targeted regulatory interventions and strengthening the EU’s cyber-resilience holistically, German industry regards it as of utmost importance to amend the Commission’s proposal. In this regard, we welcome most amendments proposed in the ITRE draft report by rapporteur Bart Groothuis, MEP. Nonetheless, we still see the necessity for, inter alia, the following additional alterations:

▪ Scope (Article 2 & Annex I+II): While we recognise the necessity to broaden the scope, all SMEs falling into the sectors outlined in Annex I and II should be exempted from the scope, apart from those SMEs that are suppliers of critical hardware and software to essential entities.

▪ Definitions (Article 4): BDI urges the co-legislators to alter the proposed definitions of “network and information system”, “online marketplaces” and “cloud computing services”. Also, a definition of “management bodies” should be introduced in the NIS 2 Directive.

▪ ENISA’s cybersecurity report (Article 15): ENISA publishing a biennial report that includes mainly general information will not augment the EU’s cyber-resilience. Rather, ENISA should publish up-to-date information on cybersecurity incidents online.

▪ Management bodies (Article 17 in conjunction with Article 29): We recognise the responsibility of management bodies for the cybersecurity strategy of an entity. However, no single member should be held accountable for any cybersecurity-related misconduct. We urge the Commission to publish binding recommendations on what constitutes sufficient knowledge and skills.

▪ Fines (Article 31): In order to ensure that all entities implement the cybersecurity risk mitigation measures laid down in Article 18 and fulfil their reporting obligations pursuant to Article 20, the introduction of administrative fines seems justified. We advocate for a maximum of two million Euros and a deletion of any reference to percentages of annual turnover.

Steven Heckler | Digitalisation and Innovation | T: +49 30 2028-1523 | s.heckler@bdi.eu | www.bdi.eu
