Revision of the NIS Directive: answer to the public consultation

Revision of the NIS Directive: answer to the public consultation

The NIS Directive is cornerstone legislation for cybersecurity in Europe. In this framework, Member States need to ensure that Operators of Essential Services (OES), such as banks and health services, put in place appropriate security measures. In addition, OES must notify national authorities of any serious cybersecurity incident.  

Digital Service Providers (DSPs) are also covered by the NIS Directive but in a light-touch approach, meaning that requirements are lighter than those applied to OES and supervisory activities are ex-post, e.g. following an incident. This also means that DSPs are not identified as such by national authorities, unlike OES.

The NIS Directive has fostered a culture of cybersecurity among OES and DSPs. It has also considerably improved cooperation between national authorities by setting up the NIS Cooperation Group and the CSIRTs network.

The European Commission will review the NIS Directive by the end of this year. Last July, it launched a public consultation to gather stakeholders’ views on the revision of the text.

Eurosmart answered the consultation to point out the following areas of improvement:

  • The NIS Directive should become a Regulation to deepen harmonisation, including harmonisation of identification processes and harmonisation of security requirements. This would resolve the current distortion of competition, where companies of the same nature are identified as OES in one Member State but not in another one. This would also facilitate the application of security requirements for companies operating cross-border.

  • OES and DSPs should be put on an equal footing. Given the increasing importance of DSPs in our society, they should be subject to clear and harmonised security requirements, e.g. requirement on strong authentication (level “substantial” or “high” pursuant to eIDAS).

  • The list of OES and DSPs should be enlarged to include other critical sectors, including telecommunication operators, Over-the-top (OTT) services, eGovernment, food supply, manufacturing, chemicals, wastewater, and data centres.

  • An attack on a supplier can adversely impact the functioning of OES. Therefore, suppliers of OES should comply with the same security requirements.

  • DSPs rely on physical infrastructures (server, datacentre, etc.). The security of these physical anchors depends on external factors such as their location, their security, and the law ruling them. To ensure the security of their network and information, all physical anchors of DSPs should be protected against any external actions that cannot be assessed, controlled mitigated, nor countered by the Member States. Therefore, DSPs should use physical infrastructure exclusively located in Europe.

  • The NIS Directive should leverage on the European certification schemes created in the framework of the Cybersecurity Act (CSA) to demonstrate the ability of OES and DSP to meet a high level of protection. Following a risk-based approach, certification of highly critical products must be done at a level “High” pursuant to the CSA. Security certificate at level “High” ensures continuous monitoring and maintenance of the certification scheme by a community of recognised experts from the industry. It is the only way to ensure “the state of the art” of security for critical infrastructures.

Please find below Eurosmart’s full answer to the public consultation on the revision of the NIS Directive.

You can find here Eurosmart’s position on the revision of the NIS Directive.