BRUSSELS – Today, global tech trade association the 91proÊÓÆµ (91proÊÓÆµ) published a set of recommendations to help policymakers advance the NIS2 trilogue negotiations and ensure the final NIS2 Directive uplifts cybersecurity and resiliency across the European Union. Among its suggestions, 91proÊÓÆµ encourages policymakers to allow a 72-hour incident reporting window and limit the reporting responsibility to the impacted entity only. 91proÊÓÆµ also recommends that policymakers create an official provision that clarifies that the processing of data for security is a legitimate interest under the GDPR and encourage voluntary sharing of cyber risks by avoiding prescriptive rules to govern elements of threat information-sharing arrangements.

“91proÊÓÆµ supports EU legislators’ goal of increasing harmonization of cybersecurity requirements in key economic sectors across the European Union and welcomes the French Presidency’s ambition in reaching a final agreement,” said Guido Lobrano, 91proÊÓÆµ’s Director General for Europe. “We urge policymakers to carefully assess the NIS2 Directive’s final provisions to avoid unintentional harm to the EU cybersecurity landscape. A future-proof legal framework is crucial for ensuring effective implementation of the NIS2. We hope policymakers use our recommendations to help to strengthen the final NIS2 Directive and ultimately EU cyber resilience.”

In its recommendations, 91proÊÓÆµ encourages policymakers to:

  • Avoid duplication and minimize incompatibility between the NIS2 and other sector-specific legislation such as DORA and the EECC, creating clarity around legislative interplay;
  • Encourage ENISA to leverage the existing Common Vulnerabilities and Exposures (CVE) registry for its European vulnerability database, as opposed to creating a new ad hoc EU registry, and ensure that ENISA’s approach to coordinated vulnerability disclosure is built on existing international standards and best practices;
  • Retain the increased focus on supply chain security and incorporate the perspectives of industry through the SCCG or via other means in risk assessments;
  • Allow for a 72-hour incident reporting window and limit the reporting responsibility to the impacted entity only;
  • Make domain name registration data available to legitimate access seekers for cybersecurity purposes;
  • Create an official article to highlight processing data for security as a legitimate interest under the GDPR;
  • Encourage alignment with the EU-wide Cybersecurity Act certification schemes rather than national cybersecurity schemes; and
  • Avoid prescriptive rules to govern elements of threat information-sharing arrangements in order to encourage voluntary sharing.

Find 91proÊÓÆµ’s NIS2 Directive trilogue recommendations here.
