The EU Network Information Security Directive (NIS)


The 2016 EU Network Information Security Directive (NIS)set baseline requirements for a high common level of network and information security across the European Union.  As leaders in the cybersecurity industry, we recognize the complexity and importance of securing critical infrastructure.  Hence Trellix welcomes the European Commission’s efforts to modernize EU law to bolster the cyber-resilience of critical infrastructure entities.

Why the NIS Directive is Important to Trellix

Trellix applauds much of the proposal’s content such as voluntary cyber threat sharing between both governments and companies, the adoption of coordinated vulnerability disclosure (CVD) policies and boosting the powers of national CSIRTs and their international cooperation.

Measures aimed to introduce comprehensive risk management principles based on international standards are also to be supported. Additionally, we welcome the effort to increase cyber resilience across member states, and the legal recognition that security research activities undertaken to enhance the security of cyberspace are permitted under GDPR.   All of these policy orientations will contribute to an increased level of cybersecurity in the EU.

Status

This proposal is now in the final stages of negotiation among the three EU co-legislators: the Commission, the Council of the EU and the European Parliament. We support ongoing efforts to finalize the law and recommend that the majority of the European Parliament’s amendments to the text are integrated into the final law.  We encourage European decision-makers to consider the following positions.

Key Messages

Vulnerability disclosure

We support efforts to improve vulnerability disclosure processes and recommend member states establish national CVD policies aligned with ISO standards such as (ISO/IEC 29147) and (ISO/IEC 30111).

To that end, ENISA should play a more central role in global coordinated vulnerability disclosure and management efforts. However, ENISA should not establish a new vulnerability registry. This will serve only to duplicate existing, well-functioning CVD processes. cybersecurity efforts.

We recommend ENISA establish a European vulnerability database that builds on the existing global CVE registry. A European database could provide details on risks, impacts, and fixes in EU languages and focus on ICT products developed or used in the EU. Alongside the database, ENISA should

(a) Become a “Root CVE Numbering Authority (CNA)” giving the EU control over the means for identifying and assigning CVE identifiers to EU vulnerabilities
(b) develop its presence in the global CVE registry by joking the global CVE program’s board of directors

Requirements and tasks of CSIRTs

We support improved Computer Security Incident Response Team (CSIRT) access to real-time threat intelligence. We recommend

  • CSIRTs to be explicitly resourced to acquire start of the art global threat intelligence offerings in article 10
  • That CSIRTs provide threat intelligence information-sharing between public and private entities based on interoperable solutions

In addition, the CSIRT network should prioritize the exchange of interoperable threat intelligence feeds (article 13) Improving interoperability will also improve CSIRTs ability to process and consume data and improve cooperation between public and private entities

Legal basis and data processing for cyber security purposes

We support the emerging agreement between EU member states and the European Parliament on the issues of cybersecurity permitted processing and GDPR. The interplay between security and privacy is a crucial regulatory element that needs to be supported. Requirements for cyber security companies and their researchers to obtain ‘consent’ from malicious actors would seriously impede incident response, information sharing and cyberthreat analysis.

We support Recital 69 that ensures the GDPR considers processing of personal data for ensuring network and information security a legitimate interest. The Parliament built upon the Commission’s intent by adding a new Article (Article 2, 6a) to help member states to reinforce this legal basis when transposing NIS 2.0 in national laws. We encourage the co-legislators to accept the Parliament’s approach.

Support for ICANN’s database of domain names registration data (WHOIS)

Detecting, neutralizing and preventing cyberthreats requires constant monitoring of many types of data. The ICANN WHOIS domain name registration data search function is particularly valuable in preventing future cyber incidents once a threat has been identified. It gives both law enforcement agencies and cybersecurity companies key data with which to track down website managers and stop illegal activity at the source.

Hence we support that NIS2 addresses the issue of privacy protections and access to the ICANN WHOIS databased. Recital 59 makes clear that “such processing shall comply with Union data protection law’ and gives access and data processing rights a firm legal foundation under NIS2.

To improve this section, we recommend:

  • Broaden the definition of top-level domain (TLD) registries
  • Add language to ensure that registrant databases are accurate, complete, and validated.
  • Ensure key fields such as name, address, organisation, e-mail, and phone number should be available to legitimate access seekers and that replies to data request are expedited
  • Allow Legitimate access seekers based outside the EU to access this data.
  • ensure that data accessed is not used for non-security purposes.

Incident notification and timelines

We are concerned with EU Member states’ desire to have a 24h notification window as an early warning of an incident. A notification without relevance or context provides no valuable or actionable information. On the contrary it potentially floods competent authorities or CSIRTs with such notification void of actionable content.

Experience from the implementation of GDPR shows that a 72h notification obligation is more practical and enables context to be shared with relevant CSIRTs. If, however, the 24 hours is a critical requirement we believe that the obligations should be refined such that:

  • any requirement to notify incidents that have not happened (e.g., threats, near misses, incidents that “could have potentially resulted in” harm or had “potential” affects) are removed

Trellix support the European Parliament’s approach that recommends for any period shorter than 72 hours, only incidents that impact the availability of services (the “A” in the confidentiality- integrity-availability (C-I-A) triad) should be reported.

Information sharing

As cybersecurity is a shared problem, information sharing is crucial. Threat information is the lifeblood of cyber defense. Trellix supports robust, real-time information sharing of threat data to help protect citizens and organizations from cyber-attacks.

Hence we support efforts in the proposal which encourage more voluntary cyber threat information sharing across the EU. Voluntary threat information sharing is essential to help all entities to understand threats and take steps to prevent successful cyberattacks.

Relevant stakeholders– such as cybersecurity companies and researchers/experts—should be encouraged to participate in voluntary cyberthreat information sharing. We recommend:

  • The list of information recommended to be shared should be expanded with a priority for actionable, context-rich information beyond indicators of compromise.
  • That language directing member states to set rules on procedures and operational elements of threat sharing arrangements be deleted. Trellix believes information sharing between government and the private sector should be voluntary and mutually beneficial.
  • To foster public-private information sharing, government should partner with industry to reduce legal and policy barriers that can impede information sharing and promote best practices.
  • Remove language mandating notification to competent authorities when organisations join or leave information-sharing arrangements as this will discourage participation

Next Steps


Working with the EMEA key verticals team, we are developing an EMEA level solutions brief and supporting materials (Webinar, country briefs) for the OES market. This builds upon areas of alignment between Trellix products and NIS2 framework.