Proposal for a revised Directive on Security of Network and Information Systems (NIS 2 Directive) - a BusinessEurope position paper
Key messages
- The annual cost of cybercrime is growing; in 2020 it was estimated at EUR 5.5 trillion, the largest transfer of economic wealth in history.
- The current NIS Directive has increased cybersecurity awareness and resilience, yet inconsistencies between Member States persist, which means Europe’s joint situational awareness and crisis response remain insufficient.
- The NIS 2.0 Directive vastly widens the scope of the current Directive: blanket obligations apply whether an entity is deemed essential or important. Such an expansion should only take place after a thorough assessment of the actual risk and impact posed by entities, with obligations graded accordingly.
- The proposal should reference the full Commission Recommendation 2003/361/EC so that all micro, small and medium-sized enterprises are covered by the exemptions offered, unless defined as an entity of "critical importance".
- There is a need for better coordination among Member State and Union-level authorities to share information and to prepare for and react to cyber threats. We support the "one stop shop" mechanism in this regard.
- Information regarding vulnerabilities should only be made public once mitigation knowledge is available, while upholding the protection of sensitive business information.
- The focus following an incident should primarily be on mitigation. In the interests of cybersecurity capacities and proportionality, we would urge that the incident notification timeframe be extended from 24 hours to 72 hours.
- Businesses make a conscious effort to keep their systems secure, but 100% security is not realistic. Incidents will occur while businesses try to defend against malicious attackers. The way to strengthen and broaden these measures should be sought in a collaborative approach rather than through imposing draconian one-size-fits-all fines.