European Commission’s proposal for a revised Directive on Security of Network and Information Systems (NIS2): EBF key messages
Publication date: 17 June 2021
Ensuring high levels of cybersecurity across the EU is one of the biggest challenges, affecting citizens, customers, and businesses alike. Cyber threats are by nature cross-sectoral and may arise from and expand to any field of economic activity, with possibly immense repercussions. Therefore, adopting cybersecurity measures that target entities across sectors is crucial, and the European Commission’s review of the Directive on Security of Network and Information Systems (NIS2) is a welcome initiative.
Some of the sectors within the scope of NIS2 are also covered by sector-specific rules, as is the case for the financial sector where, in addition to a number of existing policies, the Commission has also published a proposal for a Regulation on digital operational resilience for the financial sector (DORA). The Regulation includes provisions on ICT risk management, cyber incident reporting, digital operational resilience testing, information-sharing arrangements and the management of ICT third-party risk. Given the extent of the DORA provisions, the EBF welcomes its function as lex specialis to NIS2, thereby providing legal certainty to banks in terms of their obligations.
However, some elements of the current NIS2 text require further clarification, so as to ensure clear and smooth implementation:
- DORA’s function as lex specialis to NIS2 should be stated clearly and unconditionally.
- The requirement to notify competent authorities and recipients of services of cyber threats should be carefully re-assessed, as it is bound to create more risks than those it intends to address.
- The revised text should aim at enabling the establishment of meaningful and voluntary cyber threat information-sharing arrangements among trusted circles.
Dimos Karalis, Policy Adviser Innovation & Cybersecurity, firstname.lastname@example.org