The Charter of Trust Responds to the Revision of the EU’s NIS Directive
The Charter of Trust welcomes the European Commission’s intention to strengthen cybersecurity throughout the European Union and its Single Market.
You can find our detailed response to the NIS Directive proposal here.
Member States and their citizens are facing an ever-changing security threat landscape, with increasing dependence on digitalisation and the complexity of interdependent global markets and supply chains. The COVID-19 pandemic has reinforced the urgent need for increased preparedness and ability of European essential entities to maintain the security and availability of their network and information systems. Consequently, a higher degree of legal and operational harmonisation is needed to enhance EU-wide response capabilities and resilience to threats to the European economy and society. This policy focus is essential as we continue to uncover and comprehend the impacts of the SolarWinds cyberattack and similar recent incidents. From bolstering the capabilities of national CERTs in Europe to taking critical steps to protect wider parts of our critical infrastructure and supply chains to building a pipeline of advanced cybersecurity professionals, these critical policy areas must be central to the EU policy agenda going forward.
The members of the Charter of Trust – an international alliance of corporations and organizations committed to enabling trust in digital technologies – encourage the European Commission to align its policy priorities with several core principles that emphasize the need to prioritize cybersecurity protection measures and education. The objective of the review of the NIS Directive (“NIS 2.0”) should be to overcome the fragmented legal environment at European and national level, and from an Internal Market perspective, to strengthen risk management in the digital value chain.
Additionally, to be effective, cybersecurity has to cover the entire digital value chain. The Charter of Trust has directly addressed this issue through its baseline security requirements for the supply chain in Principle 2 and Security by Default in Principle 3.
Ownership and Education
Principle 1 of the Charter of Trust establishes that responsibility for cybersecurity should be appropriately designated throughout an organization with proper accountability in management. We strongly support the high-level objective in the proposal to ensure a high level of responsibility for the cybersecurity risk management measures and reporting obligations at the level of the organisations. While the Charter of Trust recognises the necessity to outline basic cybersecurity risk management measures for network and information systems that all essential and important entities have to fulfil, we ask the EU Commission, European Parliament and Member States to take a balanced approach when it comes to incident reporting obligations, and also make sure that reported information is used in the best possible way to mitigate risks.
Within the Charter of Trust, Principle 6 addresses the need for cyber awareness, training, and skills at multiple levels of the organisation. We have developed an educational framework covering different aspects. One of our key recommendations is to have a holistic approach to cybersecurity and involve senior management. We recognise the step to make management bodies more responsible for the cybersecurity strategy of an essential or important entity. With regard to the NIS 2.0 proposal, we would urge stakeholders to consider how organisations should establish responsibility for cyber security – to what extent this is a largely technical or a high-level management issue – we believe that CISOs or IT security personnel should be able to provide members of management bodies with in-depth information. Personal accountability for non-compliance may be a step too far, especially if the goal is to ensure appropriate cybersecurity awareness in companies across sectors.
Overall, it is crucial that the required measures are proportional to the risk. Often, companies have to deal with legacy IT systems, and they have evolved over time (e.g. through acquisitions). Some architectural decisions which had to be made in the past might have an impact on the technical ability to apply the latest state-of-the-art security technologies.
Moreover, such requirements should be congruent across the EU in order to ensure that members of management bodies are not confronted with diverging requirements across the Single Market.
Responsibility throughout the digital supply chain
Principle 2 states that companies and – if necessary – governments must establish risk-based rules beyond the proposed baseline cybersecurity supply chain requirements to ensure adequate protection across the digital supply chain. For critical infrastructures, which correspond to essential entities in the proposal, the Charter of Trust advocates for independent certification in its Principle 7. As was observed in the recent high-profile SolarWinds attacks, third-party and fourth-party cyber risk management has never been more important. It is imperative for organizations to have visibility into the cybersecurity measures of their key vendors. Aligned to what we have developed in our report ‘Common risk-based approach for the Digital Supply Chain’, the Charter of Trust calls on all stakeholders to establish tangible measures providing organizations with guidance and frameworks for assessing third-party risk. Tactically, this includes promoting standards across secure software development and engaging in a coordinated, improved approach to vulnerability management. Risk assessments should include both technical and non-technical factors, but they alone will not be able to fully address the security and resilience of the value chain.
To substantially improve resilience and security of supply chains, the direct inclusion of providers of key technologies and services for critical infrastructure into the regulatory framework should be considered. However, as the NIS Directive is primarily aimed at the security of suppliers’ network and information systems rather than products or services, it is not the best vehicle for this. Hence we propose that sector-specific cyber security certification schemes under the Cybersecurity Act and other product-related legislation that is currently being revised be considered for this purpose.
The Charter of Trust has directly addressed the need for higher cyber resilience in the supply chain through its baseline security requirements for the supply chain in Principle 2.
Security by default
Principle 3 of the Charter on ‘Security by Default’ calls for the adoption of the highest appropriate level of security and data protection to be preconfigured into the design of products, functionalities, processes, technologies, operations, architectures, and business models. As industrial production – especially in the technology and mobility sectors – continues to recover in the wake of the pandemic, security by default is now more essential than ever. We encourage and anticipate further discussion on device-based security standards when contemplating next steps in crafting more advanced, flexible cybersecurity principles.
Transparency and Incident Response
In accordance with Principle 8, which is focused on threat information sharing, we believe that reporting of significant incidents to the regulatory authority is an important phase in the process; however, the deadline proposed in the NIS 2.0 should be realistic. Despite the minimum amount of information required, the proposed 24-hour deadline for an initial notification report to the competent authorities constitutes a very short timescale in view of the priority for businesses to rectify the problem and restore continuity of services should these have been disrupted. Exposing information about an incident before a patch is applied or operations restored makes operators and their customers vulnerable to increased hacker attacks. In our submission, we recommend adopting a timeframe similar to the GDPR, under which a breach should be reported without undue delay, but no later than 72 hours.
In addition, we would also welcome a more balanced approach, defining specific deadlines that reflect the complexity and effort of incident analysis and take into account the criticality of a disruption of service provision (e.g. electricity or water supply versus the manufacturing of electronic components).
While we support more effective threat information sharing, we believe that the proposal to capture not only incidents but also significant potential threats or so-called near misses in reporting obligations might be counterproductive. Lowering the threshold to near misses will likely result in an overflow of notifications and decreased efficiency on the part of regulators. It also raises questions about the provenance and reliability of such information, as well as related liability issues. Such notification should be made voluntary.
With regard to “give and take” in terms of information sharing, we believe ENISA could assume a more active role in the threat intelligence network, providing up-to-date information and advice to essential and important entities. Regarding vulnerability disclosure (Art. 6), policy makers should take existing instruments like CVE – the de facto industry standard – into account and avoid setting up an additional platform.
Principle 9 deals with Regulatory Frameworks. We strongly believe that policymakers should ensure seamless and clear application between horizontal legislative proposals and lex specialis. Several regulations in the digital domain addressing security and data protection have been adopted since the NIS Directive came into force. To benefit from those already existing cybersecurity-related requirements like the European Cyber Security Act (CSA), Radio Equipment Directive (RED), Machinery Directive (MD), Medical Device Regulation (MDR), eIDAS Regulation and EUid, General Product Safety Directive (GPSD) and General Data Protection Regulation (GDPR), it is of utmost importance to increase coherence between those and the NIS Directive. To avoid additional effort, industry should be able to make use of already demonstrated conformity towards associated cybersecurity requirements. In order to support Member States in strengthening their respective capabilities and competences, and improve (cyber)security and resilience, NIS 2.0 should ensure that there are no overlaps or double reporting required amongst all cyber-related legislative proposals, while at the same time acknowledging the attributes of different sectors. In addition, it is of the highest priority to avoid different standards and procedures in the different countries, which would also lead to varying security levels across the EU.
Coherence should also be strengthened between requirements by all Member States, while at the same time acknowledging the attributes of different sectors. One possible solution might be to extract agreed horizontal requirements of the NIS Directive into a regulation in order to harmonize them throughout all European Member States.
Joint Initiatives in Cybersecurity (International Norms and Leadership)
We recognize that success will require global support and joint initiatives between industry, governments, academia and research organizations, as laid out in both Principle 10 of our Charter of Trust and its Joint Initiatives and Associate Partner Forum, which support a collaborative approach between these important stakeholder groups. To also strengthen the global digital supply chain for industry, harmonization of standards and requirements with other regions should become a priority of the European Commission.
Cybersecurity is at the core of defence, future stability and economic growth. Its importance should not be underestimated or placed down the list of highest governmental priorities. The members of the Charter of Trust stand by to help inform and support these policy actions.