Netnod replies to EC act on NIS2 Cybersecurity risk management
Netnod believes that the act named Cybersecurity risk management & reporting obligations for digital infrastructure, providers and ICT service managers will not lead to the intended effect.
Netnod welcomes the opportunity to provide feedback on the consultation launched on 27 June on the “Cybersecurity risk management & reporting obligations for digital infrastructure, providers and ICT service managers” implementation act of the larger NIS2-framework. It consists of an implementation act and an annex.
Netnod hereby gives the following commentary on the proposal:
- It defines incidents based on whether explicit metrics have been achieved or not
Netnod suggests that significant incidents are defined as incidents which lead to actual negative impact on for the society essential services - In an ex-ante manner, it sets requirements on measures to be implemented
Netnod suggests that the act should define requirements on services in an ex-post manner, and leave the choice of measures entirely up to the covered entity - It relies on the ability to for a covered entity to identify its role in a supply chain
Netnod suggests the act needs to explicitly take into account any kind of business relationships and not only contractual agreements, and in that context specifically recognize suppliers of wholesale services
Please read the full answer below (pdf) for further details.
Tags
Netnod response to EC NIS2
Netnod response to comments