A strong cybersecurity environment poses a key priority for Europe’s economy. As the use of digital solutions grows, the need to ensure that Europe’s networks and information systems are resilient against evolving cyberattacks is paramount. Our suggestions for an improved resilience of the EU’s cybersecurity focus on the scope of the proposal for a revised Directive on Security of Network and Information systems (NIS 2 Directive), the risk-based approach, proportional obligations, legislative overlap and conflicting requirements as well as offering insight on reporting obligations and thresholds. Read our response here.

As the EU’s economy and society continue to embrace digital solutions in an accelerated fashion, the need to ensure that Europe’s networks and information systems are resilient against evolving cyberattacks has never been higher. A strong cybersecurity environment is thus a key pillar for both industry and government stakeholders alike. To achieve a more resilient cybersecurity, increased collaboration through public-private-partnerships, harmonization and global cooperation will be paramount going forward. The European Commission’s proposal for a revised Directive on Security of Network and Information systems (NIS 2 Directive) aims to address these issues and to increase cyber resilience across the EU.

To ensure the European Commission’s ambitions can become a reality and contribute to a safer and stronger cybersecurity environment, AmCham EU puts forward a number of recommendations to further enhance the legislative proposal. Our suggestions for an improved resilience of the EU’s cybersecurity focus on the scope of the NIS 2 Directive, the risk-based approach, proportional obligations, legislative overlap and conflicting requirements as well as offering insight on reporting obligations and thresholds. Furthermore, AmCham EU offers insights on how to ensure a more streamlined industry involvement as well as on certification, international standards, and encryption. Moreover, we highlight crucial angles of the discussion around vulnerability disclosures, supervision and enforcement, as well as remaining issues on the provisions focusing on top level domain registration data.