Skip to main content

Draft Implementing Regulation for the Application of Directive (EU) 2022/2555

Page 1

POSITION | DIGITAL POLICY | CYBERSECURITY

Draft Implementing Regulation for the Application of Directive (EU) 2022/2555 Harmonisation of risk-management measures and the definition of significant incidents

25 July 2024 Executive Summary Considering the current implementation of the NIS-2 Directive, German industry appreciates the European Commission’s intention to harmonise risk-management measures and the definition of when an incident is deemed significant. Especially for companies operating across EU Member States, common measures and definitions are essential to reduce the implementation costs associated with the NIS 2. While German industry appreciates the possibility to contribute to the European Commission’s consultation, we strongly encourage the European Commission to improve stakeholder involvement already at earlier stages of the development of such regulations. German industry’s policy recommendations German industry would appreciate if the European Commission were to alter the following points before ratifying the implementing regulation:

Article 3 – significant incidents Each essential or important entity is different. Hence, defining incident thresholds using strictly quantitative metrics is likely to be overtly prescriptive and will not capture the situation within each entity. We therefore urge the European Commission to reevaluate the currently proposed thresholds. ▪

Article 3(1)(a) – financial burden: Article 3(1)(a) determines that incidents with regard to relevant entities that have caused or are capable of causing losses over EUR 100,000 or 5 per cent (which ever is lower) of the relevant entity’s annual turnover are to be considered as significant. An entity shall report these significant incidents without delay and at the latest within 24 hours. In most cases, companies will not be able to calculate the damage caused by an incident within the first 24 hours, as companies will do everything they can to minimise the economic implications of such an incident; and will strive to be operational as quick as possible. Henceforth, the information on financial losses caused by the incident may be more suited for the final report one month after the incident, but not as a triggering point to identify whether the incident is or is not significant. Moreover, while a financial damage of EUR 100,000 might have severe implications for a smaller medium-sized entity, it most likely will not have these repercussions for a large multi-national corporate. Therefore, German industry urges the

Bundesverband der Deutschen Industrie e.V. / Federation of German Industries EU Transparency Register: 1771817758-48 | German Lobbyregister: R000534 Steven Heckler | Digitalisation and Innovation | T: +49 30 2028-1523 | s.heckler@bdi.eu | www.bdi.eu


Turn static files into dynamic content formats.

Create a flipbook