Demands And Criticism of The NIS-2 Directive

From the EU Commission’s point of view, NIS 2 (Network and Information Security Directive 2) will lead to a strengthening of EU-wide cyber security and resilience. However, business associations are critical of the planned directive and are calling for adjustments to the reporting requirements. What is needed, they say, is an unbureaucratic reporting system for IT security incidents. But is the criticism justified?

The EU Commission has welcomed the political agreement reached between the European Parliament and EU member states on the directive on measures for a high common level of cybersecurity in the Union (NIS-2 Directive).

Margrethe Vestager, Executive Vice-President in charge of “A Europe for the Digital Age,” said, “This is another major breakthrough in delivering our European digital strategy, this time to ensure that citizens and businesses are protected and can trust essential services.”

Internal Market Commissioner Thierry Breton added: “Cyber threats have become bigger and more complex. To keep our citizens and our infrastructures protected, we need to stay a few steps ahead. In today’s cybersecurity environment, collaboration and rapid information sharing is absolutely critical. The modernized regulations to secure services critical to our society and economy are another step in that direction.”

From NIS to NIS 2

The existing rules on the security of network and information systems (NIS) were the first EU-wide piece of legislation in the field of cybersecurity. Due to the increasing digitalization and interconnectedness of society and the rising number of malicious cyber activities worldwide, a revision has become necessary.

The NIS-2 directive is also intended to cover medium and large entities from a wider range of sectors that are critical to the economy and society, including providers of public electronic communications and digital services, wastewater and waste management, critical product manufacturing, postal and courier services, and public administration.

Expanding the scope of the new rules, and requiring more entities and sectors to take action, should help raise the level of cybersecurity in Europe in the medium and long term.

The NIS-2 directive tightens security requirements for businesses and also addresses supply chain security and vendor relationships, according to the EU Commission. The proposal aims to streamline reporting requirements, establish stricter oversight measures for national authorities, and introduce stricter enforcement rules and harmonization of sanctions regimes across member states. The directive is intended to contribute to greater information sharing and better cooperation in dealing with cyber crises at the national and EU levels.

What NIS 2 aims to improve in concrete terms

With NIS 2, the EU Commission aims to address the following main problems in cybersecurity: the insufficient cyber defense capability of companies operating in the EU, the inconsistent resilience across member states and sectors, an insufficient common understanding of the main threats and challenges among member states, and the lack of a common crisis response.

The reporting obligations for operators set out in Article 20 of NIS 2 can be described as follows (according to “Draft Directive on measures for a high common level of cybersecurity in the Union – Council General Approach”):

Essential and key entities shall immediately notify the competent authorities or the CSIRT of any security incident that has a significant impact on the provision of their services. Where applicable, such entities shall immediately inform the recipients of their services of such security incidents that could affect the provision of the respective service.

For the purposes of notification, the entities concerned shall transmit to the competent authorities or to the CSIRT:

(a) without undue delay, and in any event, within 24 hours of becoming aware of the security incident, an initial notification as an early warning, indicating, as appropriate, whether the security incident is believed to be the result of unlawful or malicious acts;
(b) upon request of a competent authority or CSIRT, an interim report of relevant status updates;
(c) no later than one month after submission of the initial notification […], a final report containing at least the following:
1. a detailed description of the security incident, its severity, and impact;
2. information on the nature of the threat or underlying cause that likely triggered the security incident;
3. details of remedial actions taken and in progress.

Industry criticizes planned reporting system

Associations such as the digital association Bitkom point to problems with the implementation of the reporting requirements, for example. “The bottleneck for cybersecurity remains the lack of skilled personnel,” explained Susanne Dehmel, a member of Bitkom’s management board. “There is a need for expert personnel in companies and public authorities who have the time and knowledge to implement security-enhancing measures on-site. An additional bureaucratic superstructure with reporting requirements of just 24 hours is hardly conducive to this.” The DIGITALEUROPE association also sees a need for change, for example in the reporting requirements.

“Due to the significant increase in serious cyberattacks, it makes absolute sense to strengthen the cyber resilience of European companies and institutions. The planned reporting and notification requirements impose an immense bureaucratic burden on German business. They need to be designed in a more practical way. The massive shortage of IT specialists in Germany and Europe makes implementation even more difficult,” said Iris Plöger, a member of the BDI’s Executive Board. “A non-bureaucratic reporting system is needed. If a cyber attack occurs, companies must be able to focus on remediation and return to production as quickly as possible. The Federal Office for Information Security should process reports immediately and warn companies on a daily basis,” Iris Plöger continued.

The goal should be real-time information

There is no doubt that the increased requirements of NIS 2, including the reporting obligations, represent a major challenge. Given the prevailing shortage of specialists, the quality of incident reports could suffer on the one hand, while on the other hand, in an emergency, an organization would prefer to concentrate all of its resources on incident response, as the BDI also points out.

However, reporting is always part of security incident response, not just from a compliance perspective. The digital association Bitkom had rightly demanded elsewhere: “We need the possibility for every person and every company to be informed about the cyber threat situation in real-time. To this end, we need to use real-time information and collect it EU-wide in a central dashboard – similar to the Robert Koch Institute’s Corona dashboard. Only if indications of threats are collected down to the second can we also react to them immediately and better protect ourselves and our economy.”

However, real-time information on the threat situation is hardly conceivable without very fast notifications. The aim should therefore be not so much to make the reporting obligation less stringent, but rather to automate the reports as much as possible so that security experts would ideally only have to release the report prepared by an AI (artificial intelligence). Reporting requirements and short reporting deadlines are right and important, but the implementation must be simplified, not the content.