Position Paper on the revised Directive on Security of Network and Information Systems (NIS 2.0)


Task Force NIS 2.0

NIS Directive 2.0

Position Paper

The Voice of the Social Market Economy

Wirtschaftsrat der CDU e.V.

Department of Innovation and Digital Affairs

Luisenstr. 44

10117 Berlin

Tel.: +49 (0) 30 / 240 87 - 150

E-Mail: digitales@wirtschaftsrat.de

Andreas G. Barke

Policy Officer, Innovation and Digital Affairs

Tel.: +49 (0) 30 / 240 87 - 227

E-Mail: a.barke@wirtschaftsrat.de

February 14, 2022

Position Paper on the revised Directive on Security of Network and Information Systems (NIS 2.0) – Executive Summary

The European Union (EU) and its Digital Single Market (DSM) have undergone a digital transformation that has been accelerated by the COVID-19 pandemic. Accordingly, the cybersecurity threat landscape is evolving rapidly and has become increasingly challenging. With the review process of the Directive on Security of Network and Information Systems (NIS 2.0), the EU institutions and the Member States are addressing the task of designing and agreeing on legislation that ensures a common level of harmonized security standards and regulations across the DSM.

In accordance with the European Commission’s priority to ensure that the EU remains fit for the digital age, and in order to catch up with the rest of the digitized world, the revised NIS 2.0 seeks to address the highlighted deficiencies of the current NIS Directive and of the EU’s cybersecurity landscape. The NIS 2.0 aims to strengthen the cyber-resilience of the EU and to create a level playing field for essential and important entities across the European market. For German companies, numerous challenges lie ahead in the implementation process of NIS 2.0.

The Economic Council of Germany (Wirtschaftsrat der CDU e.V.) has been monitoring the evolution of the NIS 2.0 since its first publication in 2020. A cross-sectoral task force collected recommendations, amendments, and suggestions to improve the current draft of the NIS 2.0. To increase the cyber-resilience, sovereignty, and security of the European Union and its Member States, the task force believes that the following challenges should be addressed:

● The NIS 2.0 needs to be flexible enough to cope with the ever-changing threat scenarios.

● The training and qualification of IT experts in the field of cyber security have not kept pace with the rapid evolution of the digital economy and its potential threats.

● To meet the demands of regulators, the implementation of new regulations, standards, and certification processes needs sufficient expertise and resources, which are currently missing in both the public and private sectors.

● One of the obvious shortcomings of the current NIS Directive is the fragmented degree of implementation on the national level across the EU. The parallel, sometimes overlapping coexistence of legislative acts and national laws creates legal uncertainty and confusion for businesses of all sizes. Lawmakers urgently need to address this regulatory inconsistency.


The Economic Council’s Task Force concludes the following ten points and aspects:

1. Defining a clear scope of the NIS Directive 2.0 to appropriately consider all organizations and entities having an impact on the digital supply chain.

2. Harmonizing the IT- and cybersecurity landscape within the EU to combat the growing complexity and dynamics of cyberattacks and to make implementation easier for entities.

3. Promoting secure end-to-end encryption without lawful access mechanisms such as back- and front doors for national authorities, to ensure security is not deliberately weakened.

4. Avoiding a one-way street when it comes to reporting security vulnerabilities, to allow all stakeholders to address security vulnerabilities as promptly as possible.

5. Strengthening cyber-resilience across Europe through cooperation among national Computer Security Incident Response Teams (CSIRTs).

6. Clarifying the roles of executives in regard to cyber security risk management and reporting, to clearly define responsibility and accountability.

7. Promoting the implementation of organizational cybersecurity for key employees to address increased cybersecurity risks, especially in digitally interconnected environments.

8. Granting extended reporting deadlines to cope with the complexity of cyber attacks in technical and organizational terms.

9. Implementing cybersecurity requirements contingent on the New Legislative Framework (NLF) and based on international standards, to avoid isolated national solutions and to foster compatibility and transparency.

10. Capping the conditions for the imposition of fines on material and significant entities to reach an adequate balance between a penalty and the damage an entity is experiencing due to a cyber incident.

These points and aspects are being elaborated further in the following position paper.

Preamble

The European Union (EU) and its Digital Single Market (DSM) have undergone a digital transformation that has been accelerated by the COVID-19 pandemic. Accordingly, the cybersecurity threat landscape has rapidly evolved and has become increasingly malicious. With the review process of the NIS Directive (NIS 2.0), the EU’s institutions and the Member States are addressing the task of designing and agreeing on legislation that ensures a common level of harmonized security standards and regulations across the Single Market. At the same time, the “NIS 2.0” needs to be flexible enough to cope with the ever-changing threat scenarios.

For the industry, and for German companies in particular, the challenges which lie ahead in the NIS 2.0 implementation process are numerous. The training and qualification of IT experts in the field of cyber security have not kept pace with the rapid evolution of the digital economy and its potential threats. To meet the demands of regulators, the implementation of new regulations, standards, and certification processes needs sufficient expertise and resources, which are currently missing in both the public and private sectors.[1]

One of the obvious shortcomings of the current NIS Directive is the fragmented degree of implementation on the national level across the EU. Companies operating within the EU’s Digital Single Market are confronted with an imbroglio of European and national legislation. The parallel, sometimes overlapping coexistence of legislative acts like the NIS, the General Data Protection Regulation (GDPR), the Cybersecurity Act (CSA), the European Electronic Communications Code (EECC), and national laws like the IT-SiG 2.0 creates legal uncertainty and confusion for businesses of all sizes. Lawmakers urgently need to address this problem of regulatory inconsistency.

For instance, according to reports on cybercrime and cybersecurity by the Bundeskriminalamt (BKA) [Federal Criminal Police Office][2] and the Bundesamt für Sicherheit in der Informationstechnik (BSI) [Federal Cyber Security Authority][3], threats from cyberattacks such as ransomware and Denial-of-Service attacks (DDoS) as well as theft of digital identities have increased significantly.[4] In accordance with the European Commission’s priority to ensure that Europe remains fit for the digital age, and in order to catch up with the rest of the digitized world, the revised Directive on Security of Network and Information Systems (or NIS 2.0 Directive) seeks to address the highlighted deficiencies of the current NIS Directive and of the EU’s cybersecurity landscape. The NIS 2.0 aims to strengthen the cyber-resilience of the EU and to create a level playing field for essential and important entities across the European market.

1. Defining a clear scope of the NIS Directive 2.0

The definition of essential entities as mentioned in Annex I of the NIS Directive 2.0[5] encompasses a wider range of companies and exempts most micro and small entities (MSEs).[6] In comparison to the first NIS Directive (Directive (EU) 2016/1148), this is a clear improvement, as it establishes a foundation for defining critical infrastructures within the EU and strengthens the definition of cybersecurity in Europe. Nevertheless, a broad definition translates into ambiguity. Many companies, especially those that offer intersectoral products and services, cannot be specifically allocated to one sector. Thus, the Economic Council demands a clear definition of each sector and clear guidelines on how companies are divided and defined, to ensure transparency and fairness.


Small and medium-sized enterprises (SMEs) often do not have the necessary financial resources to meet all the directive’s obligations. Therefore, the Economic Council supports an approach which generally exempts companies operating in sectors classified as “non-critical” and only includes suppliers of critical hardware and software to essential entities, and companies which are a critical part of the digital supply chain.[7] An example of how this could be put into action is the “Indispensable baseline security requirements for the procurement of secure ICT products and services” provided by the European Union Agency for Cybersecurity (ENISA).

Additionally, the COVID-19 pandemic has shown that there is a reliance on infrastructures that are not yet defined as “critical”. While some associations argue that the definition of critical infrastructures should not be expanded in order to avoid an inflation of the definition, the Economic Council believes that the term critical infrastructure should be re-evaluated, taking into consideration the lessons learned from the pandemic. Lately, the policy focus has been on “systemically important critical infrastructure”. The idea here is to understand which specific elements of critical infrastructure would create cascading effects or other systemic disruptions in the event of their attack or failure, and to regulate and/or resource them more aggressively. For instance, due to the Corona pandemic, ventilators and protective equipment have become essential, also in terms of their supply chains. The question of how much equipment reaches where it is needed shows that the definition of critical infrastructures needs to be rethought. Furthermore, due to increased automation and digitalization, electricity, the internet, and mobile communications are closely interlinked and mutually dependent. All kinds of infrastructures have become vulnerable to cyberattacks as they have been increasingly connected to the internet. Thus, a clear definition that is guided by scientific reasoning and that focuses on new threats such as cyberthreats is necessary. If this is done, the Economic Council believes that a fragmentation of the definition can be avoided.

2. Harmonizing the IT- and cybersecurity landscape within the EU by publishing a follow-up regulation

As mentioned before, cybercrime such as cyberattacks is immensely complex, dynamic, and transnational, causing enormous social and economic harm. Thus, combating cybercrime or defending against cyberattacks depends highly on creating coordinated and harmonized approaches to cybersecurity strategies and cyber criminality policies across the EU. It is therefore questionable why the Commission only published a directive instead of a regulation that holds all EU Member States accountable.

While the directive is a useful and appropriate step towards a harmonized EU, the Economic Council calls on the EU to issue a regulation as a next step after the NIS 2.0. We also call upon the EU to closely monitor the European Member States to ensure that the directive is implemented at least in its most basic form through national legislation. To avoid inconsistent legislation across the EU, the Economic Council welcomes Article 5 of the directive, which calls on each Member State to adopt a national cybersecurity strategy, as it potentially increases cybersecurity and cyber-resilience in each Member State and in the EU as a whole. However, the Economic Council also sees the potential that countries will implement cybersecurity strategies just to tick a box or, as has been the case with the original NIS Directive, may adopt interpretations that fragment the common market and the ability of covered entities to implement the best technologies.[8]


By giving Member States less room for interpretation on how to define such a strategy, the NIS 2.0 works against regulatory arbitrage across the EU. However, the Economic Council urges the EU to give more specifics on the policies that Member States are supposed to implement instead of solely saying that a policy is needed to “[…] address cybersecurity in the supply chain for ICT products and services […]”. Furthermore, we call upon the Commission to follow up the NIS 2.0 with an EU-wide cybersecurity regulation to anchor a homogeneous minimum standard of IT- and cybersecurity across the EU. EU regulations such as, but not limited to, the Cybersecurity Act must be aligned with the purpose and goals of the NIS 2.0 to reduce ambiguity within European legislation.

3. Encrypting to prevent unauthorized lawful access mechanisms including but not limited to back- and front doors for national authorities

The Economic Council endorses the idea of promoting the use of (end-to-end) encryption and of allowing encryption where feasible and reasonable. While the Council understands that authorities need to collect electronic evidence to carry out successful investigations, this needs to be done without mandating changes to the secure implementation of strong encryption in products and services. Law enforcement and intelligence agencies already have access to a vast amount of (digital) evidence. Any form of lawful access, e.g. through backdoors, needs to be avoided in general, as weakened security entails a weakened European digital sovereignty and a potential gateway for exploitation by third parties such as hackers or cyber-criminals.[9]

The implementation of lawful access measures carries the undeniable risk that the associated capabilities are not only open to authorized users or entities, but also to other attackers such as criminals and adversarial intelligence services who might actively exploit them. The EU needs a trustworthy and secure IT-security landscape to digitally transform administration, industry, and society.

Accordingly, the use of securely implemented strong encryption, especially end-to-end encryption in transit, should be promoted and become obligatory for providers in accordance with the principles of security and privacy by default and by design as addressed in Article 18. The respective authorities across the EU Member States ought to promote the use of cryptographic processes to safeguard Europe’s digital sovereignty and digital transformation.

4. Avoiding a one-way street when it comes to reporting security vulnerabilities

The Economic Council welcomes the European Commission’s goal to institutionalize the coordinated disclosure of vulnerabilities across the EU by utilizing national computer security incident response teams (CSIRTs) to act as intermediaries and points of contact between manufacturers, providers of ICT products or ICT services, and reporting entities. In order to avoid increased complexity, bureaucracy, and redundant CVE numbers, it should be taken into account whether discovered vulnerabilities were already reported directly by the discoverers to the affected organizations. Maintaining an additional database should not become a redundant effort.

However, the Economic Council recommends amending the directive accordingly:


● The sharing of information cannot be a one-way street: To address security vulnerabilities or gaps as promptly as possible, the sharing of information on any vulnerabilities and gaps needs to be allowed in both directions. This means that ENISA needs to be obligated to report back to the companies and to give feedback on what ENISA has accomplished with the information. Accordingly, when disclosing vulnerabilities, ENISA must work with the relevant manufacturer of a product or provider of a service and inform them in a timely manner prior to any disclosure;

● To promote the coordinated disclosure of security vulnerabilities (coordinated vulnerability disclosure, CVD), the Economic Council believes that the EU should base its considerations on broadly adopted international standards, best practices, and industry standards. An alignment with international ISO standards such as ISO/IEC 29147 (2018) and ISO/IEC 30111 seems to be a reasonable choice given the international nature of technology and vulnerability management processes. When establishing the vulnerability registry, it should specify the degree of severity of the security vulnerability, including precise time intervals for the provision of patches or updates;

● The Economic Council proposes a differentiated approach in regard to the obligation for manufacturers disclosing security vulnerabilities:

- For the customers: Manufacturers must provide their customers with the ability to update or patch their devices (including end-of-support products, excluding end-of-life products) to mitigate the risks of the vulnerability before a vulnerability is disclosed by a third party.

- For the public: Manufacturers should not be obligated to disclose security vulnerabilities until a patch or any other adequate countermeasure (e.g. a Microsoft registry-key workaround) has been issued or taken, unless the company cannot issue a patch within 90 days of becoming aware of the vulnerability, if found by a third party. As it is essential to avoid the exploitation of disclosed vulnerabilities to the detriment of cybersecurity in Europe, a reasonable timeframe should be established within which ENISA has to notify the manufacturer, and for how long the manufacturer must review, respond to, and, if necessary, remediate the requirements.

● In addition to the previous point, and as soon as these products/services exist, the Economic Council recommends obliging companies to create bills of materials (BOM) or cybersecurity BOMs (also called CBOM/SBOM)[10] that are incorporated into the build of a software product, in order to continuously monitor their devices for new security vulnerabilities; this will help make sure that devices are not under threat of cybersecurity incidents. SBOM disclosure can disrupt security by obscurity and raise trade-secret implications.

For the time being, it would be premature to mandate SBOMs now, because the result would be a compliance-only exercise that likely would not drive meaningful cybersecurity improvements. They should therefore not be mandatory, although SBOMs are an important internal tool for companies.


● Authorities should encourage and facilitate networking within the groups of essential and important entities that fall under the jurisdiction of the NIS 2.0 to foster information sharing and to learn from best practices. Such collaboration could be extended cross-border and facilitated by multiple authorities in numerous jurisdictions.

● The responsible authorities must be obliged to share knowledge about publicly known vulnerabilities and to enter it into the registry. Information sharing about vulnerabilities should be standardized and automated as far as possible to prepare for the processing of a constantly growing number of vulnerabilities. For that purpose, the Economic Council proposes the use of the Common Security Advisory Framework (CSAF).[11] Furthermore, if the applicable agencies have not yet incorporated ENISA-recommended best practices such as Extended Detection and Response (XDR), threat hunting, Zero Trust, etc., then it may be a security risk for them to hold blueprints of all vendors’ software components.

● ENISA should develop and maintain a confidentiality-assuring European vulnerability registry for publicly known security vulnerabilities, leveraging the existing global Common Vulnerabilities and Exposures (CVE) of the National Institute of Standards and Technology, and ensuring that a high level of automation is possible (see also the above comments on SBOM and CSAF). In case it is planned that the vulnerability registry will be used to store information about not publicly known vulnerabilities or those where no patches are available (“Zero-Days”), it is of utmost importance to assure confidentiality. In this case, it can be expected that adversaries, hackers, or nation-states will show a high interest in the stored vulnerability information, and hackers could exploit the disclosed information, which would have serious repercussions for Europe’s cyber-resilience. Therefore, the Economic Council advises against using the central database for not yet publicly available security vulnerability information or for vulnerabilities where no patches are available yet (“Zero-Days”).
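The SBOM and CSAF points above describe one concrete workflow: a company keeps a bill of materials for each software build and matches it, automatically, against machine-readable advisories to learn which components need a patch or a workaround. The following is an added example of that matching step; it is not code from the position paper or from any of the organizations it cites. Both documents in it are constructed for the example and use a simplified subset of the CycloneDX SBOM layout and of the CSAF 2.0 layout (product_tree with product identification helpers, vulnerabilities with product_status, scores and remediations); the component names and the CVE identifiers are placeholders, not real entries.

```python
"""Added example: match an SBOM against a CSAF advisory to find affected components.

Both documents below are constructed for this example and follow a simplified
subset of the CycloneDX (SBOM) and CSAF 2.0 (advisory) layouts.
"""
import json

# Constructed CycloneDX-style SBOM for a hypothetical device firmware build.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "components": [
        {"name": "libexample-tls", "version": "1.4.2", "purl": "pkg:generic/libexample-tls@1.4.2"},
        {"name": "example-httpd", "version": "2.0.9", "purl": "pkg:generic/example-httpd@2.0.9"},
        {"name": "example-logger", "version": "0.8.0", "purl": "pkg:generic/example-logger@0.8.0"},
    ],
})

# Constructed CSAF-style advisory. The CVE ids are placeholders, not real entries.
SAMPLE_CSAF = json.dumps({
    "document": {"title": "Constructed advisory", "tracking": {"id": "EXAMPLE-ADV-0001"}},
    "product_tree": {"full_product_names": [
        {"product_id": "P1", "name": "libexample-tls 1.4.2",
         "product_identification_helper": {"purl": "pkg:generic/libexample-tls@1.4.2"}},
        {"product_id": "P2", "name": "libexample-tls 1.4.3",
         "product_identification_helper": {"purl": "pkg:generic/libexample-tls@1.4.3"}},
        {"product_id": "P3", "name": "example-httpd 2.0.9",
         "product_identification_helper": {"purl": "pkg:generic/example-httpd@2.0.9"}},
    ]},
    "vulnerabilities": [
        {"cve": "CVE-0000-0001",  # placeholder id
         "product_status": {"known_affected": ["P1"], "fixed": ["P2"]},
         "scores": [{"products": ["P1"], "cvss_v3": {"baseScore": 8.1, "baseSeverity": "HIGH"}}],
         "remediations": [{"category": "vendor_fix", "product_ids": ["P1"],
                           "details": "Update to libexample-tls 1.4.3"}]},
        {"cve": "CVE-0000-0002",  # placeholder id; only a workaround exists so far
         "product_status": {"known_affected": ["P3"]},
         "scores": [{"products": ["P3"], "cvss_v3": {"baseScore": 5.3, "baseSeverity": "MEDIUM"}}],
         "remediations": [{"category": "workaround", "product_ids": ["P3"],
                           "details": "Disable the example-httpd status endpoint"}]},
    ],
})


def sbom_by_purl(sbom_json):
    """Index the SBOM's components by package URL (purl)."""
    return {c["purl"]: c for c in json.loads(sbom_json)["components"] if "purl" in c}


def product_purls(csaf):
    """Map CSAF product_id -> purl via the product identification helper."""
    index = {}
    for product in csaf.get("product_tree", {}).get("full_product_names", []):
        purl = product.get("product_identification_helper", {}).get("purl")
        if purl:
            index[product["product_id"]] = purl
    return index


def pick_remediation(vuln, product_id):
    """Prefer a vendor fix; otherwise report the first applicable workaround or mitigation."""
    applicable = [r for r in vuln.get("remediations", []) if product_id in r.get("product_ids", [])]
    for r in applicable:
        if r.get("category") == "vendor_fix":
            return ("vendor_fix", r.get("details"))
    if applicable:
        return (applicable[0].get("category"), applicable[0].get("details"))
    return ("none_available", None)


def severity_for(vuln, product_id):
    """Return the CVSS v3 base severity the advisory assigns to this product."""
    for score in vuln.get("scores", []):
        if product_id in score.get("products", []):
            return score.get("cvss_v3", {}).get("baseSeverity", "UNKNOWN")
    return "UNKNOWN"


def match_advisory(sbom_json, csaf_json):
    """One finding per (component, CVE) where the advisory lists the exact
    SBOM component version as known_affected; fixed/not-affected products are skipped."""
    components = sbom_by_purl(sbom_json)
    csaf = json.loads(csaf_json)
    id_to_purl = product_purls(csaf)
    findings = []
    for vuln in csaf.get("vulnerabilities", []):
        for pid in vuln.get("product_status", {}).get("known_affected", []):
            comp = components.get(id_to_purl.get(pid))
            if comp is None:
                continue  # affected product is not part of this build
            findings.append({
                "component": comp["name"], "version": comp["version"],
                "cve": vuln.get("cve"), "severity": severity_for(vuln, pid),
                "remediation": pick_remediation(vuln, pid),
            })
    return findings


if __name__ == "__main__":
    for f in match_advisory(SAMPLE_SBOM, SAMPLE_CSAF):
        print(f"{f['component']} {f['version']}: {f['cve']} [{f['severity']}] -> {f['remediation']}")
```

Matching is done on exact purls, which is why the fixed version P2 produces no finding even though it shares a name with the affected component; a production tool would add version-range handling and would ingest advisories from a registry feed rather than an inline string. The remediation category distinguishes a vendor fix from a workaround, which is exactly the information the paper asks the registry to carry alongside severity and patch timelines.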

5. Strengthening cyber-resilience across Europe through cooperation among national Computer Security Incident Response Teams (CSIRTs)

The Economic Council sees the cooperation between the national CSIRTs as a necessity and as vital for strengthening cyber-resilience across Europe. However, there is no need to broaden the field of operation of CSIRTs. Instead, their responsibility should entail improving the quality of already assigned tasks in the first place. As mentioned above, to avoid a one-way street while building trust when it comes to sharing security vulnerabilities, companies and manufacturers need to be kept in the loop and receive all information prior to any disclosure. Otherwise, the objective of the NIS 2.0, to enhance the security of information systems as well as to broaden trust and cooperation among the EU Member States and companies when it comes to IT- and cybersecurity, will not be met. Moreover, it is essential that CSIRTs do not interfere extensively in the sovereign realm of companies.

6. Clarifying the roles of executives in regard to cyber security risk management and reporting

While the Economic Council welcomes the fact that the European Commission wants to increase cybersecurity awareness on the executive level and emphasizes that it is also vital for management bodies of an essential or important entity to care about their cybersecurity strategy, the Economic Council believes that the Commission confuses responsibility with accountability. We believe that management bodies should be held accountable, but not responsible, for cyber security risk management and reporting. To do so, we believe that it should be specified to what extent the management board would need to undergo strategic and awareness exercises on cyber threats and on the importance of IT security and response planning. The EC needs to clarify what it considers as mandatory training on IT security and should publish information on what constitutes “sufficient knowledge and skills”.

While cybersecurity awareness and general computer training are necessary and surely beneficial, executives do not always need to learn technical IT- or cybersecurity skills. For that, there are experts such as, but not limited to, Chief Information Security Officers (CISOs) or Chiefs of Defence Staff (CDSs) who have the technical knowledge and know-how, and who can brief them on essential issues. The European Commission needs to recognize that members of governing bodies of essential institutions and key institutions have IT security personnel who have the necessary qualifications to continuously develop and implement a company’s cyber security strategy.

7. Implementing organizational cybersecurity for key employees

Technical cybersecurity alone will not lead to the desired goal. Everybody in the field of IT- and cybersecurity is aware of the fact that employees are one of the biggest cybersecurity threat gateways. It would thus be advisable for the EU to ask Member States to give companies the option of implementing “organizational cybersecurity” by having employees in key positions, such as key administrators, security-checked. This can be done by clarifying certain processes of how information is shared within the company and among employees, or by the four-eyes principle of having employees check upon each other’s behavior. This could be achieved by:

1. Clarifying rules/permissions/obligations for insider threat detection programs.

2. Strengthening security practices by emphasizing the principle of least privilege, role-based access controls, and identity-centric zero trust architectures.

8. Granting extended reporting deadlines

To facilitate an active cyber defense posture anticipating upcoming risks, subject to clear reporting requirements and convenient and easy-to-use reporting tools (e.g. an online portal), the Economic Council supports obliging businesses and organizations providing essential services to report cyber-incidents to the competent authority and CSIRT immediately, but no later than 72 hours from becoming aware of them. This is driven by the Economic Council’s view that a 365/24/7 cyber defense is a must-have for any businesses and organizations providing essential services.

Any shorter reporting period would not be reasonable, because the organizations concerned would only be able to provide very limited information at this time, such as information about affected parts of the compromised entity like office IT or Operational Technology (OT). Integrity and confidentiality assessments and reporting, including details on technical parameters such as Indicators of Compromise (IoCs), Tactics, Techniques, and Procedures (TTPs), and actor attribution, may take up to 72 hours. In addition, an extended reporting time enables the businesses and organizations concerned to focus on reacting to and solving the incident, assessing the risk of the attack to the organization, and providing intelligence for threat hunting.

If incident reporting involves personal data in terms of the GDPR, the Economic Council calls for the NIS 2.0 to require the EU Member States to enact national law providing a dedicated legal ground for the lawful processing of personal data, granting permission for managing cyber-incidents and reporting to the competent authority and CSIRT. Regardless of Recital 49 of the GDPR and the reference made there to the controller’s legitimate interest in data processing for network and information security protection purposes, the GDPR does not fully enable businesses and organizations providing essential services to apply state-of-the-art tools for cyber-incident detection, response, and reporting appropriately, a difficulty further increased by the Schrems II verdict (C-311/18) of the Court of Justice of the European Union (CJEU).

To protect the confidentiality and economic interests of businesses and organizations providing essential services, the Economic Council further calls for the option to share information, intermediated by trusted third parties acting on behalf of businesses and organizations, in an anonymized fashion under mutually agreed terms. We think this is appropriate and required in particular with respect to businesses and organizations providing essential services that are impacted by any news and might suffer significant harm from being obliged to make each and every cyber-incident public, regardless of its verification and relevance to the business.

As to the proposed central reporting repository for cyber-incidents, the Economic Council further encourages taking into account that state-of-the-art cybersecurity is based on Big Data (telemetry data) and file analysis, potentially involving personal data. Anonymization and pseudonymization of personal identifiers might not be technically feasible everywhere without rendering the data useless. Involvement of ENISA might help to resolve this trade-off and to identify the processing and data required for appropriate cyber-incident information management.

9. Implementing cybersecurity requirements contingent on the New Legislative Framework (NLF)

To ensure the cyber-resilience of essential and important entities, a holistic approach is vital. However, the Economic Council does not agree with the focus being solely on European cybersecurity certification schemes adopted pursuant to Article 49 of Regulation (EU) 2019/881. Instead, the Economic Council proposes to legislate horizontally on cybersecurity requirements contingent on the New Legislative Framework (NLF). Companies should be able to decide whether they certify their product, service, or process in accordance with the European cybersecurity certification schemes anchored in Article 49 of Regulation (EU) 2019/881.

To achieve horizontal cybersecurity requirements and cyber-resilience, protection targets should be defined by law and specified by harmonized European standards. As referring to the “state of the art” leaves much room for interpretation, we suggest referring to international standards such as ISO 27001 or IEC 62443. Additionally, protective measures and resilience against cyber-attacks must be based on the specific application and the associated threat situation. The NLF allows the coverage of different risk levels and follows the necessary risk-based approach. In this context, it is the responsibility of the manufacturer, as the economic actor placing the product on the market, to determine the intended area of use (and thus the threat level) of the product.

The Digital Single Market will only be successful if national isolated solutions are avoided and compatibility with international standards is ensured.

10. Capping the conditions for the imposition of fines on material and significant entities

To ensure that entities implement the cybersecurity risk mitigation measures as stated in Article 18 and fulfill their duty to mitigate cybersecurity risk as written in Article 20, we understand the intention of fines driving businesses and organizations providing essential services to apply state-of-the-art cybersecurity measures, flanked by regular, checklist-based, streamlined and easy-to-meet reporting obligations for any businesses and organizations providing essential services. This shall make potential gaps transparent and help the competent supervisory authorities compile statistics for taking preventive action.

In any case, when implementing a sanction regime, it must not happen that the EU Member States create different levels of monitoring and enforcement through different staffing of supervisory authority bodies, driving unfair competition within the European Single Market.

In addition, the Economic Council is in favor of capping the fines at 2% of the annual worldwide turnover, with a maximum fine of 2 million EUR. This is especially justified as, unlike in data protection, no fundamental right, such as the right to informational self-determination, is violated. Such a fine would strike an adequate balance between the intention to penalize companies that violate the requirements of Articles 18 and 20 and our requirement that administrative penalties not be excessive.

[1] In the meantime, a new compromise text from the EU Member States for the trilogue negotiations on the NIS 2.0 Directive has been published. In the task force’s estimation, some of the changes come closer to this position paper:

• The directive no longer affects institutions that are subject to the EU-Digital Operational Resilience Act Directive (DORA)

• The amount of the fines was reduced to 4 million or 2% of the worldwide annual turnover for essential entities and 2 million or 1% for important entities

[2] Bundeskriminalamt (2021): Bundeslagebild Cybercrime 2020, April 2021.

https://www.bka.de/SharedDocs/Downloads/DE/Publikationen/JahresberichteUndLagebilder/Cybercrime/cybercrimeBundeslagebild2020.pdf [2021-12-02]

[3] Bundesamt für Sicherheit in der Informationstechnik (BSI) (2021): Die Lage der IT-Sicherheit in Deutschland 2021, October 2021.

https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/Lageberichte/Lagebericht2021.pdf [2021-12-02]

[4] See for example reports of members of the Task Force NIS 2.0:

CrowdStrike Global Threat Report 2021

https://www.crowdstrike.de/ressourcen/reports/global-threat-report/ [2021-12-02]

Deloitte Cyber Security Report 2021

https://www2.deloitte.com/de/de/pages/risk/articles/cyber-security-report.html [2021-12-02]


G DATA threat report (2021)

https://www.gdatasoftware.com/news/2021/09/36993-g-data-threat-report-attacks-without-malware-on-the-increase [2021-12-02]

Hiscox Cyber Readiness Report 2021

https://www.hiscoxgroup.com/sites/group/files/documents/202104/Hiscox%20Cyber%20Readiness%20Report%202021.pdf [2021-12-02]

SoSafe Human Risk Review 2021

https://sosafe.de/human-risk-review-2021/ [2021-12-02]

[5] Proposed EU NIS2 directive, 2020/0359 (COD), 16.12.2020

https://ec.europa.eu/newsroom/dae/document.cfm?doc_id=72166 [2021-12-02]

Annex to NIS2 directive, COM(2020) 823 final, 16.12.2020

https://ec.europa.eu/newsroom/dae/document.cfm?doc_id=72172 [2021-12-02]

[6] See scope of the Directive in Article 2 in accordance with Commission Recommendation 2003/361/EC

[7] Compare the standpoint in a position paper of the Federation of German Industries (BDI): Towards an NIS 2 Directive that is implementable for Europe’s industry, January 14, 2022, p. 2.

https://english.bdi.eu/publication/news/nis-2-co-legislators-proposals-for-trilogue-cybersecurity-it-data/ [2022-02-04]

[8] Allusion to the recently issued Italian presidential decree on the compulsory hosting of data in Italy for certain organizations, of questionable compatibility with European law.

[9] In some cases lawful intercept may be appropriate, which is why in certain areas, particularly chat apps, the ability to use for instance E2EE can be sought. Also many categories of networking infrastructure/equipment are CALEA compliant, so this has potential supply chain and/or trade implications.

[10] National Telecommunications and Information Administration (United States Department of Commerce): SOFTWARE BILL OF MATERIALS (SBOM)

https://www.ntia.gov/SBOM [2021-12-02]

[11] OASIS Common Security Advisory Framework (CSAF)

https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=csaf [2021-12-02]
