ITRE-Amendments to NIS 2-Directive


POSITION | CYBERSECURITY | EUROPEAN LEGISLATION

German industry’s position on the ITRE Committee’s amendments to the Commission proposal for a Directive on measures for a high common level of cybersecurity across the Union, repealing Directive (EU) 2016/1148

July 2021

Executive Summary

German industry welcomes the European Commission’s aim to significantly strengthen Europe's cyber-resilience and to create a regulatory level playing field for essential and important entities across the European Union. Cyber and IT security are the basis for a long-term secure digital transformation. All those involved – from hardware and software manufacturers to commercial operators, government agencies and private users – must be actively and holistically involved in strengthening cyber-resilience. German industry will continue to make its contribution to this, because a high degree of cyber-resilience is a prerequisite for the smooth functioning of highly digitalised processes in companies.

In light of the amendments 92 to 600 proposed by members of the ITRE Committee, German industry wishes to stress the need for a high degree of European harmonisation on cybersecurity legislation. To ensure that the NIS 2 Directive will at the same time not overstrain companies, German industry espouses the following further amendments to the Commission’s NIS 2 proposal:

▪ scope (Article 2 & Annex I+II): While we recognise the necessity to broaden the scope, all SMEs falling into the sectors outlined in Annex I and II should be exempted from the scope, apart from those SMEs that are suppliers of critical hardware and software to essential entities.

▪ definitions (Article 4): BDI urges the co-legislators to alter the proposed definitions of “network and information system”, “online marketplaces” and “cloud computing services”. Also, a definition of “management bodies” should be introduced in the NIS 2 Directive.

▪ ENISA’s cybersecurity report (Article 15): ENISA publishing a biennial report that includes merely general information will not augment the EU’s cyber-resilience. Rather, ENISA should publish online up-to-date information on cybersecurity incidents.

▪ management bodies (Article 17 in conjunction with 29): We recognise the responsibility of management bodies for the cybersecurity strategy of an entity. However, no single member should be held accountable for any cybersecurity-related misconduct. We urge the Commission to publish binding recommendations on what constitutes sufficient knowledge and skills.

▪ fines (Article 31): In order to ensure that all entities implement the cybersecurity risk mitigation measures laid down in Article 18 and fulfil their reporting obligations pursuant to Article 20, the introduction of administrative fines seems justified. We advocate for a maximum of two million Euros and a deletion of any reference to percentages of annual turnover.

This paper contains a discussion of selected amendments. For our detailed position, please see: https://english.bdi.eu/publication/news/policy-paper-on-eu-commission-proposal-for-a-nis-2-directive/

Steven Heckler | Digitalisation and Innovation | T: +49 30 2028-1523 | s.heckler@bdi.eu | www.bdi.eu


ITRE-Amendments to NIS 2-Directive by Bundesverband der Deutschen Industrie e.V. - Issuu