Feedback on the Commission’s proposal concerning the review of the NIS Directive on the security of network and information systems
CSC welcomes the Commission’s proposal and especially its ambition to further harmonise the level of cybersecurity across the EU by expanding the scope of the Directive, spelling out many of its requirements in more detail and equipping the Member States with more stringent supervision and enforcement powers. Cybersecurity is a field where clear and robust common rules are needed, and the Commission’s proposal is clearly a step in the right direction in this respect.
CSC also appreciates the more strategic and forward-looking approach where more focus is put on policy-level cooperation among the Member States as well as measures concerning cyber threats, risks and vulnerabilities rather than just incidents. The new peer review system (Art. 16) must be used effectively to promote policy-level cooperation among the Member States as well as more harmonised implementation of the Directive across the Union. Harmonisation, along with more proactive security measures, will also be supported by the use of cybersecurity certification schemes as suggested in Art. 21 of the Commission’s proposal. In this context, it would be most efficient to endorse well-known international security certifications, such as ISO 27001.
In the context of cybersecurity regulation, any underlying political considerations, such as those related to Europe’s digital sovereignty, must be made as transparent and explicit as possible. Their potential impact on cost and access to state-of-the-art technologies must also be acknowledged and assessed, in order to reach the best possible added value for Europe. In general, improving Europe’s digital resilience and sovereignty is a good objective that must be supported with broad-scale measures to develop European technological competences and skills. At the same time, excellence, cost-efficiency and environmental sustainability must remain the main criteria for developing the digital infrastructures in Europe.
Cybersecurity issues cannot be solved and managed by government actions and government agencies alone. CSIRTs (Computer Security Incident Response Teams) and ISACs (Information Sharing and Analysis Centres) have vital and well-established roles in incident mitigation and prevention. It is very important to ensure an early flow of trusted information on vulnerabilities and incidents between governmental CSIRTs, as well as between governmental CSIRTs and the CSIRTs and ISACs in the private sector, in the NRENs (National Research and Education Networks) and in research infrastructures. Existing mechanisms for trust, such as the Trusted Introducer Protocol and SIM3 or Sirtfi certification, should enable access to some early information on vulnerabilities and incidents.
Considering the vital importance of timely and efficient information flows, CSC is pleased with the proposal’s emphasis on increasing cooperation and information sharing among the authorities and service providers covered by the Directive, especially the obligation for the Member States to facilitate information sharing among essential and important entities (Art. 26). When identifying the parties and channels of information sharing, all existing networks, such as those between the private-sector CSIRTs and ISACs described above, must be fully leveraged. The aim must be to allow for as much information sharing as possible without compromising on confidentiality.
CSC is also happy to see that the national cybersecurity strategies are to include a policy on supporting academic and research institutions in developing cybersecurity tools and secure network infrastructure (Art. 5.2.f). These policies must also fully leverage existing structures and prior self-regulation efforts, e.g. in the framework of the emerging European data infrastructure landscape and ecosystems, including the European Open Science Cloud, GAIA-X, EuroHPC and the European research and education networks.