Netnod AB
Netnod
The company shall operate national exchange points for Internet traffic.
ID: 132766341878-97
Lobbying Activity
Response to Impact assessment on retention of data by service providers for criminal proceedings
13 Jun 2025
See attached PDF for full feedback. Netnod welcomes the opportunity to provide feedback on May 21 from EU-commission on Call for Evidence on Metadata Retention for Criminal Proceedings. Netnod hereby gives the following commentary:
- The call for evidence is based on the notion that it is beneficial to harmonise the legal frameworks for number dependent services with number independent services. There is no reason to assume that services built and maintained in such different ways should be harmonised, as the travaux préparatoires for the relevant electronic communication codes mentioned.
- It is not possible to provide the clear text communication of end-to-end encrypted communications services to a third party without also introducing vulnerabilities and backdoors which can be used by competent fourth parties. Clear text adaptability requirements cannot be part of the legal framework.
Harmonising and binding the new by the old is not the way forward. As the commission has noted before, today's procedural framework needs to be better adapted to the internet age, not that legacy era solutions should be applied to the Internet age. For further motivation, see Netnod response to the Swedish data storage act, Netnod response to the Swedish data storage act and End-end-encryption: architecturally-necessary. Netnod leaves the rest of the call without comment.
Links:
- https://www.netnod.se/regular-page/netnod-response-swedish-data-storage-act
- https://www.netnod.se/regular-page/netnod-response-swedish-data-storage-act-2
- https://www.netnod.se/blog/end-end-encryption-architecturally-necessary
Response to Rules specifying the obligations laid down in Articles 21(5) and 23(11) of the NIS 2 Directive
25 Jul 2024
Netnod sees issues with the proposal:
- It defines incidents based on whether explicit metrics have been achieved or not. Netnod suggests that significant incidents are defined as incidents which lead to actual negative impact on services essential for society.
- In an ex-ante manner, it sets requirements on measures to be implemented. Netnod suggests that the act should define requirements on services in an ex-post manner, and leave the choice of measures entirely up to the covered entity.
- It relies on the ability of a covered entity to identify its role in a supply chain. Netnod suggests the act needs to explicitly take into account any kind of business relationships and not only contractual agreements, and in that context specifically recognize suppliers of wholesale services.
See attached file for details.
Response to How to master Europe’s digital infrastructure needs?
30 Jun 2024
Netnod welcomes the opportunity to provide feedback on the consultation launched on 24 February 2024 on the European Commission's White Paper "How to Master Europe's Digital Infrastructure Needs?" (hereinafter WP). Netnod has the following comments:
- The leitmotif of the WP concerns further convergence and vertical integration of networks in the EU. This is contrary to the Internet model and contrary to the findings of BEREC.
- The WP confuses access technologies, such as 5G, copper and optofibre, with backbone infrastructure, which is only optofibre. The commission needs to take account of the fact that 5G and copper are access technologies. They do not provide end-to-end connectivity, and only access to backbone networks.
- The WP does not in any meaningful detail discuss the Internet. The commission should consider that digital and electronic communication today is based on the Internet architecture using an Internet infrastructure.
Please see the attached paper for further motivations and elaborations.
Patrik Fältström
CSO
Netnod
Response to Cyber Resilience Act
23 Jan 2023
A summary of Netnod comments on the content of the suggested regulation can be found below. For the full response, see attached document.
1. There is no recognition that a product can consist of many components. Netnod is of the opinion that many products consist of products that might or might not exist on the wholesale market, and although one can build secure solutions with insecure components, the proposed regulation does not discuss what requirements there are on such components one builds more complex products with, for example open source libraries used in a car.
2. Requirements on the functionality of a product are not properly addressed. Netnod is of the opinion that having a description of the functionality is key to attaining cybersecurity (regardless of definition), and in this dimension the suggested regulation falls short.
3. Updatability of products is not properly addressed, for example the situations where the manufacturer of the product does not provide support anymore. Netnod is of the opinion that all devices with software components need an upgrade route, and those who do not provide upgrade routes must publish specifications for third parties so that all software components can be upgraded.
4. Default configurations are not properly addressed, by for example not defining what a secure default configuration implies. Netnod argues that a proper installation and setup process is key, no product should ever be accessible with default credentials or any other type of secret.
5. Adherence to previously agreed on norms and standards is not covered in relevant detail. Netnod argues that a key component of security is the possibility to replace devices, therefore all configuration should be exportable and all products should follow relevant networking standards.
Response to Revision of the NIS Directive
18 Mar 2021
Netnod have in the attached PDF comments on the proposed directive.
A summary:
Regarding CSIRTs Netnod believe it is not only the reporting to a CSIRT that is important, but also what a CSIRT produces with the help of that information. The directive because of this should include requirements for CSIRTs to produce good reports.
Regarding the domain name system (DNS) the definitions must be much more clear. For example, we do not see recital 14 match what is specified in Article 4(13)-(15) and Appendix I.
Regarding DNS service providers, we do not believe what is in recital 15 separates enough between the manager of zones, providers of authoritative servers and providers of recursive resolvers. Specifically, Netnod do not believe the directive should apply to all providers of DNS services along the DNS resolution chain.
Regarding cross border provisioning of services Netnod agree with the view that each organisation should only be under regulation in one member state.
Regarding the proposed requirement for providers of services outside of the EU that provide services in the EU to designate a representative within the EU, we do not see that being possible to implement for DNS.
Regarding small and medium companies, we find the definitions of who is covered are unclear and uncertain.
We find that providers referred to in point 8 of Annex I are covered by the directive regardless of size, which is something that we do not find acceptable as long as for example domain name system (DNS) service providers are not more well defined.
Netnod do in general support the initiative the Commission has initiated to refine its Cybersecurity Strategy for the Digital Decade and operationalize its contingency plan for dealing with extreme scenarios, including integrity and availability of the global DNS root system. Netnod wants to emphasize that as the Internet is a global network, it requires a single globally unique name space. This is rooted in the one and only root zone managed by processes defined by the multi stakeholder processes hosted and defined by the Internet Corporation for Assigned Names and Numbers (ICANN), where Internet Assigned Numbers Authority (IANA) is the source of the root zone data. This One Internet has been, and should continue to be, a core principle guiding all Member States' and the Commission’s actions and any plan should take care not to fracture the single, authoritative root in any way. This must specifically be taken into account when implementing Article 23 of the proposed NIS2 Directive. The root must remain “unbroken” and implemented in a way so that the Internet remains a global interoperable network. Otherwise it could create a precedent for other countries outside of the EU Member States that may seek to regulate DNS and the Internet in such a way that it is fragmented, and global communication ends up being impossible.