Lobbying on Rules specifying the obligations laid down in Articles 21(5) and 23(11) of the NIS 2 Directive

Rules specifying the obligations laid down in Articles 21(5) and 23(11) of the NIS 2 Directive

Digital economy and society

The NIS2 Directive strengthens cybersecurity risk-management measures and streamlines incident-reporting obligations for entities in its scope. Given the cross-border nature of certain entities from the digital infrastructure, ICT service management and digital providers sectors, NIS2 provides that they should be subject to a high degree of harmonisation at EU level, facilitated by an implementing act. This act will also specify the cases when an incident shall be considered to be significant.

Links

Public consultation

ID: 14241

Lobbying Activity

64 responses

Microsoft urges clearer incident reporting thresholds for NIS2

Microsoft Corporation, 25 Jul 2024

Microsoft requests clearer significance thresholds for incident reporting, particularly regarding when entities become aware of incidents and financial loss calculations. They advocate for removing the €100,000 aggregate threshold and using only percentage-based metrics. They also seek clarification on when service unavailability triggers reporting obligations.

This would reduce their compliance burden and allow them to focus resources on truly significant incidents.

Regulators and affected parties may receive delayed incident notifications during investigation periods.

Consultation response

Bundesverband der Deutschen Industrie e.V., 25 Jul 2024

Considering the current implementation of the NIS-2 Directive, German industry appreciates the European Commissions intention to harmonise risk-management measures and the definition of when an incident is deemed significant. Especially for companies operating across EU Member States, common…

Consultation response

Amazon Europe Core SARL, 25 Jul 2024

Amazon is grateful for the opportunity to respond to the draft European Commission Implementing Regulation laying down rules for the application of Directive (EU) 2022/2555 (NIS2) with regards to technical and methodological requirements of cybersecurity risk-management measures and further…

Consultation response

Telefonica, S.A., 24 Jul 2024

Telefónica welcomes the opportunity to comment on the draft implementing act under the NIS2 Directive on Cybersecurity Risk Management and Reporting for Digital Infrastructure and Service Providers. We highlight some aspects in the attached document, in particular the need for consistent and…

Consultation response

Orgalim – Europe's Technology Industries, 25 Jul 2024

Orgalim represents Europes technology industries, comprised of 770,000 innovative companies spanning the mechanical engineering, electrical engineering and electronics, ICT and metal technology branches. Together they represent the EUs largest manufacturing sector, generating annual turnover of…

Consultation response

IBM Corporation, 25 Jul 2024

We welcome the draft implementing regulation on cybersecurity risk management and reporting obligations for digital infrastructure and ICT service providers. The proposed draft ensures better alignment of NIS2 implementation across the EU and provides a streamlined framework for entities operating…

Consultation response

Wirtschaftskammer Österreich, 19 Jul 2024

Sehr geehrte Damen und Herren, die Wirtschaftskammer Österreich übermittelt im beiliegenden Dokument einige punktuelle Überlegungen zu den hier konsultierten Rechtsakten betreffend Cybersicherheits-Risikomanagement und Meldepflichten für digitale Infrastrukturen, Anbieter und IKT-Dienstleister und…

Consultation response

Connect Europe, 24 Jul 2024

ETNO and the GSMA welcome the opportunity to share their views on the draft implementing regulation regarding cybersecurity risk management and reporting obligations for various digital infrastructure and service providers. Our members, who represent the leading telecommunication network and…

Consultation response

Leonardo S.p.A., 25 Jul 2024

Please find the feedback in the document attached.

Consultation response

Association Française des Entreprises Privées / French Association of Large Companies, 25 Jul 2024

Madam, Sir, Please find attached the position paper of our association on the drafts submitted for public consultation by the Commission. We remain at your disposal for any clarification that you may need. Kind regards, Jocelyn Goubet

Consultation response

Ibec, 24 Jul 2024

Ibec, Ireland's largest lobby and business representative group, welcomes the opportunity to respond to the European Commissions draft Implementing Act further specifying the cyber risk management measures and incident reporting thresholds applicable to digital infrastructure, digital providers,…

Consultation response

Cisco Systems Inc., 25 Jul 2024

Cisco welcomes the Implementing Regulation ("IR") as a means of harmonising the cybersecurity risk management measures listed in Article 21(2) of the NIS2 Directive and the thresholds for incident reporting obligations under Article 23(3). Cisco supported the adoption of NIS2 as a way to strengthen…

Consultation response

Gesamtverband der Deutschen Versicherungswirtschaft e.V., 25 Jul 2024

Please find attached the German Insurance Association input to the European Commissions public consultation on the implementing act of the Directive (EU) 2022/2555.

Consultation response

Bitkom e.V., 25 Jul 2024

Please find attached Bikom's input to the European Commissions public consultation on the implementing act under Articles 21 and 23 of the Directive (EU) 2022/2555.

Uber urges EU to streamline cybersecurity incident reporting requirements

Uber, 24 Jul 2024

Uber requests that the EU harmonize cybersecurity incident reporting requirements across different regulations (GDPR, NIS2, DORA) and raise financial thresholds for what qualifies as a 'significant' incident. They want the same incident report to comply with all EU reporting requirements and propose raising the threshold from €100,000 to 5% of annual turnover.

This would dramatically reduce their compliance burden by allowing one report for multiple regulations.

Regulators lose visibility into smaller incidents that could still harm consumers or workers.

Consultation response

DOT Europe, 25 Jul 2024

DOT Europe welcomes the opportunity to comment on the Draft Implementing Regulation laying down requirements on cybersecurity risk management measures and specifications of cases when an incident is considered significant. Our comments will draw on the expertise of our members, which represent…

Consultation response

ITI - The Information Technology Industry Council, 25 Jul 2024

Please find attached the response to the consultation from ITI, the Information Technology Industry Council.

Consultation response

GSMA Europe, 24 Jul 2024

Please find attached the GSMA and ETNO feedback to the NIS 2 draft implementing act.

Consultation response

Intesa Sanpaolo, 24 Jul 2024

In case an European financial entity, such as a bank, should also issue a service as a qualified trust service provider (both roles covered by the same legal entity), should this financial entity also apply the NIS 2 (draft) implementing act, currently under consultation, to those services?…

Consultation response

CEOE - Confederación Española de Organizaciones Empresariales, 24 Jul 2024

Feedback in the file attached.

Consultation response

SAP, 24 Jul 2024

Dear Sir/Madam, Attached are the comments to the draft act on behalf of SAP. Yours faithfully, Marta Przywała, Senior Manager, EU Government Affairs, SAP

Consultation response

Business Software Alliance, 25 Jul 2024

Dear Sir / Madam, Please find attached BSA | The Software Alliance's input to the European Commissions public consultation on the laying down rules for the application of Directive (EU) 2022/2555 as regards technical and methodological requirements of cybersecurity risk-management measures and…

Consultation response

Schwarz Corporate Affairs International GmbH, 25 Jul 2024

Schwarz Group welcomes the opportunity to give feedback to the NIS-2 implementation regulation. In general terms, we ask for congruence with other existing regulations and standards. Specific remarks: 1. The asset management mentioned in Recitals 22-25 is currently implemented by only a few…

Consultation response

WIENER STADTWERKE GmbH, 25 Jul 2024

Die Wiener Stadtwerke Gruppe bedankt sich für die Gelegenheit zur Einreichung einer Stellungnahme, die Sie anbei finden können.

Consultation response

LA POSTE, 25 Jul 2024

Par ses missions et activités, La Poste Groupe se doit de garantir un niveau élevé de détection et de réaction aux incidents de cybersécurité. Les principes de gestion et de traitement des risques « cyber » constituent, dans ce cadre, un des enjeux de La Poste Groupe. Elle rassemble également une…

Consultation response

Confédération des Petites et Moyennes Entreprises, 24 Jul 2024

La Confédération des petites et moyennes entreprises (CPME) travaille activement - à l'échelle française aux côtés de l'ANSSI - à la transposition de la directive NIS 2, alors que les TPE-PME sont de plus en plus ciblées par la menace des cyberattaques. A ce titre, la Confédération salue la…

Consultation response

Palo Alto Networks Inc., 25 Jul 2024

Palo Alto Networks supports the overall goal of the proposed regulation, aiming to provide clearer criteria for identifying significant incidents under NIS 2 and offering guidance on technical and methodological requirements for cybersecurity risk-management measures. We appreciate the opportunity…

Consultation response

Svaz průmyslu a dopravy ČR, 25 Jul 2024

Enclosed

Consultation response

European Cyber Security Organisation, 25 Jul 2024

The European Cybersecurity Organisation (ECSO) composed of 300+ Members welcomes the publication of the NIS2 Implementing Act and offers feedback based on the input of interested ECSO Member organisations. Targeted feedback can be found in the two attached documents, while here we provide a…

Consultation response

Decathlon SE, 25 Jul 2024

DECATHLON welcomes the opportunity to comment on the Draft Implementing Regulation laying down requirements on cybersecurity risk management measures and specifications of cases when an incident is considered significant following the NIS 2 Directive. As a global and European sports company…

Consultation response

Seznam.cz, a.s., 25 Jul 2024

Seznam.cz welcomes the opportunity to participate in the public consultation. Seznam.cz is leading tech company and publisher in the Czech Republic. The definition of significant incidents stipulated in Article 8 (related to data center service providers), Article 11 ( related to providers of…

Consultation response

Cloudflare, 24 Jul 2024

Cloudflare welcomes the opportunity to contribute and respond to the public consultation on the NIS2 Implementing Regulation on Cybersecurity risk management & reporting obligations for digital infrastructure, providers and ICT service managers. Please find our detailed contribution attached.

Consultation response

Bundesdruckerei GmbH, 19 Jul 2024

Generally, the implementing regulation could have been limited to a reference to the implementation of current common standards, such as ISO 27001, ISO 27002 and ETSI EN 319 401, which are constantly adapted to the state of the art. /// Apart from this general consideration, we would like to…

Consultation response

United Internet AG, 25 Jul 2024

United Internet welcomes the efforts of the European Commission to assist companies affected by the NIS-2 Directive in choosing appropriate security measures and identifying significant incidents. However, we believe that changes to the Commission's draft are necessary in order to ensure a…

Consultation response

European Data Centre Association, 25 Jul 2024

The European Data Centres Association (EUDCA) has been representing the interest of data centre operators in Europe since 2011. The EUDCA is the voice of the data centre industry, with a diverse membership which includes European and international operators, vendors, and a network of national trade…

Consultation response

Hospodářská komora České republiky, 25 Jul 2024

We send our comments in the attachment.

Consultation response

International Information System Security Certification Consortium, Inc., 22 Jul 2024

Please find feedback in attached file

Consultation response

Association Européenne des Concessionnaires d'Autoroutes et d'Ouvrages à Péage, 24 Jul 2024

ASECAP, the European Association of Operators of Toll Road Infrastructures, would like to take the opportunity to highlight the following points: - In the Road Transport sector, cybersecurity is of particular importance as the sector is named as Critical Infrastructure by the EU directive…

Consultation response

European Association of E-Pharmacies, 24 Jul 2024

The European Association of E-Pharmacies (EAEP), which represents the online pharmacy sector in Europe and its patients, welcomes the opportunity to provide its feedback on the Draft Implementing Regulation as regards technical and methodological requirements of cybersecurity risk-management…

Consultation response

The Internet Corporation for Assigned Names and Numbers, 25 Jul 2024

ICANN is submitting contributions to the European Commissions consultation on the Draft Implementing Regulation laying down the rules for the application of Directive 2022/20551 (NIS2 Directive) regarding technical and methodological requirements for cybersecurity risk management measures and…

Consultation response

DigitalES - Asociación Española para la Digitalización, 25 Jul 2024

Please find attached feedback from DigitalES - Spanish association for digitalisation.

Consultation response

Numeum, 24 Jul 2024

Numeum is the leading trade association for the tech sector in France, representing 2500 companies, ranging from startups to major players in the digital field. Numeum and its members welcome the opportunity to provide feedback on the NIS2 Implementation Act for ICT providers. Please find attached…

Consultation response

CENTR - Council of European Top Level Domain Registries, 24 Jul 2024

CENTR is the association of European country code top-level domain registries (hereinafter ccTLDs). All EU Member State and EEA country ccTLDs (such as .hu, .eu and .no) are members of CENTR. The ccTLD registries are responsible for operating and maintaining the technical Domain Name System (DNS)…

Consultation response

DATEV eG, 8 Jul 2024

DATEV welcomes the opportunity to provide feedback on the Commissions draft implementing act specifying the technical and methodological requirements of cybersecurity risk management measures and specifying when an incident shall be considered significant under the NIS2 directive. Significant…

Consultation response

Free Software Foundation Europe e.V., 13 Jul 2024

Feedback by NLnet Labs, OpenSSF and FSFE.

Consultation response

eco - Verband der Internetwirtschaft, 25 Jul 2024

About eco: With more than 1,100 member companies, eco is the largest Internet industry association in Europe. Since 1995, eco has been instrumental in shaping the Internet, fostering new technologies, forming framework conditions, and representing the interests of members in politics and…

Consultation response

European Committee for Interoperable Systems, 24 Jul 2024

Please see attached ECIS response to the public consultation on the implementing act under Articles 21 and 23 of the NIS2 Directive.

Consultation response

Equinix (EMEA) Holdings B.V., 25 Jul 2024

Please find Equinix's feedback attached.

Consultation response

Kaspersky Labs Limited, 24 Jul 2024

Kaspersky welcomes the Commissions Implementing Regulation proposal, which establishes rules for applying Directive (EU) 2022/2555, in particular on technical and methodological requirements of cybersecurity risk-management measures and further specifies cases in which incidents are deemed…

Consultation response

Eclipse Foundation AISBL, 25 Jul 2024

With a desire to contribute to more representation of the European open source ecosystem in European policy making, we are grateful for the opportunity to provide feedback on this implementing regulation related to the NIS2 Directive obligations concerning Cybersecurity risk management & reporting…

Consultation response

Gewerkschaft der Polizei, 25 Jul 2024

I. - Vorbemerkung Mit über 205.000 Mitgliedern ist die GdP die größte Polizeigewerkschaft in Deutschland und wir bedanken uns für die Möglichkeit zur durch die Europäische Kommission geplante Durchführungsverordnung Ares(2024)4640447 Stellung nehmen zu dürfen. II. - Stellungnahme Aus Sicht der…

Consultation response

European Signature Dialog - Associated European Trust Centers, 23 Jul 2024

We are pleased to share our Comments of the European Signature Dialog (ESD) on the Draft of NIS2 Implementing Regulation. ESD stands as the pinnacle consortium of leading European Qualified Trust Service Providers (QTSPs), facilitating secure digital interactions across Europe every day. ESD…

Consultation response

TomTom International bv, 18 Jul 2024

TomTom welcomes the opportunity to provide feedback on the Commissions draft implementing act specifying the technical and methodological requirements of cybersecurity risk management measures and specifying when an incident is considered significant under the NIS2 directive. Please see our…

Consultation response

Assotelecomunicazioni, 25 Jul 2024

Please find Asstel comments in the attached file.

Consultation response

Associazione Italiana per l’Information and Communication Technology, 25 Jul 2024

Please find attached Anitec-Assinform's comments to the draft implementing act regarding cybersecurity risk management & reporting obligations for digital infrastructure, providers and ICT service managers under the NIS 2 directive. The association welcomes the opportunity to contribute to this…

Consultation response

Confindustria Servizi Innovativi e Tecnologici, 19 Jul 2024

Some comments follow on document "Commission Implementing Regulation laying down rules for the application of Directive (EU) 2022/2555 as regards technical and methodological requirements of cybersecurity risk-management measures and further specification of the cases in which an incident is…

Consultation response

Alliance for AI, IoT and Edge Continuum Innovation IVZW, 25 Jul 2024

The Network and Information Security Directive (NIS2 Directive) strengthens cybersecurity risk-management measures and streamlines incident-reporting obligations for a large number of operators across the EU. From the point of view of the Internet of Things and Edge computing that are among the key…

Consultation response

Eesti Infotehnoloogia ja Telekommunikatsiooni Liit, 24 Jul 2024

Eesti Infotehnoloogia ja Telekommunikatsiooni Liidu (ITL) põhisõnumid Euroopa Komisjonile ettepaneku kohta võtta vastu direktivi (EU) 2022/2555 (NIS2) rakendusmäärus on järgmised: 1) Kuna juba täna kehtivad rakendusmääruse skoobis olevatele ettevõtetele mitmed sektoriaalsed ja siseriiklikud…

Consultation response

Movimento Difesa del Cittadino, 9 Jul 2024

The Citizen Defense Movement (MDC) supports the European Commission's initiative to establish technical and methodological requirements to ensure the security of networks and information systems. The attached opinion emphasizes the importance of involving Consumer Associations in identifying best…

Consultation response

DENIC eG, 25 Jul 2024

DENIC eG would like to provide feedback in the attached document.

Consultation response

Eircom Ltd t/a eir, 25 Jul 2024

eir appreciates the need to take appropriate measures to address the risk of threats to cybersecurity. We understand the proposed draft Implementing Regulation is intended to further specify the cases in which an incident shall be considered to be significant as referred to in Article 23(3) and to…

Consultation response

Réseaux IP Européens (RIPE) Network Coordination Centre (NCC), 25 Jul 2024

Please find the comments from the RIPE NCC in the document attached.

Consultation response

Netnod AB, 25 Jul 2024

Netnod sees issues with the proposal: - It defines incidents based on whether explicit metrics have been achieved or not Netnod suggests that significant incidents are defined as incidents which lead to actual negative impact on for the society essential services - In an ex-ante manner, it sets…

Consultation response

The Fast Identity Online (FIDO) Alliance, 24 Jul 2024

The Fast Identity Online (FIDO) Alliance appreciates the opportunity to provide comments to the European Commission on the draft implementing act under the NIS2 Directive. Our comments are attached. We greatly appreciate the Commissions consideration of our comments, and look forward to further…