March 19, 2021

Comments on the Proposal for a Revised Directive on Security of Network and Information Systems (NIS 2 Directive)

The Cybersecurity Coalition (“Coalition”) submits this paper in response to the European Commission’s proposal for a revised Directive on Security of Network and Information Systems (“NIS2”).

The Coalition is composed of leading companies specialising in cybersecurity products and services that are dedicated to finding and advancing consensus policy solutions that promote the development and adoption of cybersecurity technologies.1 We seek to ensure a robust marketplace and an effective policy environment that will encourage companies of all sizes to take steps to improve their cybersecurity risk management.

As leaders in the cybersecurity industry, we recognise the complexity and importance of securing critical infrastructure. We applaud the Commission’s efforts to modernise the EU’s approach to cybersecurity and are pleased to see that many of the recommendations we made as part of the NIS2 public consultation have been incorporated into the draft Directive. We also share the Commission's desire to promote the protection of essential services and hope that the following feedback helps you to strike the right balance between promoting security activities and avoiding the creation of non-security-enhancing ‘noise’, which inhibits security teams’ ability to prioritise critical activities.

The Coalition was reassured to see that many important issues are addressed in the NIS2 proposal, such as voluntary cyber threat information sharing among governments and companies, the adoption of coordinated vulnerability disclosure (CVD) policies, and restoring access to WHOIS data for security purposes. We also welcome the comprehensive risk management thrust of the revised Directive, which reflects international standards. Additionally, the Coalition welcomes efforts to increase cyber resilience across Member States, and we strongly support the clarification that activities undertaken to enhance the security of cyberspace are permitted under the GDPR. We believe these concepts will contribute to increased levels of cybersecurity in the EU.

As the Council of the EU and the European Parliament consider the NIS2 proposal, the Coalition would like to offer some suggestions on how to make NIS2 most effective. We therefore provide comments on some of the items above and also stress the importance of including the following recommendations in any continued policy development:

  • Ensure that the language in the draft which affirms the legality of security activities and the maintenance of the WHOIS database under the GDPR remains in the final text;
    – Adapt Recital 69 to clarify that the list of personal data is non-exhaustive;
  • Clearly delineate the factors that Member States should use when determining whether small- or micro-entities are designated as ‘essential’ or ‘important’, making determinations based upon empirical data and engagement with the private sector, with a mechanism for the private sector to contest their designation;
  • Ensure proportionate and differentiated obligations between ‘essential’ and ‘important’ entities based upon their respective criticality;
  • Effectively implement the CVD proposals by ensuring:
    – that efforts are closely aligned with existing international standards;
    – that any new programmes are coordinated with, and not duplicative of, widely utilised mechanisms such as the Common Vulnerabilities and Exposures (CVE) programme;
    – that CSIRTs are used as an intermediary for CVD only, and that their use is voluntary;
  • Align incident notification requirements under the GDPR and NIS2 by extending the reporting timeline from 24 to 72 hours;
  • Ensure that effective incident response is prioritised over unnecessary and counterproductive incident reporting requirements, by ensuring that the threshold for reporting incidents is sufficiently high and that ‘near misses’ do not need to be notified;
  • Align certification requirements under NIS2 with provisions of the Cyber Security Act and clarify that they apply to ‘essential’ or ‘important’ entities and not individual products, while avoiding making certifications mandatory;
  • Enable essential and important entities to take a risk-based approach to the use of security capabilities such as encryption; and
  • Incorporate representatives of the cybersecurity industry into the work of the NIS Cooperation Group, as appropriate.

The Coalition thanks the European Commission and the Members of the Council of the EU and the European Parliament for their continued open and participative process as they work with the Commission to shape the final version of NIS2. As the conversation around this topic continues to evolve, we would welcome the opportunity to serve further as a resource on both technical and policy questions, to ensure that NIS2 succeeds in driving consistent, effective cyber risk management across the European Union.

See PDF document for additional details and tables.

1 The views expressed in this comment reflect the consensus views of the Coalition and do not necessarily reflect the views of any individual Coalition member. For more information on the Coalition, see www.cybersecuritycoalition.org.