NIS 2 rapporteur calls for purely voluntary cybersecurity certification
Last December, the European Commission proposed a revised version of the NIS directive (NIS 2). The NIS directive aims at ensuring that essential entities (energy companies, transport, cloud providers etc.) take adequate measures against cyber-threats. The NIS 2 proposal is now following the usual legislative procedure within the European Parliament and the Council.
MEP Bart Groothuis (the Netherlands, Renew) is in charge of the file in the European Parliament. He recently published his amended version of NIS 2.
Bart Groothuis toned down the initial proposal on a number of points:
1) He went back to purely voluntary cybersecurity certification. The proposal drafted by the European Commission created an article (Article 21) on cybersecurity certification. This initial proposal stated that:
“Member States may require essential and important entities to certify certain ICT products, ICT services and ICT processes under specific European cybersecurity schemes […]”.
Bart Groothuis modified this paragraph to:
“Member States shall encourage essential and important entities to certify certain ICT products, ICT services and ICT processes […] under European cybersecurity schemes […] or under similar internationally recognised certification schemes.”
Bart Groothuis justified his choice by saying that the EU cybersecurity certification framework is a voluntary mechanism and is yet to deliver its first scheme.
2) When it comes to information sharing (Article 26), Bart Groothuis amended the text so that Member States “shall support” the exchange of information by encouraging and promoting the creation of trusted communities of essential and important entities.
In the initial draft: Member States “shall ensure” that the exchange of information takes place within trusted communities of essential and important entities.
Bart Groothuis justified this amendment by stating that information sharing is voluntary and based on trust. It should therefore be facilitated but not regulated by the Member States.
3) Bart Groothuis extended the deadline to report cybersecurity incidents to 72 hours, instead of the 24-hour deadline proposed by the Commission.
4) Companies would not have to report “potential incidents”, or would report them only on a voluntary basis.
5) CEOs could not be sidelined in case of major data breaches and incidents.
6) Regular audits on essential entities would take place no more frequently than once a year, unless justified on the ground of a significant incident or non-compliance by the essential entity.
Bart Groothuis also added some new elements:
1) Submarine internet cable networks would fall under the scope of NIS 2.
2) The EU could launch a risk assessment of the security of cargo-scanners at airports and ports.
3) Bart Groothuis added that services selling web domains (TLDs and other registries) should collect sufficient personal data on who owns which websites and should provide the information to authorities for law enforcement purposes.
4) Bart Groothuis added that CSIRTs shall enforce authentication and strong access controls.