Background
The NIS Directive is cornerstone legislation for cybersecurity in Europe. In this framework, Member States need to ensure that Operators of Essential Services (OES), such as banks and health services, put in place appropriate security measures. In addition, OES must notify national authorities of any serious cybersecurity incident.
Digital Service Providers (DSPs) are also covered by the NIS Directive but in a light-touch approach, meaning that requirements are lighter than those applied to OES and supervisory activities are ex-post, e.g. following an incident. This also means that DSPs are not identified as such by national authorities, unlike OES.
The NIS Directive has fostered a culture of cybersecurity among OES and DSPs. It has also considerably improved cooperation between national authorities by setting up the NIS Cooperation Group and the CSIRTs network.
Main points of Eurosmart’s answer
- The NIS Directive should become a Regulation to deepen harmonisation, including harmonisation of identification processes and harmonisation of security requirements. This would resolve the current distortion of competition, where companies of the same nature are identified as OES in one Member State but not in another one. This would also facilitate the application of security requirements for companies operating cross-border.
- OES and DSPs should be put on an equal footing. Given the increasing importance of DSPs in our society, they should be subject to clear and harmonised security requirements, e.g. a requirement on strong authentication (level “substantial” or “high” pursuant to eIDAS).
- The list of OES and DSPs should be enlarged to include other critical sectors: telecommunication operators, Over-the-top (OTT) services, eGovernment, food supply, manufacturing, chemicals, wastewater and data centres.
- An attack on a supplier can adversely impact the functioning of OES. Therefore, suppliers of OES should comply with the same security requirements.
- DSPs rely on physical infrastructures (servers, datacentres, etc.). The security of these physical anchors depends on external factors such as their location, their security and the law governing them. To ensure the security of their network and information, all physical anchors of DSPs should be protected against any external actions that cannot be assessed, controlled, mitigated or countered by the Member States. Therefore, DSPs should use physical infrastructure exclusively located in Europe.
- The NIS Directive should leverage the European certification schemes created in the framework of the Cybersecurity Act (CSA) to demonstrate the ability of OES and DSPs to meet a high level of protection. Following a risk-based approach, certification of highly critical products must be done at level “High” pursuant to the CSA. A security certificate at level “High” ensures continuous monitoring and maintenance of the certification scheme by a community of recognised experts from the industry. It is the only way to ensure “state of the art” security for critical infrastructures.
You can find here Eurosmart’s position on the revision of the NIS Directive.
If you have any questions on these issues, do not hesitate to contact Camille Dornier, Policy Manager: camille.dornier@eurosmart.com