11.5.2021   

EN

Official Journal of the European Union

C 183/3


Summary of the Opinion of the European Data Protection Supervisor on the Cybersecurity Strategy and the NIS 2.0 Directive

(The full text of this Opinion can be found in English, French and German on the EDPS website www.edps.europa.eu)

(2021/C 183/03)

On 16 December 2020, the European Commission adopted a proposal for a Directive of the European Parliament and of the Council on measures for a high common level of cybersecurity across the Union, repealing Directive (EU) 2016/1148 (‘the Proposal’). In parallel, the European Commission and the High Representative of the Union for Foreign Affairs and Security Policy issued a Joint Communication to the European Parliament and the Council, titled ‘The EU’s Cybersecurity Strategy for the Digital Decade’ (‘the Strategy’).

The EDPS fully supports the overall objective of the Strategy to ensure a global and open internet with strong safeguards against the risks to security and fundamental rights, recognising the strategic value of the Internet and its governance and reinforcing the Union action therein, in a multi-stakeholder model.

The EDPS therefore equally welcomes the aim of the Proposal to introduce systemic and structural changes to the current NIS Directive in order to cover a wider set of entities across the Union, with stronger security measures, including mandatory risk management, minimum standards and relevant supervision and enforcement provisions. In this regard, the EDPS considers that it is necessary to fully integrate Union institutions, offices, bodies and agencies in the overall EU-wide cybersecurity framework for achieving a uniform level of protection, by including Union institutions, offices, bodies and agencies explicitly in the scope of the Proposal.

The EDPS further highlights the importance of integrating the privacy and data protection perspective in the cybersecurity measures stemming from the Proposal or from other cybersecurity initiatives of the Strategy, in order to ensure a holistic approach and enable synergies when managing cybersecurity and protecting the personal information they process. It is equally important that any potential limitation of the right to the protection of personal data and privacy entailed by such measures fulfils the criteria laid down in Article 52 of the EU Charter of Fundamental Rights, and in particular that it is provided for by a legislative measure and is both necessary and proportionate.

It is the expectation of the EDPS that the Proposal does not seek to affect the application of existing EU laws governing the processing of personal data, including the tasks and powers of the independent supervisory authorities competent to monitor compliance with those instruments. This means that all cybersecurity systems and services involved in the prevention, detection, and response to cyber threats should be compliant with the current privacy and data protection framework. In this regard, the EDPS considers it important and necessary to establish a clear and unambiguous definition for the term ‘cybersecurity’ for the purposes of the Proposal.

The EDPS issues specific recommendations to ensure that the Proposal correctly and effectively complements the existing Union legislation on personal data protection, in particular the GDPR and the ePrivacy Directive, also by involving the EDPS and the European Data Protection Board when necessary, and establishing clear mechanisms for the collaboration between competent authorities from the different regulatory areas.

Furthermore, the provisions on managing internet Top Level Domain registries should clearly define the relevant scope and conditions in law. The concept of the proactive scans of network and information systems by the CSIRTs equally requires further clarifications on the scope and the types of personal data processed. Attention is drawn to the risks for possible non-compliant data transfers related to the outsourcing of cybersecurity services or the acquisition of cybersecurity products and their supply chain.

The EDPS welcomes the call for the promotion of the use of encryption, and in particular end-to-end encryption, and reiterates his position that encryption is a critical and irreplaceable technology for effective data protection and privacy, and that circumventing it would deprive the mechanism of any protective capability, because of the possible unlawful use of such circumvention and the resulting loss of trust in security controls. To this end, it should be clarified that nothing in the Proposal should be construed as an endorsement of weakening end-to-end encryption through ‘backdoors’ or similar solutions.

1.   INTRODUCTION AND BACKGROUND

1. On 16 December 2020, the European Commission adopted a proposal for a Directive of the European Parliament and of the Council on measures for a high common level of cybersecurity across the Union, repealing Directive (EU) 2016/1148 (1) (‘the Proposal’).

2. On the same date, the European Commission and the High Representative of the Union for Foreign Affairs and Security Policy issued a Joint Communication to the European Parliament and the Council, titled ‘The EU’s Cybersecurity Strategy for the Digital Decade’ (‘the Strategy’) (2).

3. The Strategy aims to strengthen the Union’s strategic autonomy in the field of cybersecurity and to improve its resilience and collective response, as well as to build a global and open Internet with strong guardrails to address the risks to the security and fundamental rights and freedoms of people in Europe (3).

4. The Strategy contains proposals for regulatory, investment and policy initiatives in three areas of EU action: (1) resilience, technological sovereignty and leadership, (2) building operational capacity to prevent, deter and respond, and (3) advancing a global and open cyberspace.

5. The Proposal constitutes one of the regulatory initiatives of the Strategy, in particular in the area of resilience, technological sovereignty and leadership.

6. According to the Explanatory Memorandum, the aim of the Proposal is to modernise the existing legal framework, i.e. Directive (EU) 2016/1148 of the European Parliament and of the Council (‘NIS Directive’) (4). The Proposal aims to build on and repeal the current NIS Directive, which was the first EU-wide legislation on cybersecurity and provides legal measures to boost the overall level of cybersecurity in the Union. The Proposal takes account of the increased digitisation of the internal market in recent years and of an evolving cybersecurity threat landscape, as amplified since the onset of the COVID-19 crisis. The Proposal aims to address several identified shortcomings of the NIS Directive and to increase the level of cyber resilience of all those sectors, public and private, that perform an important function for the economy and society.

7. The main elements of the Proposal are:

(i) the expansion of the scope of the current NIS Directive by adding new sectors based on their criticality for the economy and society;

(ii) stronger security requirements for covered companies and entities, by imposing a risk management approach providing a minimum list of basic security elements that have to be applied;

(iii) addressing the security of supply chains and supplier relationships by requiring individual companies to address cybersecurity risks in their supply chains and supplier relationships;

(iv) enhancement of cooperation between Member State authorities and with Union institutions, offices, bodies and agencies in dealing with cybersecurity related activities, including cyber crisis management.

8. On 14 January 2021, the EDPS received a request for formal consultation from the European Commission on the ‘Proposal for a Directive of the European Parliament and of the Council on measures for a high common level of cybersecurity across the Union, repealing Directive (EU) 2016/1148’.

3.   CONCLUSIONS

77. In light of the above, the EDPS makes the following recommendations:

Concerning the Cybersecurity Strategy

to take into account that the first step to mitigate the data protection and privacy risks associated with new technologies for improving cybersecurity, such as AI, is to apply the data protection by design and by default requirements laid down in Article 25 GDPR, which will assist in integrating appropriate safeguards such as pseudonymisation, encryption, data accuracy and data minimisation in the design and use of these technologies and systems;

to take into account the importance of integrating the privacy and data protection perspective in cybersecurity related policies and standards, as well as in traditional cybersecurity management, in order to ensure a holistic approach and enable synergies for public and private organisations when managing cybersecurity and protecting the information they process, without needless duplication of effort;

to consider and plan for resources to be used by EUIs to strengthen their cybersecurity capacity, in a way that fully respects the EU’s values;

to take into account the privacy and data protection dimensions of cybersecurity by investing in policies, practices and tools in which the privacy and data protection perspective is integrated in traditional cybersecurity management and effective data protection safeguards are applied when processing personal data in cybersecurity activities;

On the scope of the Strategy and of the Proposal to the Union institutions, offices, bodies and agencies

to take into account the EUIs’ needs and role, so that EUIs are integrated in this overall EU-wide cybersecurity framework as entities enjoying the same high level of protection as those in the Member States; and

to include Union institutions, offices, bodies and agencies explicitly in the scope of the Proposal.

Concerning the relationship to existing Union legislation on personal data protection

to clarify in Article 2 of the Proposal that the Union’s legislation for the protection of personal data, in particular the GDPR and the ePrivacy Directive, applies to any processing of personal data falling within the scope of the Proposal (instead of only within specific contexts); and

to also clarify in a relevant recital that the Proposal does not seek to affect the application of existing EU laws governing the processing of personal data, including the tasks and powers of the independent supervisory authorities competent to monitor compliance with those instruments;

Concerning the definition of cybersecurity

to clarify the different uses of the terms ‘cybersecurity’ and ‘security of network and information systems’; to use the term ‘cybersecurity’ in general, and the term ‘security of network and information systems’ only where the context (e.g. a purely technical one, without regard to impacts on users of systems and other persons) allows it.

Concerning the domain names and registration data (‘WHOIS data’)

to clearly spell out what constitutes ‘relevant information’ for the purposes of identifying and contacting the holders of domain names and the points of contact administering the domain names under the TLDs;

to clarify in greater detail which categories of domain registration data (which do not constitute personal data) should be the subject of publication;

to clarify further which (public or private) entities might constitute ‘legitimate access seekers’;

to clarify whether the personal data held by the TLD registries and the entities providing domain name registration services for the TLD should also be accessible by entities outside the EEA, and if that would be the case to clearly lay down the conditions, limitations and procedures for such access, taking into account also the requirements of Article 49(2) GDPR, where applicable; and

to introduce further clarification as to what constitutes a ‘lawful and duly justified’ request on the basis of which access shall be granted, and under which conditions.

Concerning the ‘proactive scanning of network and information systems’ by CSIRTs

to clearly delineate the types of proactive scanning which CSIRTs may be requested to undertake and to identify the main categories of personal data involved in the text of the Proposal.

Concerning outsourcing and supply chain

to take into account the features enabling the effective implementation of the principle of data protection by design and by default, when assessing supply chains for technology and systems processing personal data;

to take into account specific requirements in the country of origin that might represent an obstacle to compliance with EU privacy and data protection law, when assessing the supply chain risks of ICT services, systems or products; and

to include in the legal text the mandatory consultation of the EDPB when defining the aforementioned features and, as necessary, in the coordinated sectoral risk assessment mentioned in the recital 46;

to mention in a recital that open source cybersecurity products (software and hardware), including open source encryption, might offer the necessary transparency to mitigate specific supply chain risks.

Concerning encryption

to clarify in recital 54 that nothing in the Proposal should be construed as an endorsement of weakening end-to-end encryption through ‘backdoors’ or similar solutions.

Concerning Cybersecurity risk management measures

to include, both in the recitals and in the substantive part of the Proposal, the concept that integrating the privacy and data protection perspective in traditional cybersecurity risk management will ensure a holistic approach and enable synergies for public and private organisations when managing cybersecurity and protecting the information they process, without needless duplication of effort;

to add in the legal text an obligation for ENISA to consult the EDPB when drawing up relevant advice.

Concerning personal data breaches

to change the text ‘within a reasonable period of time’ of Article 32(1) to ‘without undue delay’.

Concerning the Cooperation Group

to include in the legal text the participation of the EDPB in the Cooperation Group, taking into account the link between the tasks of this Group and the data protection framework.

Concerning jurisdiction and territoriality

to clarify in the legal text that the Proposal does not affect the competences of data protection supervisory authorities under the GDPR;

to provide a comprehensive legal basis for the cooperation and exchange of information among competent and supervisory authorities, each acting within their respective areas of competence; and

to clarify that competent authorities under the Proposal should be able to provide to the competent supervisory authorities under Regulation (EU) 2016/679, upon request or on their own initiative, any information obtained in the context of audits and investigations that relates to the processing of personal data, and to include an explicit legal basis to that effect.

Brussels, 11 March 2021.

Wojciech Rafał WIEWIÓROWSKI


(1)  Proposal for a Directive of the European Parliament and of the Council on measures for a high common level of cybersecurity across the Union, repealing Directive (EU) 2016/1148, COM (2020) 823 final.

(2)  The EU’s Cybersecurity Strategy for the Digital Decade, JOIN (2020) 18 final.

(3)  See chapter I. INTRODUCTION, page 4 of the Strategy.

(4)  Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union (OJ L 194, 19.7.2016, p. 1).