07 Feb 2022

Joint industry letter on the NIS2 trilogue negotiations

Our associations, representing sectors central to Europe’s digital transformation, welcome the recently launched institutional trilogue negotiations on a new Directive on measures for a high common level of cybersecurity across the Union (NIS2). To achieve the proposal’s aim of tackling the limitations of the current regime and achieving a more harmonised level of cybersecurity, the final text must be clear and reliable.

Our common priority through the NIS reform should be to remove inconsistencies in resilience across Europe and sectors by ensuring a high level of harmonisation. In doing so, we must also ensure that the reform does not unduly hamper the many entities that will be subject to the new framework.

To this end, we urge co-legislators to focus on the following:

  • Scope. Risk-based, objective criteria should guide Member States’ identification of essential and important entities. More reassurance should be provided in the final text that only truly critical entities will be included, and too much flexibility for Member States should be prevented. We invite co-legislators to consider an exclusion for SMEs – not only micro and small businesses – unless they meet relevant criteria for criticality. The final text should also make it clear that only activities within the EU are in scope, as stipulated in the Parliament position. This is particularly important for manufacturing.
  • Reporting obligations. We welcome both co-legislators’ efforts to ensure that efforts go towards reporting significant incidents, as opposed to potential threats that would merely overburden entities and authorities alike. The Parliament, in addition, has reintroduced and expanded on criteria to determine an incident’s significance. We urge the co-legislators to converge around a final 72-hour deadline for incident notification, which will help entities focus on mitigating incidents in the crucial phases of their emergence. We also support the Parliament’s position that the establishment of a single entry point for all notifications under NIS2 and other legislation should be mandatory for Member States.
  • Certification. There should be no fragmentation as to if and how cybersecurity certification schemes are mandated to demonstrate compliance with NIS2. Individual Member States should be encouraging the use of certification, not mandating it. Schemes should instead only be mandated by the European Commission through delegated acts, and subject to the rigorous assessment of existing schemes stipulated under Art. 56 of the Cybersecurity Act.
  • Link with sector-specific laws. Entities should have clarity as to the cybersecurity obligations they are subject to. We welcome the Council’s inclusion of a dedicated article setting out conditions for equivalence of risk management and incident notification measures under sectorial laws, tasking the Commission to conduct periodical reviews.

We look forward to engaging with the European Parliament and the Council to ensure these crucial aspects are soon reflected in the final agreement.


For more information, please contact:
Zoey Stambolliu
Manager for Infrastructure & Security Policy
Back to Cybersecurity
View the complete Policy Paper
PDF
Our resources on Cybersecurity
16 Jun 2022 Publication & Brochure
Data transfers in the data strategy: Understanding myth and reality
24 May 2022 Policy Paper
Building blocks for a scalable Cyber Resilience Act
09 May 2022 Policy Paper
Reporting, mandatory certification and main establishment in final NIS2 trilogues
Hit enter to search or ESC to close
This website uses cookies
We use cookies and similar techonologies to adjust your preferences, analyze traffic and measure the effectiveness of campaigns. You consent to the use of our cookies by continuing to browse this website.
Decline
Accept