×

NIS 2 implementation: CENTR issues Board statement on the Cybersecurity risk management & reporting obligations for digital infrastructure

News 24-07-2024

CENTR has issued a Board statement to provided feedback to the European Commission’s Draft implementing regulation of the NIS 2 Directive.

As entities that are directly targeted by the provisions of the European Commission’s Draft implementing regulation laying down rules for the application of the NIS 2 Directive, CENTR members provide feedback and express their concerns in regards to cybersecurity risk management and reporting obligations for digital infrastructure under the regulation.

CENTR would like to draw the European Commission’s attention to the following areas of concern:

  • In order to provide legal clarity for essential entities, and ensure manageability of handling incident reporting for CSIRTs and competent authorities, CENTR calls for keeping Article 3 as focused as possible. A voluntary reporting mechanism available in NIS 2 Directive will provide necessary leverage for more ambiguous situations and facilitate cooperation between CSIRTs and essential entities.

  • CENTR calls for further clarifications in Articles 5 and 6 regarding disruptions of authoritative domain name resolution service that should only include situations under control of the affected entity, within their managed network systems.

  • In order to avoid the overlap of competence between authorities, CENTR calls for narrowing down a significant incident criteria in Article 6(c) to cover breaches of the integrity, confidentiality or authenticity of stored, transmitted or processed data in relation to technical operation of the TLD under the definition provided in the NIS 2 Directive.

  • CENTR calls for including a reasonable and uniform transition period for compliance with the mandatory cybersecurity risk management measures in Annex.

Read the full Board statement here.

Published By Polina Malaja
Polina Malaja is the Policy Director at CENTR, leading its policy work and liaising with governments, institutions and other organisations in the internet ecosystem.