BRUSSELS -- Today, global tech trade association ITI welcomed the publication of a package of new cybersecurity initiatives in the European Union, including a new EU Cybersecurity Strategy for the Digital Decade (Cybersecurity Strategy), and the updated Network and Security Information (NIS 2) Directive.
“As cybersecurity threats diversify, malicious cyber activities not only threaten the global economy and the Single Market, but also Europe’s democracies, freedoms, and values. The tech industry shares the EU’s goals as reflected in the Cybersecurity Strategy and NIS 2 Directive of enhancing resilience against cyber threats and increasing trust in digital tools, and is committed to cooperating with governments to increase cybersecurity and address these challenges,” said John Miller, Senior Vice President for Policy and Senior Counsel. “Together these measures represent an opportunity to ensure cybersecurity resilience of all key economic sectors and in the global supply chain, and increase the level of harmonisation of requirements across different sectors. We appreciate the European Commission’s consideration of ITI’s recommendations and welcome an ongoing dialogue as the Directive and the Cybersecurity Strategy are implemented.”
ITI and its members support risk-based 5G policies that take into account threats to the 5G ecosystem beyond those associated with specific supply chain actors and equipment, and welcome the EU Cybersecurity Strategy’s focus on enhancing 5G security through the implementation of the 5G Security Toolbox as well as the strategy’s considerations around 5G supply chain security.
As connected devices continue to grow in number, ITI agrees with the Commission on the importance of securing Internet of Things (IoT) from potential malicious attacks. Cooperation among all stakeholders involved in the IoT ecosystem as well as a broad industry consensus around an IoT security baseline grounded in international standards and best practices will facilitate a holistic and effective approach to IoT security.
While still under review, ITI welcomes clarifications to the scope of the proposed NIS 2 Directive. A clearer distinction between important and essential service providers can enable governance efforts to focus more resources in areas that are most essential. The Directive also reflects ITI’s recommendations to enhance harmonisation across Europe by strengthening the role of the Cooperation Group and coordinating with Member States, European Union Agency for Cybersecurity (ENISA), and the Commission to apply the Directive consistently across Member States.
Further, the introduction of the single point of contact is important to streamline incident notification procedure and avoid duplicative efforts for notifying multiple Member States. However, the stringent incident notification timeline is unduly restrictive and impractical as well as inconsistent with the GDPR’s data breach notification requirements, and calls for any cybersecurity certification proposal under the updated NIS Directive must be risk-based, flexible and technology neutral.