First workshop: presentation of the methodology and main issues
Jakub Boratynski, Head of Unit and Acting Director for Digital Society, Trust and Cybersecurity (DG CNECT), referred to the report on assessing the consistency of the approaches in the identification of operators of essential services (OES). This report shows that there are diverging practices among Member States when it comes to identifying OES. As a result, there is no level playing field in the internal market, with some companies being identified as OES in one country but not in another. This also has a negative impact on the spread of cyber-threats.
Alessandro Zamboni, Wavestone, explained that the end of August is the deadline for the draft study and September for the finalised report. The study will explore ways to encourage compliance of Digital Service Providers (DSP) and OES with security requirements. Identification of OES and DSP is also an issue.
A public consultation will be published in the coming months, 15 interviews will be organised with stakeholders, and two other workshops will be held (July and October).
A representative from the European Banking Federation stressed the need for improvements in three domains:
- harmonisation between Member States and sector requirements. Cybersecurity requirements may duplicate or overlap (e.g. banking).
- cooperation in incident response deserves a streamlined design.
- third-party service providers should be covered.
Raluca Stefanuc, DG CNECT, answered that the European Commission is aware of the particular burden for some sectors. However, cross-sectoral harmonisation could be problematic.
Eurosmart asked if the Commission envisaged mandatory certification for OES to ensure compliance with security requirements. The Commission answered that it will investigate how to better comply with requirements.
Participants were asked to answer a survey before the second workshop.
Second workshop: results of the survey
Most of the participants in this call were national competent authorities and single points of contact.
A few questions were asked to the participants through live polls. Over 40% of the respondents thought there was an issue of clarity in the NIS Directive and 60% believed it had successfully increased the level of cybersecurity in the EU.
Lorenzo Pupillo, CEPS, commented on the results from the survey that was previously sent to the stakeholders. National competent authorities and OES made up most of the respondents.
It appears that most of the respondents agreed or strongly agreed that the scope of OES should be enlarged to include additional sectors. Lorenzo Pupillo wondered what sectors could be included: Food? Postal services? What about geolocation services? What about social media? An idea could be to identify a core subset of sectors such as energy, transport, finance and telecommunications to facilitate a minimum level of harmonisation.
Regarding DSP, Lorenzo Pupillo underlined that there is a problem with some definitions, such as DNS (not clearly defined). He also pointed out that the definition of marketplaces could be enlarged. 44% of the survey respondents agreed that the scope of the directive should be enlarged to include additional types of digital service providers.
Other takeaways from the survey:
· A strong majority of the respondents believed that OES and DSP should be put on equal footing;
· 30% of the respondents thought that primary legislation was needed to better align security requirements (over secondary legislation or non-binding acts);
· A great majority (80%) agreed that new reporting methods are needed;
· 78% of the respondents were in favour of private-public partnerships or information security platforms.
Next steps:
Q2-Q3 2020: public consultation
Q2-Q3 2020: interviews
13 July 2020: workshop