ECSO, the European organisation for cybersecurity, comprising over 300 members, has shared its views on the recently published NIS2 Implementing Act.
While acknowledging the progress towards enhancing cybersecurity across Europe, ECSO has identified several areas of concern and provided recommendations to improve the Act’s effectiveness.
Concerns over implementation costs and requirements
One of the primary concerns raised by ECSO is the potential for excessive and disproportionate costs associated with implementing the cybersecurity requirements outlined in the Act.
The organisation emphasises that cybersecurity measures should be risk-based and tailored to the specific threats and vulnerabilities faced by individual entities.
This approach would help avoid unnecessary financial burdens on organisations while ensuring adequate protection against cyber threats.
ECSO also highlights the ambiguity in some of the security requirements, which could hinder effective implementation. The lack of clarity might lead to inconsistent application of the rules across different entities, potentially undermining the overall security objectives.
Reporting of significant incidents
Another issue identified by ECSO is the extensive list of criteria for defining significant incidents.
The organisation warns that this could lead to over-reporting, increasing both the financial and administrative load on affected entities. ECSO suggests that the Act should require two or more criteria to be met for an incident to be considered significant, ensuring a more proportional approach.
Furthermore, ECSO recommends aligning the Act’s requirements with existing compliance schemes, such as ISO/IEC 27001. This alignment would help streamline the implementation process and reduce the burden on entities, particularly those with technical limitations.
Need for clearer incident reporting guidelines
ECSO calls for more detailed and actionable technical references for cybersecurity teams, as opposed to high-level guidelines focused on legal or managerial aspects.
Clarification is needed regarding whether incidents should be reported in the entities’ primary country of establishment, or all member states impacted by the incident.
The term “becoming aware,” used as a criterion for submitting an early warning within 24 hours, also requires a formal definition.
ECSO notes that some current criteria for categorising incidents, such as “reputational damage” and “complaints from users,” could lead to manipulation and should be revised or removed.
Recommendations for improved risk management
ECSO recommends tying the criteria for defining significant incidents to the requirements of digital service providers rather than the entities using the services.
This is crucial, as providers may not have visibility into key incident information from their customers.
The organisation also advises increasing the duration of operational disruption considered significant and clarifying whether incidents affecting both a digital service provider and its users should be reported by one or both parties.
In the end, while ECSO acknowledges the progress made with the NIS2 Implementing Act, it calls for several adjustments to ensure that the measures are practical, proportionate, and effectively enhance cybersecurity across Europe.