Mr. Roberto Viola
Communications Networks, Content and Technology
Subject: Cybersecurity – review of EU rules on the security of network and information systems
Dear Director General Viola:
The U.S. Chamber of Commerce welcomes the opportunity to provide comments on the European Commission’s (“Commission” consultation of the revision of the Directive (EU) 2016/1148 concerning measures for a common, high-level of security of network and information systems across the Union (“NIS Directive” or “the Directive”) aimed at fulfilling the Commission’s requirements to review the functioning of the NIS Directive periodically.
The U.S. Chamber of Commerce (“Chamber”) is the world’s largest business federation, representing the interests of more than three million enterprises of all sizes and sectors. The Chamber is a longtime advocate for stronger commercial ties between the United States and the European Union. According to a recent Chamber study jointly commissioned with AmCham EU, the U.S. and EU are together responsible for over one-third of global gross domestic product, and transatlantic trade and investment supports 16 million jobs on both sides of the Atlantic. The Chamber is also a leading business voice on digital economy policy, including cybersecurity, artificial intelligence, data privacy, digital trade, and e-commerce. In the U.S. and globally, we advance sound policy frameworks that support economic growth, promote consumer protection, and foster innovation.
We want to emphasize five fundamental principles as the Commission evaluates the functioning of the NIS 2 Directive.
In a constantly evolving technological and threat landscape, the Chamber believes that the following recommendations will further strengthen the NIS 2 Directive.
- Harmonization Across the Digital Single Market.
- Cybersecurity Risk Management Measures.
- Harmonize Incident Notification Requirements.
- Leverage International Standards and Best Practices.
- Commitment to Government and Important and Essential Entity Collaboration.
The Chamber strongly believes that risk management is foundational to adequate cybersecurity. We commend the Commission on imposing a cybersecurity risk management approach by providing a minimum list of security elements and requirements that must be applied. By introducing security requirements and setting baseline capabilities across the European Union, the Chamber appreciates the national security importance and positive outcomes associated with implementing the NIS 2 Directive. As the NIS 2 Directive develops, we recommend continuing a risk-based approach that relies on best practices to identify and protect against threats to important and essential services. Such an approach will foster innovation and reward security and innovation since the NIS 2 Directive will adapt to new technologies.
Private industry greatly benefits when governments incorporate existing cybersecurity frameworks, such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework or the International Organization/International Electrotechnical Commission (ISO/IEC) 27001:2013, into any future policy enactments and avoid mandating national or regional approaches to standards and requirements that diverge from these international norms. Furthermore, the Chamber believes, to achieve greater harmonization and alignment a codified partnership between the EU Cooperation Group and important and essential entities on a wide range of issues, such as risk management measures, use of international standards and frameworks, and incident reporting requirement thresholds and timeframes needs to be realized. This will support efforts to alleviate divergent approaches that may only serve to fragment the digital single market.
The Chamber appreciates the Commission’s willingness to consult with industry throughout the process. Public-private partnerships between important and essential entities and national competent authorities (i.e., ENISA and the CSIRTs Network) will support efforts to ensure that effective, transparent, accountable, and consultative processes are put in place. Our goal is to foster a more resilient ecosystem through the creation of industry-led, market-based cybersecurity solutions. We strongly believe that a multi-stakeholder approach to cybersecurity is the most effective way to encourage economic activity while ensuring the digital infrastructure’s security.
The Chamber appreciates the opportunity to share with you our primary concerns with the Directive. We stand ready to work with the European Commission and key stakeholders, and industry in ongoing consultations regarding new policies and sound policy implementations associated with the Security of Network and Information Systems.
Thank you again for your time, and we look forward to a continuing dialogue that helps achieve Europe’s goals for a high common level of cybersecurity across the Union. If you have any questions or clarify our positions, please contact Vince Voci (firstname.lastname@example.org) and Abel Torres (email@example.com).