NIS2 Implementing Act: Collected ECSO Members' Feedback

The European Cybersecurity Organisation (ECSO) welcomes the NIS2 Implementing Act and highlights several risks based on feedback from its 300+ members. Key concerns include excessive and disproportionate cybersecurity implementation costs, ambiguous security requirements, and an overly extensive list of criteria for defining significant incidents that could lead to over-reporting. ECSO advocates for a risk-based approach and calls for clearer guidelines on incident reporting, including the removal or adaptation of subjective criteria such as reputational damage and financial loss.

The European Cybersecurity Organisation (ECSO), composed of 300+ Members, welcomes the publication of the NIS2 Implementing Act and offers feedback based on the input of ECSO Member organisations. Targeted feedback can be found in the document below, while here we provide a high-level overview of the crucial points. The Implementing Act is a good step towards increasing the overall level of cybersecurity; however, in its current form, it presents the following risks:

  • Excessive and non-proportional costs for implementing cybersecurity requirements. Cybersecurity controls should be risk-based and tailored to the specific threats and vulnerabilities faced by individual entities, while avoiding unnecessary, excessive and disproportionate costs.
  • Ambiguous security requirements, whose implementation may therefore not be streamlined.
  • A highly extensive list of criteria for defining significant incidents, which might lead to over-reporting of incidents and cause additional financial and administrative burden for the affected entities.

The Implementing Act requirements should follow a risk-based approach, linked to existing and recognised compliance schemes such as ISO/IEC 27001. In some cases, it may not be possible to implement certain requirements due to technical limitations, while the appropriate level of cybersecurity is still achieved. The specific monitoring and logging requirements might not always be required, or even technically feasible. Rather than prescribing specific requirements without knowing the organisation's environment and risk posture, authorities could instead ask for documentation of decisions and risk appetite.

Furthermore, two or more criteria should be met for an incident to be considered significant. Prescriptive incident reporting thresholds do not match the proportionality approach. Entities in scope have different sizes, use different technologies and have different business models. As a result, it can be challenging for them to accurately measure the expected metrics.

The following points should be taken into consideration with regard to the articles addressing 'significant incidents':

  1. The Implementing Act should focus more on actionable technical references for cybersecurity teams, rather than on high-level guidelines that are more focused on legal, financial or managerial aspects.
  2. It should be clarified whether the incident has to be reported in the entity's main country of establishment or in all Member States impacted by the incident.
  3. The phrase "becoming aware", as the criterion that triggers the submission of an "early warning" within 24 hours, should be better clarified by providing a formal and operational definition.
  4. Categories such as "reputational damage", "reporting in the media", "complaints from users" and "the risk of losing customers" should be removed or adapted as measurement criteria for categorising incidents, due to major risks of manipulation and non-objective measurement.
  5. Financial loss following an incident should be removed or adapted as a criterion for identifying an incident as significant, since the economic assessment exceeds the 24-hour reporting time and the current threshold is considered too low, which will inevitably lead to over-reporting.
  6. When assessing incidents, determining a figure for the duration of operational disruption deemed significant poses a challenge. The current number should at least be increased.
  7. Criteria for defining significant incidents should be tied to the requirements of digital service providers and not to the entity benefiting from the service, given that providers lack visibility into key incident information held by a customer.
  8. A link should be made between the categorisation of incidents as significant and the risk management measures outlined in the Annex.
  9. Further clarification is needed on whether a single incident affecting both the Digital Service Provider and the service user should be reported by the provider, the user, or both.
