[To Eurosmart members only]

 

NIS 2 Directive moves forward

Yesterday [28 October], MEPs from the Committee for Industry, Research and Energy (ITRE) adopted the report on the NIS 2 Directive. Member States are also progressing on the file, with a compromise text being circulated.

For now, the legislative process is going quite smoothly in the European Parliament. The ITRE Committee adopted the text with 70 votes in favour, 3 against and 1 abstention. MEPs also largely voted in favour of opening negotiations with the Council. On their side, Member States hope to agree on a text by the end of the year. This means that negotiations between the European Parliament and the Council could start during the first half of 2022.

However, negotiations between the European Parliament and the Council will likely be problematic. One central point of divergence is the scope of the text: Member States are unsure whether they want to include their central government IT networks. MEP Bart Groothuis (Renew, The Netherlands), rapporteur, firmly believes that government IT networks should be covered by NIS 2 because they are so frequently targeted. Regarding local governments, the position of the European Parliament is that only very large regions and cities are in the scope. These new cybersecurity requirements should not cover smaller communities.

Another divergence on the scope is the inclusion of root name servers. The European Parliament excluded them from the scope, while Member States kept them in.

Please find below a summary of the two approaches and the links to the relevant documents.

 

MEPs’ approach to NIS 2

MEP Bart Groothuis excluded root name servers from the scope of the Directive. His explanation is that regulating them is contrary to the EU’s vision of a single, open, neutral, free, secure and un-fragmented network, and that doing so could encourage states to advocate a top-down, state-controlled approach to Internet governance instead of the multi-stakeholder approach. However, Bart Groothuis extended the scope of the NIS 2 proposal to cover operators of smart charging services for electric vehicles, as well as higher education and research institutions. Legislators also added that Member States should notify the Commission of the names of the identified essential and important entities.

When it comes to cybersecurity measures applicable to essential and important entities, MEPs added a few elements: for instance, the use of multi-factor authentication or continuous authentication solutions, secured voice, video and text communications, and secured emergency communications systems. MEPs also changed the requirement on encryption, adding that cryptography should be used “where appropriate”, whereas the Commission’s proposal only stated that cryptography and encryption should be used. In the introduction, MEPs referenced ISO 31000 and ISO/IEC 27005.

In the introductory paragraph on encryption, MEPs referenced “other data-centric security technologies, such as tokenisation, segmentation, throttle access, marking, tagging, strong identity and access management, and automated access decisions”. Regarding the Council’s plans on lawful access to encrypted communications, MEPs added that “this should not lead to any efforts to weaken end-to-end encryption”.

MEPs withdrew the possibility for the European Commission to adopt implementing acts laying down technical and methodological specifications for the cybersecurity requirements. Only delegated acts would be possible, meaning that the European Parliament and the Council would retain oversight.

On cybersecurity certification, MEPs toned down the initial proposal from the Commission. The Commission’s text stated that Member States may require essential and important entities to certify certain ICT products, services and processes under a European cybersecurity certification scheme. MEPs modified this to state that Member States shall encourage essential and important entities to certify certain ICT products, ICT services and ICT processes under a European certification scheme or, if not yet available, an internationally recognised scheme. They also added that Member States shall encourage essential and important entities to use qualified trust services (eIDAS).

However, by contrast with the initial text proposed by Bart Groothuis, MEPs kept the possibility for the Commission to adopt delegated acts to specify which categories of essential and important entities are required to obtain a certificate under a European scheme. Such delegated acts shall be preceded by an impact assessment.

In addition, for the information-sharing communities, MEPs wrote that Member States “shall facilitate the exchange of information by enabling the establishment of trusted communities of essential and important entities and their service providers, or, where relevant, other suppliers.”

Regarding the guidelines and policies that Member States should adopt, MEPs added guidelines on encryption requirements and the use of open-source cybersecurity products. Member States should also develop a policy to promote and support the development and integration of emerging technologies, such as AI.

Finally, MEPs want ENISA’s budget to be increased because of its enhanced role.

 

Member States’ approach to NIS 2

Member States do not want to be tasked with identifying essential and important entities. They want to have the possibility (not the obligation) to establish national mechanisms for self-notification.

They also added that “public administration entities that carry out activities in the areas of public security, law enforcement, as well as the judiciary and parliaments, should be excluded from the scope of this Directive”. They chose not to exclude root name servers from the scope.

Member States specified in the text that NIS 2 also covers the physical and environmental security of network and information systems. Thus, essential and important entities should consider access control. They should also rely on European and internationally recognised standards, in particular the ISO 27000 series.

Among the cybersecurity measures applicable to essential and important entities, Member States added “human resources security, access control policies and asset management”.

Member States tried to achieve consistency with the eIDAS Regulation. NIS 2 covers trust service providers, but Member States clarified that the NIS 2 obligations complement the requirements stemming from eIDAS. Member States may assign the role of competent authorities for trust services to the eIDAS supervisory bodies in order to ensure the continuation of current practices.

On certification, Member States want to be able to require entities to use particular ICT products, services and processes certified under specific European cybersecurity certification schemes. This phrasing is close to the Commission’s proposal. They also want the Commission to be able to adopt implementing acts specifying which categories of essential or important entities may be required to use certain certified ICT products, services and processes. However, before adopting such an act, the Commission shall consider the impact on manufacturers, providers and users. It shall also consult Member States and relevant stakeholders.

Member States also added that they may require essential and important entities to use qualified trust services or notified eID schemes (eIDAS).

Interestingly, in the introduction, Member States mention managed security service providers (MSSPs), stating that they play an important role in assisting entities through penetration testing, security audits and similar services. However, MSSPs can themselves be the target of attacks. Therefore, the Commission should consider the possibility of establishing a European certification scheme for MSSPs.

 
European Parliament compromise amendments
European Parliament press release
Council compromise text

Next steps:

10 November: Mandate for negotiations with the Council to be announced during the plenary session of the European Parliament

3 December: Telecom Council

 

If you have any questions, please do not hesitate to contact Camille Dornier - Policy Manager: camille.dornier@eurosmart.com

 
Eurosmart
Square de Meeûs 35 - 1000 Brussels BELGIUM
Privacy Policy - EU transparency register #21856815315-64