ETNO position paper on the Revised Directive on Security of Network and Information Systems (NIS2)
Introduction
ETNO welcomes the Cybersecurity Package proposed by the European Commission on 16th December 2020, which is an important part of the EU's digital transformation and recovery efforts. The package consists of the EU Cybersecurity Strategy for the Digital Decade (Cybersecurity Strategy), a proposal for a Directive on the Resilience of Critical Entities, repealing the Critical Infrastructure Directive (EC) 2008/114, and notably, a proposal for a Directive on measures for a high common level of cybersecurity across the Union ("NIS 2"), repealing Directive (EU) 2016/1148 (NIS).
ETNO takes note of the NIS 2 proposal’s aim to increase the resilience of public and private entities across the EU. However, we believe efforts to further streamline and clarify cybersecurity measures for all actors across the EU should be sought. Establishing the maximal common level of security should be one of the objectives of the proposal, which should better focus on harmonising the cybersecurity regulatory framework in the EU digital single market.
The coexistence of a range of European legislative acts and national security laws risks undermining legal certainty and consistency, possibly resulting in conflicts of law and even market distortion. This is especially true for companies operating in multiple EU markets. A notable example is provided by the interpretation and implementation of the 5G Toolbox, which differ significantly across Member States. Clarity on the interplay of the cybersecurity measures in NIS 2, in the proposed Directive on the Resilience of Critical Entities, and in the European Electronic Communications Code is also crucial.
While we do appreciate that the draft Directive puts increased emphasis on supply chain risk management, we believe that the proposed framework does not fully leverage the role of the supply chain itself in filling the gaps and strengthening the resilience of critical services. The growing role played by providers of key technologies and services in the supply chain (notably hardware and software providers) in determining the resilience of digital infrastructure needs to be reflected in a fairer allocation of responsibility for risk management.
Supply chains are becoming more global and complex, with a multitude of parties involved and an intricate web of roles and responsibilities. For its part, the telecommunications sector faces ever-increasing network sophistication, given the shifts to 5G and to a virtualised, software-defined and cloud-dependent infrastructure. This means that the networks and end-to-end services of tomorrow will be delivered by an ecosystem of operators, managed service providers and other business partners, in which important functions and control points will move closer to the end-user and can be outsourced from telecom providers to other actors in the value chain.
Providers of key technologies and services are best placed to identify and solve the vulnerabilities in their products, services, or processes and thus to address cyber threats in the first place, before they spread across the whole supply chain. Therefore, a key objective of NIS 2 should be to introduce direct risk management obligations upon key actors in the supply chain, especially hardware and software providers, since those closest to the problem are closest to the solution.
In this paper, we highlight some specific points of concern and propose some areas of improvement.