The Cybersecurity Coalition (“Coalition”) submits this paper in response to the European Commission’s release of the Revised Directive on Security of Network and Information Systems (“NIS2”).
The Coalition is composed of leading companies with a specialty in cybersecurity products and services, who are dedicated to finding and advancing consensus policy solutions that promote the development and adoption of cybersecurity technologies.[1] We seek to ensure a robust marketplace and effective policy environment that will encourage companies of all sizes to take steps to improve their cybersecurity risk management.
As leaders in the cybersecurity industry, we recognise the complexity and importance of securing critical infrastructure. We applaud the Commission’s efforts to modernise the EU’s approach to cybersecurity and are pleased to see that many of the recommendations we made as part of the NIS2 public consultation have been incorporated into the draft Directive. We also share the Commission's desire to promote the protection of essential services and hope that the following feedback helps you to strike the right balance between promoting security activities and avoiding the creation of non-security-enhancing ‘noise’, which inhibits security teams’ ability to prioritise critical activities.
The Coalition was reassured to see many important issues are included in the NIS2 proposal, such as voluntary cyber threat sharing between both governments and companies, the adoption of coordinated vulnerability disclosure (CVD) policies, and restoring access to WHOIS data for security purposes. We also welcome the comprehensive risk management thrust of the revised Directive, reflecting international standards. Additionally, the Coalition welcomes efforts to increase cyber resilience across member states, and we strongly support the clarification that activities undertaken to enhance the security of cyberspace are permitted in accordance with GDPR. We believe these concepts will contribute to increased levels of cybersecurity in the EU.
As Members of the EU Council and Parliament consider the NIS2 proposal, the Coalition would like to offer some suggestions on how to make NIS2 most effective. As such, we provide comments on some of the items above and also stress the importance of including the recommendations outlined below in any continued policy development:
The Coalition thanks the European Commission and Members of the European Council and Parliament for their continued open and participative process as it works with the Commission to shape the final version of NIS2. As the conversation around this topic continues to evolve, we would welcome the opportunity to further serve as a resource on both technical and policy questions to ensure that NIS2 is successful in driving consistent, effective cyber risk management across the European Union.
[1] The views expressed in this comment reflect the consensus views of the Coalition and do not necessarily reflect the views of any individual Coalition member. For more information on the Coalition, see www.cybersecuritycoalition.org.