The 2016 EU Network Information Security Directive (NIS) set baseline requirements for a high common level of network and information security across the European Union. As leaders in the cybersecurity industry, we recognize the complexity and importance of securing critical infrastructure. Hence Trellix welcomes the European Commission’s efforts to modernize EU law to bolster the cyber-resilience of critical infrastructure entities.
Trellix applauds much of the proposal’s content such as voluntary cyber threat sharing between both governments and companies, the adoption of coordinated vulnerability disclosure (CVD) policies and boosting the powers of national CSIRTs and their international cooperation.
Measures aimed at introducing comprehensive risk management principles based on international standards are also to be supported. Additionally, we welcome the effort to increase cyber resilience across member states, and the legal recognition that security research activities undertaken to enhance the security of cyberspace are permitted under GDPR. All of these policy orientations will contribute to an increased level of cybersecurity in the EU.
This proposal is now in the final stages of negotiation among the three EU co-legislators: the Commission, the Council of the EU and the European Parliament. We support ongoing efforts to finalize the law and recommend that the majority of the European Parliament’s amendments to the text are integrated into the final law. We encourage European decision-makers to consider the following positions.
We support efforts to improve vulnerability disclosure processes and recommend that member states establish national CVD policies aligned with ISO standards such as ISO/IEC 29147 and ISO/IEC 30111.
To that end, ENISA should play a more central role in global coordinated vulnerability disclosure and management efforts. However, ENISA should not establish a new vulnerability registry. This would serve only to duplicate existing, well-functioning CVD processes and cybersecurity efforts.
We recommend ENISA establish a European vulnerability database that builds on the existing global CVE registry. A European database could provide details on risks, impacts, and fixes in EU languages and focus on ICT products developed or used in the EU. Alongside the database, ENISA should:
(a) become a “Root CVE Numbering Authority (CNA)”, giving the EU control over the means for identifying and assigning CVE identifiers to EU vulnerabilities;
(b) develop its presence in the global CVE registry by joining the global CVE program’s board of directors.
We support improved Computer Security Incident Response Team (CSIRT) access to real-time threat intelligence. We recommend
In addition, the CSIRT network should prioritize the exchange of interoperable threat intelligence feeds (Article 13). Improving interoperability will also improve CSIRTs’ ability to process and consume data and improve cooperation between public and private entities.
We support the emerging agreement between EU member states and the European Parliament on the issues of processing permitted for cybersecurity purposes and GDPR. The interplay between security and privacy is a crucial regulatory element that needs to be supported. Requirements for cybersecurity companies and their researchers to obtain ‘consent’ from malicious actors would seriously impede incident response, information sharing and cyberthreat analysis.
We support Recital 69 that ensures the GDPR considers processing of personal data for ensuring network and information security a legitimate interest. The Parliament built upon the Commission’s intent by adding a new Article (Article 2, 6a) to help member states to reinforce this legal basis when transposing NIS 2.0 in national laws. We encourage the co-legislators to accept the Parliament’s approach.
Detecting, neutralizing and preventing cyberthreats requires constant monitoring of many types of data. The ICANN WHOIS domain name registration data search function is particularly valuable in preventing future cyber incidents once a threat has been identified. It gives both law enforcement agencies and cybersecurity companies key data with which to track down website managers and stop illegal activity at the source.
Hence we support that NIS2 addresses the issue of privacy protections and access to the ICANN WHOIS databases. Recital 59 makes clear that “such processing shall comply with Union data protection law” and gives access and data processing rights a firm legal foundation under NIS2.
To improve this section, we recommend:
We are concerned with EU member states’ desire to have a 24-hour notification window as an early warning of an incident. A notification without relevance or context provides no valuable or actionable information. On the contrary, it potentially floods competent authorities or CSIRTs with notifications void of actionable content.
Experience from the implementation of GDPR shows that a 72-hour notification obligation is more practical and enables context to be shared with relevant CSIRTs. If, however, the 24-hour window is a critical requirement, we believe that the obligations should be refined such that:
Trellix supports the European Parliament’s approach, which recommends that for any period shorter than 72 hours, only incidents that impact the availability of services (the “A” in the confidentiality-integrity-availability (C-I-A) triad) should be reported.
As cybersecurity is a shared problem, information sharing is crucial. Threat information is the lifeblood of cyber defense. Trellix supports robust, real-time information sharing of threat data to help protect citizens and organizations from cyber-attacks.
Hence we support efforts in the proposal which encourage more voluntary cyber threat information sharing across the EU. Voluntary threat information sharing is essential to help all entities to understand threats and take steps to prevent successful cyberattacks.
Relevant stakeholders, such as cybersecurity companies and researchers/experts, should be encouraged to participate in voluntary cyberthreat information sharing. We recommend:
Working with the EMEA key verticals team, we are developing an EMEA-level solutions brief and supporting materials (webinar, country briefs) for the OES market. This builds upon areas of alignment between Trellix products and the NIS2 framework.