POSITION | CYBERSECURITY | EUROPEAN LEGISLATION
Towards an NIS 2 Directive that is implementable for Europe’s industry Developing a holistic approach from the European Commission’s, European Parliament’s and European Council’s positions
14 January 2022 Enhancing Europe’s cyber-resilience while delivering an implementable regulatory framework for industry With the adoption of the General Approach by the European Council on December 2, 2021 and the adoption of the ITRE Committee’s report on October 28, 2021, the co-legislators have now formulated their opinions on the EU Commission’s proposal for an NIS 2 Directive. German industry appreciates the speedy dealing with this file by the co-legislators, which is doing justice to the importance of the regulatory file under consideration. Cyber and IT security are the basis for a long-term secure digital transformation of the state, economy and society. For the upcoming trilogue negotiations between the co-legislators, German industry below details which proposals it would prefer to see in the final text of the NIS 2 Directive in order to ensure that Europe’s cyber-resilience will be enhanced holistically while simultaneously ensuring that the respective regulatory requirements can be implemented by the entities falling within the scope of the directive. Nota bene: BDI’s paper takes as a baseline the assumption that only those points that have been raised by any of the three co-legislators have a chance to be included into the Directive’s final wording. Therefore, we do not flag again those points that we would have appreciated to be changed, introduced or delete but rather compare the available three options and outline our preferred one, even if this option does not mirror our preferences as stated in earlier position papers. Nevertheless, we want to emphasize again that every actor along value chains – from hardware manufacturers and software developers to commercial operators, government agencies and private users – must be actively and holistically involved in strengthening Europe’s cyber-resilience. The European co-legislators must ensure that all these actors are obliged by regulations to contribute their share to prevent cyber-incidents. Henceforth, the European Commission should utilise the announced Cyber Resilience Act to complement the NIS 2 Directive. Recital 54 encryption (recital 54) preferred approach: European Parliament’s Compromise Agreement German industry appreciates the more positive language introduced by the European Parliament’s compromise agreement of recital 54 which recognises the importance of encryption and other cybersecurity measures. We urge the co-legislators to refrain from any measure that could weaken encryption. Cryptographic methods (e.g. end-to-end cryptography) strengthen trust in digital communication tools and help protect entities from espionage and sabotage, hence, they must be legally safeguarded.
Steven Heckler | Digitalisation and Innovation | T: +49 30 2028-1523 | S.Heckler@bdi.eu | www.bdi.eu