Netnod replies to EC act on NIS2 Cybersecurity risk management

Netnod believes that the act named “Cybersecurity risk management & reporting obligations for digital infrastructure, providers and ICT service managers” will not lead to the intended effect.

Netnod welcomes the opportunity to provide feedback on the consultation launched on 27 June on the “Cybersecurity risk management & reporting obligations for digital infrastructure, providers and ICT service managers” implementing act of the wider NIS2 framework. The proposal consists of an implementing act and an annex.

Netnod hereby gives the following commentary on the proposal:

  • It defines significant incidents by whether explicit metrics have been exceeded or not
    Netnod suggests that significant incidents are instead defined as incidents which lead to an actual negative impact on services that are essential to society
  • It sets ex-ante requirements on the measures to be implemented
    Netnod suggests that the act should instead define ex-post requirements on the services themselves, and leave the choice of measures entirely to the covered entity
  • It relies on a covered entity being able to identify its role in a supply chain
    Netnod suggests that the act needs to explicitly take into account all kinds of business relationships, not only contractual agreements, and in that context specifically recognise suppliers of wholesale services

Please read the full answer below (pdf) for further details.

Netnod response to EC NIS2
Netnod response to comments