In May 2021, the European Parliament’s Committee on Industry, Research and Energy published a draft report on the Commission proposal for a NIS 2.0 Directive (Rapporteur: Bart Groothuis).
The Rapporteur welcomes the Commission proposal for a NIS 2.0 Directive, and in particular, the expansion of the scope of the Directive. The Report suggests a further sector to be included, namely research and academic institutions, since their intellectual property deserves protection from outside attacks.
A central element in increasing the security of NIS is the reporting of incidents. The Rapporteur criticises the timeframe within which an initial report has to be filed and suggests an alignment with the GDPR, under which personal data breaches have to be reported within 72 hours. Although it is correct that all efforts should be invested in mitigating the incident, we do not share the Rapporteur’s argument that in the first stage of an incident, reporting should be of secondary interest. The initial report only requires very basic information and is thus unlikely to be overly burdensome once an incident is detected. Furthermore, the argument of “alignment” with other EU interventions is rather weak, since the reporting of security incidents in the financial sector requires much shorter timeframes (Art. 17 DORA Proposal).
In addition to the reporting of incidents that cause harm, the Commission Proposal also requires the reporting of incidents that have the potential to cause harm. The Rapporteur considers the requirement to report incidents that only have the potential to cause harm or affect others as unrealistic. There is a fear that the competent national authorities could be overwhelmed by receiving too many notifications, which in turn could divert attention and security resources away from the essential tasks of actually examining and handling incidents. While over-reporting cannot be ruled out, there is hardly any evidence that the requirement to report “near misses” impairs the handling of actual incidents. For instance, the German implementation of the NIS Directive foresees such reporting, but there is no information that this has resulted in the feared over-reporting. It also has to be borne in mind that a “near miss” may be the result of appropriate cybersecurity at one provider, while the same near miss may constitute a severe threat to other service providers.