03 December, 2021
EU Cyber Directive Moves Ahead, But Falls Short of Securing the ICT Supply Chain
Brussels, 3 December 2021 – ETNO, the Association representing Europe’s leading telecom operators, acknowledges progress made by EU governments with the proposed measures for a high common level of cybersecurity of networks and information systems (‘NIS 2’ Directive). The General Approach endorsed at the Telecommunications Council today opens the door to inter-institutional discussions with the European Parliament, in view of adopting rules that bolster resilience of critical socioeconomic sectors in the internal market.
ETNO has viewed the NIS 2 Directive as an opportunity to achieve a coherent framework for network and service security in the telecommunications sector that streamlines the existing landscape of European and national rules, which in some instances have led to legal uncertainty and fragmentation due to differing security standards across EU markets. To this end, it would be imperative that co-legislators ensured clear and proportionate risk management and incident reporting obligations, as well as a sensible oversight and enforcement system that builds on the telecom sector’s long-standing experience in protecting the integrity of crucial infrastructures. However, some shortcomings of the proposed directive remain unresolved.
We particularly regret that the positions on the table fall short of adequately filling the gaps in the security of critical ICT supply chains. Supply chains are becoming more complex and global, with a multitude of actors involved. Telecommunications networks are becoming more sophisticated given the shift to 5G and to a virtualised, software-defined and cloud-based infrastructure. Telcos, as much as all organisations in every sector, are increasingly dependent on ICT services, especially software, which means that the role of the providers of these services in determining the resilience of digital infrastructure has become essential. This needs to translate into a more effective allocation of responsibility for risk management of the networks and IT systems of key sectors, since ICT providers are best placed to analyse and mitigate the security risks in their own products and services.
Member States’ decision to expand the scope of NIS 2 obligations to business-to-business ICT service management – including managed service providers and managed security service providers – marks a positive step by introducing direct risk management and reporting obligations upon these key service providers. Yet, this new category leaves out providers of software and firmware that support the critical functions performed by regulated entities and that frequently become an integral part of the networks and services delivered to European citizens and businesses.
As co-legislators prepare to embark on negotiations to finalise the Directive, ETNO calls upon them to properly reflect the importance of supply chain security by taking a broader look at ICT service providers and by providing for a comprehensive and future-proof cybersecurity framework for all crucial ICT suppliers, to the great benefit of the overall resilience of the vital sectors in Europe’s economy and society.