How EU Legislators Can Improve the NIS 2.0 Directive

The growing number of large-scale cyberattacks in recent years has been accompanied by a wide range of legislative, as well as strategic, initiatives around the world to bolster cybersecurity. The EU is no exception. In December 2020, the European Commission (Commission) proposed “NIS 2.0” as a revision of the Network and Information Security (NIS) Directive – a 2016 law aimed at fostering the cyber-resilience of critical infrastructure entities in the EU. This proposal is now being negotiated among the three EU co-legislators: the Commission, the Council of the EU and the European Parliament (Parliament).

As the global cybersecurity leader, Palo Alto Networks is in a unique position to witness the challenges and the opportunities of regulatory measures while we secure governments, businesses and societies in 150 countries every day.

We strongly support the Parliament’s position and urge it to be integrated into the final law. All three EU co-legislators are encouraged to consider the following when finalising negotiations on NIS 2.0 (some of these are in the Parliament’s text). Our aim is to improve the efficacy of the law to meet the EU’s goal of improved cybersecurity.

1. Make the database of domain names registration data (WHOIS) a useful tool to enable cybersecurity efforts.

We strongly support the Commission’s inclusion of this topic (Article 23), which aims to restore access to domain name registration information (WHOIS data) for legitimate access seekers in order to enable cybersecurity efforts. Domain names and registration data are important to cybersecurity companies’ work to prevent and combat Domain Name System (DNS) abuse and to prevent, detect and respond to cybersecurity incidents on behalf of customers, including those based in the EU. Because many types of organisations provide domain registration services, all entities providing such services, not only Top-Level Domain (TLD) registries, should be required to maintain accurate domain name registration data. In addition, as anonymity of the domain owner effectively undermines the security value of this data, it is important to be able to identify the ultimate beneficial owner – the person who actually owns the domain – even if it is registered under another name.

Domain name registration data should be available for legitimate access seekers, which should include the list of organisations in the Commission’s original Recital 60, as well as cybersecurity researchers. It should also include organisations based outside the EU. Cyberthreats and cyberattacks are global, and organisations based globally need to access WHOIS data in a timely manner (while complying with EU data protection law). Replies to data requests should be immediate for data used to identify ownership of domains that can be used for immediate cybersecurity purposes. Imminent cyberattacks happen all the time, and incident response must be automatic. Historical data, and a permanent record of historical changes to the data, are also vital.

2. Make the existing global vulnerability registry a powerful and efficient tool for the European Union.

We support the European Cybersecurity Agency (ENISA) playing a more central role in global coordinated vulnerability disclosure and management efforts. However, we caution against ENISA starting a new vulnerability registry. The global cybersecurity community has been leveraging one global Common Vulnerabilities and Exposures (CVE) registry for decades. This benefits global cybersecurity, as companies and other stakeholders that are handling incidents have just one registry to check, and know they are talking about the same incident. Rather than establishing a new European registry, ENISA should set up a new database that leverages the existing CVE programme. This can address challenges that European organisations may face, such as providing details on risks, impacts and fixes in all EU languages and focusing on ICT products developed or used in the EU.

One such model is the “Known Exploited Vulnerabilities Catalogue” produced by the Cybersecurity and Infrastructure Security Agency (CISA) within the United States Department of Homeland Security. Rather than recreate the international CVE registry, CISA’s list helps defenders prioritise the vulnerabilities that are known to be exploited by malicious actors. ENISA could similarly drive attention and prioritisation to vulnerabilities targeting organisations in Europe.

When member states establish coordinated vulnerability disclosure and management policies, they should align with existing international standards for vulnerability disclosure (ISO/IEC 29147) and management (ISO/IEC 30111). These standards lay out best practices for validating, prioritising and remediating reported vulnerabilities, so all known vulnerabilities can be addressed in a coherent and efficient manner, while carefully considering the nuances of vulnerability handling and disclosure.

3. Provide clear legal guidance to member states on the conditions under which the processing of personal data for cybersecurity purposes is legitimate under GDPR.

We appreciate that the Commission proposes to make clear (Recital 69) that the GDPR considers processing of personal data for ensuring network and information security a legitimate interest. The Parliament built upon the Commission’s intent by adding a new Article (Article 2, 6a) to help member states reinforce this legal basis when transposing NIS 2.0 in national laws. We encourage the co-legislators to accept the Parliament’s approach, which would also help to create legal clarity for cybersecurity stakeholders.

4. Encourage effective, voluntary cybersecurity information-sharing arrangements.

We strongly support the Commission’s Article 26 proposal, which aims to encourage more voluntary cyberthreat information sharing across the EU. Voluntary threat information sharing is essential to help all entities to understand threats and take steps to prevent successful cyberattacks. To improve this section, we recommend that relevant stakeholders aside from NIS 2.0-covered entities, such as cybersecurity companies and researchers, be allowed to participate in threat-sharing arrangements established under this law. Cybersecurity companies play an important role in threat sharing. They often have unique or specific visibility of threats that others, such as sector-specific groups, might not see and can contribute that information. At the same time, cybersecurity companies can leverage threat data from sector-specific, information-sharing arrangements to protect customers (including governments and private sector entities) and enhance their overall view of the threat landscape.

Directing member states to set rules specifying procedures and operational elements of threat information-sharing arrangements will discourage more voluntary sharing. The role for governments in promoting greater voluntary threat sharing should be to promulgate best practices and remove legal impediments that hinder greater voluntary sharing, with a focus on protecting privacy. Finally, there should not be a mandate to notify competent authorities when organisations join or leave information-sharing arrangements. This could discourage participation.

5. Introduce reasonable, meaningful and operational security incident reporting obligations.

The increase of severe cyber incidents in recent years has prompted policy makers to propose incident reporting regimes as a tool to gain earlier insight and greater visibility into cybersecurity attacks. If structured effectively, cyber incident reporting can indeed play an important role in informing actions to respond to incidents and contain or prevent further impact. Here we support nearly all of the Parliament’s amendments.

The proposal by the European Commission that in-scope entities must report incidents (even those that have not yet happened) within 24 hours would be largely unworkable for companies and, equally important, not useful for EU governments in terms of improving cybersecurity. In this regard, we would like to highlight recommendations that were developed by global companies in the September 2021 Global Policy Principles for Security Incident Reporting report on how policymakers can develop meaningful incident reporting regimes. These include allowing for at least a 72-hour reporting window after an entity has verified an incident and limiting incident reporting to confirmed or verified incidents.

The Parliament, recognising the challenges with short reporting windows, proposed (Article 20) that for any period shorter than 72 hours, only incidents that impact the availability of services, the “A” in the confidentiality-integrity-availability (C-I-A) triad, should be reported. While we continue to believe the 72-hour window is ideal, this compromise greatly improves the Commission’s original proposal. Of the three, availability is the most reasonable to report in that timeframe, because a loss of availability is often much clearer within a 24-hour window.

6. Promote leading cybersecurity practices for electronic communications networks and services.

The Commission proposes that electronic communications networks and services be added to the law’s scope and that encryption should be promoted and potentially be mandated for these entities (Recital 54). In the cybersecurity context, encryption should be expected on critical segments of the network, but by itself is insufficient. While encryption provides security against tampering of data travelling through a network, it does not provide visibility into whether the encrypted data carries cybersecurity threats. If traffic is encrypted, it is scrambled, and electronic communication organisations (or their cybersecurity providers) will be unaware of the presence of threats in the traffic and unable to stop them. In addition, with an encrypted network, there is no way to know if data (including personal data) is being exfiltrated.

In short, relying solely on encryption creates a secure “pipe” for bad cybersecurity actors to leverage. It is technically possible to deploy encryption side-by-side with technologies that can identify threats traversing through networks and stop those threats in real-time. ENISA’s 5G Supplement to the Guideline on Security Measures under the EECC (July 2021) lists “data encryption, network visibility, automated monitoring and access control” as security fundamentals. ETSI announced it was aware of encryption’s cybersecurity limitations in a September 2021 press release stating, “The rise of the use of encryption places networks and users at risk, whilst offering promises of security.” This recital should inform electronic communications providers to take all relevant steps to secure their networks.

Conclusion

EU policymakers recognise that cybersecurity is essential to economic prosperity and growth, as well as to user confidence in online activities. The proposed NIS 2.0 Directive is a good step forward to ensure Europe is stepping up its cybersecurity capabilities. Palo Alto Networks welcomes the opportunity to engage with the co-legislators in 2022 to elaborate on the aforementioned points and other suggestions in detail, to ensure that NIS 2.0 can effectively contribute to improved cybersecurity throughout the EU.