Bitkom’s response to the public consultation for the implementing act under Articles 21 and 23 of the NIS2 Directive
The Cybersecurity Committee of the European Commission has issued a draft implementing act on the NIS2 Directive (EU) 2022/2555. Its purpose is to align, at the EU level, the risk management requirements for some operators from the digital sectors with cross-border activities, and it specifies in which cases an incident must be considered significant. Bitkom welcomes the Commission’s initiative to seek a clear and harmonized understanding of the NIS2 Directive. It is in the industry’s interest to have a level playing field under a European framework across all member states.
The position paper examines the individual articles of the implementing act, explores their effects on businesses and proposes improvements where needed. We specifically suggest maintaining a clear focus on actual impacts, as some of the regulation’s criteria for determining significant incidents are subjective and lack clear, measurable standards. The Commission should use qualitative criteria accompanied by non-legislative guidance, allowing entities to assess incidents accurately. The Annex lacks explicit references and imposes significant burdens on companies; alignment with existing standards is therefore necessary for high security levels and harmonization.