New European proposals – NIS2 and cybersecurity agenda – FS 03 2021
You are invited to become a member of the session Org Team! By joining an Org Team, you agree to your name and affiliation being published on the respective wiki page of the session for transparency. Please subscribe to the mailing list to join the Org Team and answer the email that will be sent to you requesting your subscription confirmation.
This session will provide insights from some of the key players in the co-legislative process and offer an opportunity to contribute to shaping the message from EuroDIG on the topics of NIS2 and the EU Cybersecurity Strategy. Expect 135 minutes of intense collaboration and informative discussions.
In December 2020, the European Commission adopted a proposal for a revised Directive on Security of Network and Information Systems (NIS 2 Directive) and presented a new EU Cybersecurity Strategy. Both documents sparked discussions in the technical community in the EU and globally with regards to their possible impact on the governance of technical internet infrastructure. The session will discuss the NIS2 Directive and the EU Cybersecurity strategy from the technical community perspective, assessing the broader implications of the proposed regulation in Europe and beyond. This session will start with some of the key actors sharing their views, followed by focussed discussions in small groups and concluded by a plenary session where we aim to get consensus messages on these focussed topics.
This session consists of three parts:
Part I: Plenary: Laying out the landscape: (45 mins)
- Introduction of the NIS2 proposal and the Cybersecurity Strategy by the Commission (Benjamin Bögel, DG CONNECT)
- Reflections on NIS2 proposal by the EP rapporteur (Bart Groothuis, MEP)
- Cybersecurity Strategy (Robert Schischka, Austrian CERT)
- Speakers get 6 minutes each.
- 20 mins Q&A with the room.
Part II: Break-out rooms: Focused discussion (45 mins)
- The group will be able to choose which one of the 4 topics they would like to discuss in a breakout session:
- NIS2: Scope and impact (Root, private DNS, …)
- NIS2: Data Accuracy obligations (EDPS advice, data driven discussions on link between data accuracy and security)
- NIS2: Encryption and minimum Cybersecurity risk management measures (Art 18)
- Cybersecurity strategy and Multistakeholder Governance
Part III: Plenary: Download from break-out rooms and messaging (45 mins)
- Download from each break-out room (5 mins each)
- Come to a consensus based message from the attendants of this session. (25 mins)
- NIS2 proposal: https://digital-strategy.ec.europa.eu/en/library/proposal-directive-measures-high-common-level-cybersecurity-across-union
- ITRE report: https://www.europarl.europa.eu/doceo/document/ITRE-PR-692602_EN.pdf
- Cybersecurity Strategy: https://digital-strategy.ec.europa.eu/en/library/eus-cybersecurity-strategy-digital-decade-0
- EDPS: https://edps.europa.eu/data-protection/our-work/publications/opinions/edps-opinion-cybersecurity-strategy-and-nis-20_en
Until 20 May 2021.
Please provide name and institution for all people you list here.
Focal Points take over the responsibility and lead of the session organisation. They work in close cooperation with the respective Subject Matter Expert (SME) and the EuroDIG Secretariat and are kindly requested to follow EuroDIG’s session principles.
- Peter Van Roste, CENTR
Organising Team (Org Team)
Subject Matter Expert (SME)
- Tatiana Tropina
The Org Team is a group of people shaping the session. Org Teams are open and every interested individual can become a member by subscribing to the mailing list.
- Peter Van Roste, CENTR
- André Melancia
- Desara Dushi, Vrije University Brussels
- Wout de Natris, De Natris Consult/DC-ISSS
- Gergana Petrova, RIPE NCC
- Marco Hogewoning, RIPE NCC
- Andrea Beccalli
- Fotjon Kosta, Coordinator of Albania IGF
- Bart Groothuis
- Benjamin Bögel
- Robert Schischka
Moderators: Overall moderator
- Peter Van Roste
Break-out session leads:
- NIS2: Scope and Impact [Marco Hogewoning]
- NIS2: Data Accuracy [Polina Malaja]
- NIS2: Encryption [Tatiana Tropina]
- Cybersecurity Strategy and Multistakeholderism [Andrea Beccalli]
Trained remote moderators will be assigned on the spot by the EuroDIG secretariat to each session.
Reporters will be assigned by the EuroDIG secretariat in cooperation with the Geneva Internet Platform. The Reporter takes notes during the session and formulates 3 (max. 5) bullet points at the end of each session that:
- are summarised on a slide and presented to the audience at the end of each session
- relate to the particular session and to European Internet governance policy
- are forward looking and propose goals and activities that can be initiated after EuroDIG (recommendations)
- are in (rough) consensus with the audience
Current discussion, conference calls, schedules and minutes
See the discussion tab on the upper left side of this page. Please use this page to publish:
- dates for virtual meetings or coordination calls
- short summary of calls or email exchange
Please be as open and transparent as possible in order to allow others to get involved and contact you. Use the wiki not only as the place to publish results but also to summarize the discussion process.
- FYI: companies outside EU have to choose a representative in EU (DNS, cloud, data centre, search engine)
- Might be worth to further look into or discuss horizontal vs vertical approaches when defining scope and seeking alignment between NIS2 and other instruments (e.g. EECC)
- Multistakeholder bodies rely on multilateral bodies for their support, rather than trying to immediately seek multilateral solutions
- Need to educate companies on what is applicable to them, help them and guide them into compliance
- Concerning registration data, GDPR defines the principles that data controllers should follow. NIS2 is compliant with these principles.
- There are existing policies within European ccTLDs to ensure registration data accuracy, dependent on national laws and availability of eID solutions.
- More clarity is needed on accountability and the roles of different entities under the scope of NIS2.
Provided by: Caption First, Inc., P.O. Box 3066, Monument, CO 80132, Phone: +001-719-482-9835, www.captionfirst.com
This text, document, or file is based on live transcription. Communication Access Realtime Translation (CART), captioning, and/or live transcription are provided in order to facilitate communication accessibility and may not be a totally verbatim record of the proceedings. This text, document, or file is not to be distributed or used in any way that may violate copyright law.
>> NADIA TJAHJA: Welcome. We’re excited to start the final day with focus session 3, moderated by Peter Van Roste. However, before we start...
>> REMOTE MODERATOR: We believe in open dialogue, and that’s why we have the session rules. You can see those on the screen now, but just going to read out the main principles.
Firstly, if the display name on Zoom is not the full name yet, we ask that you change it now so that we can see who is on the call.
Secondly, you will have a chance to ask questions later on during this session. When the time comes, you can ask for the floor by raising your hand from Zoom so we can unmute you.
The chat is available for you to use, it will not be live streamed. You can use it to communicate with other participants on the call. The video itself is available live streamed on YouTube.
With that I’m going to hand the floor to the moderator, and we’ll be in the background here to make sure that the discussion is inclusive and good spirited. I wish you all a great session.
>> PETER VAN ROSTE: Thank you.
I’m not sure if everybody can hear me. I don’t get a visual. I see – thumbs up. Okay.
Hello, everyone. Welcome to focus session 3 on security. I’m Peter Van Roste. Today I’m taking on the role of moderator for a debate that is timely in the perspective of the overall E.U. regulatory efforts. It is also a perfect fit for the EuroDIG exchange, where we hope to hear from many of the stakeholders who are interested in this particular topic.
One thing that I wanted to ask the audience: some of you may have seen the magician yesterday evening. There was an even more spectacular vanishing act taking place yesterday during a focus session: when the breakout rooms opened up, 75% of the participants vanished. Please stick around when we do the breakout sessions. The whole purpose of the session is to have you speak. Make use of that opportunity and have your voice heard, especially when it comes to agreeing on the statements coming out of the session. This is really important.
We’re extremely happy to have been able to secure three excellent speakers for this session. I’ll briefly introduce you and then I’ll give them the floor for their opening remarks.
I’m going to introduce you in the order that you will be listening to them.
First, Benjamin Bögel, from the European Commission. Benjamin is a College of Europe alumnus who worked as an advisor in the European Parliament for eight years and for three years as a policy officer in cybersecurity at DG CONNECT. He is one of the few I have heard speak with clarity and specificity on the topic, and he is known for answering questions rather than evading them. Benjamin, thank you for accepting this offer; we look forward to hearing from you.
The second speaker, Mr. Bart Groothuis, is an economist from the Netherlands and was Director of the Cybersecurity Bureau of the Dutch Ministry of Defense for eight years. Bart Groothuis joined the European Parliament at the beginning of 2020 and is recognized across party lines as one of the very few things that have resulted from Brexit. He runs one of the most informative Twitter accounts in the cybersecurity area, so if you don’t already, I strongly recommend that you follow him to keep abreast of recent developments.
Our third speaker, Robert Schischka. Robert studied business administration at the University of Vienna and since 2008 has been the head of the Austrian National Computer Emergency Response Team, CERT.at. He is closely involved in E.U.-wide CERT coordination and collaboration together with colleagues, and has opinions that don’t come with any fig leaves. We’re looking forward to hearing your views on the proposal, Robert.
The three speakers have two things in common: they have a passion for security, and they have a proven track record of listening to stakeholders. We’re very happy that they could join us.
With that, Benjamin, the floor is yours.
>> BENJAMIN BÖGEL: Thank you very much, Peter.
I’m Benjamin, working with DG CONNECT in the cybersecurity policy unit. Let me just briefly share my screen with you.
I just noticed that my intervention is supposed to be only 6 to 8 minutes. The slide deck that I have put together is way too thick. Apologies, I will skip ahead on some slides that are maybe less relevant. I assume you will be sharing the slides with the audience afterwards and then you can maybe read up on the details.
>> PETER VAN ROSTE: If you make it 8 or 10, that’s okay too.
>> BENJAMIN BÖGEL: Okay. Thank you.
I will talk about the revision of the NIS Directive. I assume that most people in the audience know what the directive is. Just for those that don’t know it, I will give a very brief introduction. The legislative proposal for the first directive came in 2013, which in cybersecurity is a millennium ago I would say; things are evolving so quickly, and that’s also I suppose one of the main reasons why we’re proposing the revision of the directive. The first directive, in a nutshell, requires Member States to require so-called operators of essential services – these are companies important for society – to put in place cybersecurity measures and to report incidents. What’s particular about this piece of legislation, for a single market legislation, is that although we do define the sectors that are under the scope of this directive, it is up to the Member States to actually select the companies that will put in place the measures. That’s something that you should keep in mind, because it is particular.
I think the rest is not so relevant for you. The transposition deadline was in 2018, so it has only been three years that Member States have actually been implementing the rules, and we have gathered a lot of information since then: we visited all Member States, we held a public consultation, and we wrote a report on particular elements of the directive. In December last year, we proposed a revision of the directive together with an impact assessment and evaluation.
What were the main challenges with the existing NIS Directive? Well, the main problem, looking back, is that we simply didn’t cover all the sectors that are now considered critical and that should be in the scope. This is the main thing we want to fix with the revision.
Another issue is that we have noticed quite a lot of inconsistencies in how Member States have implemented the directive. The first, major inconsistency is that, as I mentioned earlier, Member States are allowed to select by themselves which companies they bring into the scope. This has led to quite a lot of divergences in which companies are in the scope, and many companies that are similar or comparable in size or importance are maybe identified in one country but not identified in another country. This, of course, causes problems in the market.
We have also seen this divergence when it comes to the cybersecurity requirements that companies are supposed to implement, and also the incident notification requirements, and finally also the supervision that Member States undertake: it is often ineffective and the enforcement is limited. For example, we have noticed that there have been, to our knowledge, so far no fines ever handed to companies. Of course the directive is not about dishing out fines, but if no one is fined, this is a sign that the enforcement is not working as well.
The final point: the directive tries to enhance cooperation. But our observation is that this cooperation between Member States is not as systematic and structured as it could be.
Here, this is just one graph highlighting the discrepancies we have noticed when it comes to the scope of the current directive. You can see here five big Member States and you can see the companies that have been identified by each of those Member States per 100,000 inhabitants; you compare it per capita and you see, for example, that Italy has many more companies in the scope of its national implementation than France. I would say it is fivefold.
We’re not here to tell you that either of these two approaches is right or wrong. It just highlights that the approaches are extremely different and that this is, of course, an issue for the internal market and we need to fix it.
Yeah. This we covered.
These are the three pillars of the current proposal. These are also the three pillars of the existing NIS Directive. First, we have the Member State capabilities, and it requires Member States to create certain national authorities there. There is the competent authority that is overall in charge of implementing the directive in national law, then there is the CSIRT, the incident response team at national level dealing with incidents, and finally there is the single point of contact, which also exists in many other legislations and facilitates the information exchange between Member States.
Member States will also be required to put in place so-called national strategies, and this is to ensure that Member States actually have certain minimum policies on cybersecurity in place. As a new element we are now proposing coordinated vulnerability disclosure frameworks, so we’ll require Member States to facilitate the disclosure of vulnerabilities that researchers identify and to support researchers and companies engaging with one another on the vulnerabilities.
Finally, we’re requiring Member States to put in place so-called crisis management frameworks.
The second pillar is the risk management pillar. This is the most important pillar for the audience here. This is the pillar that I will focus on during the rest of the presentation.
In this pillar we are requiring companies, as already mentioned, to put in place certain cybersecurity measures and to notify significant incidents – not all incidents, just the ones that are considered significant – and we’re also introducing now for the first time accountability rules for the top management in the event of non-compliance.
Finally, in the third pillar, the cooperation and information exchange pillar, we’re maintaining the Cooperation Group, which was introduced by the first directive and which has proven to be extremely useful and effective. This is a forum that gathers the competent cybersecurity authorities of the Member States at E.U. level. We have the CSIRTs Network, which gathers those CSIRTs, the incident response teams, at European level. We’re creating a new forum, which is called CyCLONe, to help manage large-scale crises or incidents.
As a fourth element, under the Member State capabilities pillar, we’ll introduce coordinated vulnerability disclosure frameworks at national level, but also at European level we’ll be introducing a European vulnerability registry. We are also proposing to have peer reviews between the Member States, where Member States would visit one another, maybe virtually in the future, and evaluate each other’s cybersecurity policies.
Finally we are proposing to have a biannual ENISA cybersecurity report with an index evaluating the performance of Member States and providing policy recommendations.
As I said, I will focus on the risk management. In the future, there will be two regulatory regimes applied to the companies under the scope of the directive. There will be, first of all, the essential entities, so these are the entities that we consider the most critical; then there will be important entities, which are mostly new entities covered by the directive that we consider to be important, but not as essential as the essential entities.
In terms of scope, which I will show to you later, there will be a slide showing which sectors will be under the scope. In terms of scope, as I mentioned, the essential entities will mostly replicate those sectors that are already under the scope and also some new ones; the important entities will mostly be in the new sectors that we’re now adding to the scope.
The cybersecurity requirements will continue to be risk-based, just like under the first directive, and risk-based means that it will be largely up to the regulated entities to decide by themselves which measures are necessary and appropriate for the risk that these companies are facing.
There will also be reporting obligations, so companies will be required to report significant incidents and also – this is a new addition – they’re required to report significant cyber threats. How will we supervise the two types of companies? The essential entities will face two types of supervision. Ex ante supervision: competent authorities, without any reason, for example on an annual basis, whatever they deem fit, can evaluate the measures taken by essential entities. They can also do ex post supervision, doing another evaluation with a closer look at the companies once an event, once an incident has occurred, or once they have been informed one way or the other that companies are not fulfilling the rules the way they should.
In the case of important entities, we propose to only apply ex post supervision, and we’re doing this to lighten the regulatory burden for the competent authorities but also for the entities themselves.
In terms of sanctions, we’re proposing a minimum list of administrative sanctions including fines, and it also includes minimum fines; and, just for the essential entities, there is a possibility to suspend authorisation or enforce a temporary ban on managerial duties in the company.
>> PETER VAN ROSTE: Benjamin, apologies to interrupt, if you can start sharing your final messages so we can wrap up the introduction topic.
>> BENJAMIN BÖGEL: No problem.
Maybe just a very brief look at the sectors we’re proposing to add because I think it is important for you as well.
What’s in blue are sectors we already had in the scope. In red, we’re adding the new sectors. You can see that we are also adding sectors that are interesting for this audience here. We had already covered the Internet exchange points, top-level domain registries and cloud; now we’re also adding data centres, content delivery networks, electronic communications and trust service providers, although the last one is being transferred from existing legislation, and next to search engines and marketplaces, which are the existing digital providers, we are adding social networks, which will be under the scope. Just briefly, as said before, we have an identification process, and we’re now proposing to replace this by a very clear-cut, simple size threshold, so every company that falls under the sectors and that is medium or large in size will be under the scope of the new legal instrument. There are some exceptions, such as the ISPs, the trust service providers, top-level domain registries, but also the DNS providers not mentioned here, that will be in the scope irrespective of size, and Member States will be allowed to add additional entities.
There will be a list of cybersecurity requirements that companies also have to put in place. These are extremely high-level and not constraining in any way on the entities. Finally, maybe still interesting for you, there would be a three-stage notification process for incidents, with an initial notification of incidents within 24 hours.
That’s in a nutshell, I’m wrapping up! These are the most important requirements for companies.
>> PETER VAN ROSTE: Thank you, Benjamin. It is a challenge to cover all of this ground in only a couple of minutes. I do realize that.
Thank you for doing a great job.
>> BENJAMIN BÖGEL: I apologize for going beyond the time limit.
>> PETER VAN ROSTE: I think the information was good for this debate. Thank you for this.
Bart Groothuis, you have the floor.
>> BART GROOTHUIS: Thank you, Peter. Thank you, Benjamin. A great introduction. Live from Brussels.
I would say indeed what you said, Peter: I always say that in cybersecurity three months is as much as a year, because things are travelling four times faster than in the real world. Things go so fast that you can’t even keep up with the changes. That’s why we’re trying to make legislation which is also somewhat future-proof, and I think that Benjamin is putting that forward greatly.
Let me start by saying: if Brussels wants something, what does that mean for the people who you represent? The Commission may want something; the Commission will put forward a piece of legislation, in this case cybersecurity legislation, the NIS2, and then there is the Council as well, where all Member States look at the same piece of legislation and formulate their opinions, and the Parliament, the third party, will also do that. Parliament has appointed me as its Rapporteur, so it means that I will try to get a critical majority for the points that we think are important to amend in the proposal, and then, when we all agree as Parliament, I will go into the negotiations with the Commission and with the Council to make this legislation work.
This is the process.
Brussels wants something. It is always: who is actually Brussels? It is always three institutions, making it work together. I’m in the process of drafting those compromise amendments that can have a political majority of the main groups in Parliament, and I’m hoping to finish that after summer so that we can vote on that somewhere in October; let’s get it to the plenary vote before the end of this year so that we can start as soon as possible. There is a huge disaster going forward with cybercrime incidents. With police, intelligence and other cybersecurity services, we have all seen somewhat of a doubling in 2019, a tripling for 2020, and this year we have not seen a peak yet; we may speak of a ransomware pandemic, and that’s why we also need to strengthen capabilities and make sure that there are police forces that can cope with the number of incidents. That’s also why we’re working on this NIS. I find it a great pleasure: it was my previous assignment in the Dutch Ministry of Defense, and now we see what we do in a legislative way to make sure that the cybersecurity community works.
There are three things I would like to say on my priorities, very briefly. The first is on capabilities of Member States. Right, it is a Member State competence, but they are writing strategies, and we want them to write strategies not only on sharing passive data, cyber threat intelligence, information, incident reporting; I also want them to think about what is actively a good posture. How do we prevent cyber attacks if we know they are coming? What capabilities do we want inside or outside of the networks? This is where the cybersecurity strategy of the Commission, which we touched upon, Peter, will also come in quite handy. The European Commission is thinking about a DNS for the E.U., and I encourage it: a DNS system that can actually help us block – not resolve – malign traffic. For example, the attacks here in Europe: I was very much engaged with that, and I was frustrated that we didn’t have the capabilities across Europe to actually make sure that the call-back from the malware on infected systems was blocked, and I’m really looking forward to such capabilities in Europe.
The second thing I would like to propose is on data sharing. I have worked in the cybersecurity community, and since the GDPR many have thought there were liabilities. I want us to share the right data in the right amount in the right context, but also to feel comfortable in sharing it without liability looming around the corner. I want data sharing to be the core of how the cybersecurity community functions.
A second thing to make sure of: we have heard about the Austrian CSIRT; they share information with others, also outside of Europe if it is in our interest, but also with the private sector, and the private sector amongst each other. I want to make perfectly clear what the legal basis is, so that you feel comfortable sharing, and also what you should not feel comfortable sharing.
The third thing: I would like to stress that I want it to be manageable and operable. I’m a practitioner of cybersecurity myself, so for example if the Commission or the Member States would say voluntary sharing of cybersecurity incidents, I would encourage it. If we were to say mandatory sharing of cyber threats, I’m reluctant, because we see thousands of threats each day. There is a huge risk of over-reporting, and I want to make sure we have a good sense of reporting, that we keep the quality high.
The other thing is about how soon you should report. Is it within 24 hours? Can you manage that? I always thought it was very hard. I’m trying to see what we can put forward there to make it manageable.
Two last things, Peter, then I give the floor back to you. The first is on WHOIS. Many of your viewers here are interested, and I very much encourage what the European Commission has put forward on WHOIS. We want to make sure that this is functioning again. We were all looking at each other: why has it stopped? It is an essential part in the cybersecurity community to look for threat actors and new infrastructure and to make sure that the prevention and detection systems are loaded with the right amount of indicators of compromise, and WHOIS actually helped a lot with that. It was a huge loss when it was shut down. I’m glad this legislation will help to get that boost again.
What I do not agree on, and I say this explicitly to this community, is including the root-level DNS servers in the scope. First of all, we know there are 13, and if 12 fall, the Internet will still function. Secondly, they cannot be monetised. The third thing: do we want to regulate NASA, the Pentagon, the University of Tokyo? Are those operators the sort of things we want to regulate in Europe? The fourth thing: sure, they are in scope, but not because of the root-level DNS, rather because of their DNS activities. The most important, the geopolitical argument: should we or should we not interfere with the core of the Internet? I come from the Netherlands; my country is very adamant on making sure that we do not interfere with the core of the Internet and that it is kept safe. I make sure that China and Russia will not get to that point either.
Now, there is a Joint Cyber Unit, and there are so many things in space; I want to make sure optic fibres running through the oceans are better safeguarded, but my time is up! Peter, I give the floor back to you to see if there are any questions, and I would like to hear your concerns as well. I’m in the process of making the legislation from a Parliament point of view, as explained, and I want to see what is on your minds and let’s see what we can learn from you.
Thank you. Back to you. Thank you very much.
>> PETER VAN ROSTE: Thank you so much.
I’m sure likewise for Benjamin, your interventions triggered some questions. I see the acronym EDPS, that’s coming up in the private chat messages here.
Before that, we go to Robert Schischka.
The floor is yours.
>> ROBERT SCHISCHKA: I was muted, sometimes there are more intelligent headsets that are only a headache.
Thank you for having me here. To make it clear, the points are strictly from the perspective of a national CERT, and we’re heavily involved in the laws in Austria and how to get them working, and we have a good relationship with our government and competent authorities here. (Technical issue).
A thing we have learned from NIS 1.0, to call it that way, is that we have two separate areas. The essential service providers, where there was an identification process beforehand, so that the government has really identified them: I understand that in the common market there are some challenges, and it has also proven that it requires a lot of effort on the competent authority side to do this in different ways, but there is a clear advantage. It assures predictability and gives legal certainty on whether they are under the obligations or not, and for some companies that may be quite clear, but for some other companies there is room for debate.
It is also very important, and I was happy to hear it, the importance of information sharing and trust building; they were mentioned in the topic before, and I completely agree. I think that the most powerful weapon against any cyberattacks or cybercrime is to get the whole information sharing and trust building up. This requires knowing who to reach out to and building the relationships before something happens; it is incredibly hard to talk to somebody who has not been identified, who maybe is agnostic. Don’t underestimate the awareness-building capabilities of a legal act. A lot of companies are now dealing with this or have high-level management attention because they have the official letter from the government that they are subject to these regulations, and this really opens up the door for a lot of very fruitful conversations, building up trust, raising awareness and improving the overall cybersecurity. As mentioned, I’m not so much into how many fines have been executed. It is really how much information is shared. Can we reach out to companies, and does the number of reports go higher over time? That’s something which is really important. In the sector of the digital service providers, it has proven, in our country at least, much harder to address, and therefore I’m not so enthusiastic to see the whole NIS 2.0 moving more into the area of not identifying service providers, having more room for errors in this process of self-identification; it is a little bit more punishing after the fact instead of trying to enable and facilitate gaining resilience in this area.
I also think that the changing terminology is probably not the smartest move. We all have lived for centuries with the term of critical infrastructure, which still lives again in some other regulations. We have learned essential service provider, essential services, digital services; now we’re going to essential and important entities. And also the idea that we’re now going away from focusing on certain services to the whole entity being in scope, it is not necessarily a good idea. We see a lot of companies where they’re having hundreds of services but maybe only 1, 2, a handful of them are really essential, and all of the rest is basically, if they fail, it may not be a very good thing for some of their customers and maybe not for the company itself, but from the overall governmental view, does it have a big impact on the whole country or even on the European Union? That may not be important, and I may not forget that raising the bar here also means a lot of additional costs, a lot of additional bureaucracy. So limiting the scope is usually a good idea.
I also think that it is a little bit unclear why for certain kinds of services, for instance, there should be a register for businesses like network service providers, TLDs, others, and everything else is kind of left to self-identification.
There are big issues there. I think one of them, which has been addressed in a long way, for instance, the way DNS services are covered is quite comprehensive; it may be bad wording, and I hope that they’ll be working on this.
The way the directive proposal is now, it is actually everything running, whether it is my personal resolver on my desktop system or some DNS server operator for my personal domain, it is in the same bucket as a big DNS service serving 10 million mobile customers. I’m sure that’s not the intended purpose, and it would either put a very high burden on those running those servers or it would, at the end of the day, foster market consolidation. And also in other services like small ISPs who are not offering services for hospitals or critical information, maybe they could look at projects like private use only, and I’m not sure if we really want to have this game of “you have to be this tall to ride this train” where we are fostering market consolidation, limiting consumer choice, and at the end of the day some small business will simply give up because of the limits and constraints put on them being very high.
What I think is a good move is that data center service providers are explicitly named here. We have been one of the first companies in our country that have had the pleasure to go under this whole audit of the NIS directive, and it was interesting to see that the auditors asked us whether our data center service providers had fulfilled all of the NIS directive requirements, and it doesn’t scale either; more and more companies are moving – (technical issue).
>> PETER VAN ROSTE: Robert, your – we can’t hear you at the moment.
>> ROBERT SCHISCHKA: All of those verifications over and over again.
Finally, some thoughts on the point of correctness and completeness of the domain name registration data. Absolutely in favor of having correct data, there is nothing wrong with that. From the CERT side, I agree that this is a good thing. Some of the recitals in the area, I think they’re stretching the value of this a bit too far. Cybercrime is not mainly driven by incorrect registration data; it is, of course, correct data again, it is good, helpful, helps to correlate things, helps to identify patterns, that everything is correct. The majority of cases where domain holder data is critical, they’re more talking about trademark infringement, defamation, hate speech, those kinds of things, and not really cybercrime in a more strict definition. Don’t forget that DNS abuse mainly happens in the DNS space, not so much in the WHOIS space.
Those attacks, domain checking, also in a lot of cases they’re using completely legitimate domain holder data, data of real persons, counterfeit IDs, and fraud signatures, so on, so on. So by fixing the domain holder data that we will fight cybercrime is too optimistic, let’s put it that way. We really should think somewhere else.
Maybe as a food for thought, maybe it would make a lot of sense to differentiate more between private use and commercial use instead of this definition of personal data of a private person and not a legal entity.
For instance, more thinking aligned to websites, where there are very strict regulations if you want to do business on your website and not so strict requirements if it is just your personal website where you post your photos from last weekend or the latest dish you cooked with your family. We have to be careful not to overreach, and just the process of asking millions of domains to be strongly validated, what does it exactly mean? Do I need to require an ID for my Chinese domain holder? Do I have to validate everyone here in a strong way? It may be overreaching.
My feeling is that when it was written, nobody really thought about WHOIS, but I’m not necessarily convinced that the NIS is the perfect place to fix this problem.
>> PETER VAN ROSTE: Right. Thank you, Robert.
I think we have time for one question and we’ll start with Bart and Benjamin and Robert.
You touched upon it, all of you, to some degree, the impact of the interpretation of the existing data protection rules; there seem to be diverging ranges of views, not just among the speakers, and when we listen to industry, people think this is the Holy Grail solving the problem of data access. The EDPS has a relevant opinion on it, and they shared their expectation that – quoting here – “the proposal does not seek to affect the application of existing E.U. laws governing the processing of personal data”, which is the diplomatic way of saying this will not undermine GDPR. What are the views from the panelists on this?
>> BART GROOTHUIS: Thank you.
Listen, I very much respect all views. I would like to say something on practice.
In practice it is, first of all – let me start with the Dutch police who, together with the French police and the FBI, seized a huge amount from a hacker gang; they seized file servers, other things. They found tens of millions of victims and found the private keys there, they found data, encrypted data, they found keys to decrypt it, everything. Should the police identify victims and notify them? I don’t think so. I think that the police should go after a new gang. They give it to CSIRTs, who should feel comfortable sharing that. With the Austrians: we have identified this amount and we’ll give it to you, there is personal data in there, sensitive keys in there; they should be able to feel the comfort to share that. Currently, they don’t. It is not just that they don’t, it is also that they say we don’t feel any confidence sharing it with Japan, Canada, Australia. There are victims, and it may be good to share that information there.
If the hacker gangs are lazy, if they’re bigger, they have standard operating procedures. The way that you are registering a domain, the registrar you use, the bitcoin, et cetera; you correlate data and track certain ransomware gangs or even nation state actors. That’s not the Holy Grail. It will feed into the ideas that we have, it will feed into the ecosystems. This is a great, great concern to the cybersecurity community. Anyone that thinks differently, okay.
A remark on the DNS: Listen, I very much agree, we shouldn’t allow people with their own DNS servers to – if you have something at home, facilitating yourself, it should not be in scope. I have filed an amendment on the domain name resolution services: if domain name resolution services are a service procured by a third-party entity, that’s the amendment, making sure that we do not have the people who have DNS servers at home integrated in the scope. That’s my 50 cents. A last remark, in the last 10 seconds: the GDPR has a clear article stating cybersecurity and data is not part of the GDPR; it should be shared, people should feel comfort, and you should not restrain yourself if it will be there for the greater benefit to share.
The other thing I’m doing in the NIS, not making sure that I repair that. My proposal is nothing new. I only emphasize what’s already in the legislation, and I make sure that this is the interpretation of the legislation we have. That you feel comfort, that you start sharing again like it was in the old days, and what was that, it was great; we’re going back to the old days, making sure we use the freedom, the legislation we already have, nothing new. The NIS, yes, it is the place to regulate it. Let’s make sure that it starts working again now. That’s my 50 cents on this one. Back to you.
>> PETER VAN ROSTE: Thank you so much.
I understood that your agenda may prevent you from staying much longer with us; in that case, thank you so much. If you can still hang around, you’re welcome, of course. Thank you.
>> BENJAMIN BÖGEL: Actually I don’t have a lot to add on this one. Just to remind everyone that it is two directives; it is not modifying or adding to the GDPR, and our proposal is in line with the rules under the GDPR.
>> PETER VAN ROSTE: Thank you. Understood. Robert.
>> ROBERT SCHISCHKA: Actually we already are sharing, because the GDPR and the NIS directive state already that sharing for the purpose of protecting others is an acceptable reason to do so. It is true that there has been uncertainty at some moments, but it has been sorted out. For the CERTs, I don’t see issues here. The interesting point – I don’t have the phrasing at hand, but it is a little bit weak on entities who have a legitimate interest to get this kind of data. The problem is, everybody looking at this kind of legal text has a different picture in mind. (technical issue).
>> How should we see this regulation and the NIS regulation in a time context? Is GDPR the older one and now it is evolving? Is the GDPR still considered as something totally apart, as we heard before apparently, from cybersecurity, which is not quite true I think? Are they parallel now, or are the new regulations something that evolves out of the GDPR? Thank you.
>> PETER VAN ROSTE: Benjamin, I think you’re the perfect person to answer that one.
>> BENJAMIN BÖGEL: No. I wouldn’t say that this is something new being added to the regulatory environment, first of all, because this has been around for a long time now. It just is a different scope. GDPR is about personal data and NIS is about general cybersecurity incidents, and we do, in fact, encourage Member States to find ways to streamline the reporting for both, maybe having a common entity to which you can report both types of incidents. Yeah.
>> PETER VAN ROSTE: All right. Thank you.
>> MATTHIAS: Thank you. Can you hear me okay? The Internet is not stable.
First of all, thank you for the great conversation, very interesting. I have a question related to WHOIS, and probably Robert could give his opinion on that. I mean, we’re now in the expedited policy development process within ICANN, and it is interesting that Robert was mentioning the differences between maybe checking if it is a private person or a company, like a legal entity.
In the policy development process, they are trying to ask these two questions; they just say, should, for example, registrars and registries in the area be required to check whether it is a legal person, the main owners, like corporations, or natural persons, who is the main owner? There is a lot of burden on the registrars and registries to check this; not all of them have a legal department who can do that.
The second one was related to – it is again pointing to another domain, to other domain holders that could be identified and not uniquely any more. My question to Robert would be, like, in this space, you’re using this with the forum I think, are there differences between the domain owners and, if so, how is the procedure?
>> ROBERT SCHISCHKA: That’s a tricky question.
We have the solution we have been – I help running this in Austria, but several years ago, 15 years ago, without GDPR being on the horizon, we introduced this kind of commercial entity, a legal entity, a natural person, and with a lot of shortcomings because sometimes it is not easy to judge. Of course, if somebody says we’re IBM, another company saying “Limited”, that’s easy, but if it opens up to associations, what about commercial companies which are not strictly speaking companies? There are some gray areas, I agree. Nevertheless, it has proven very useful for us to have this kind of self-declaration. When we introduced the rules in Austria, we found some domain holders didn’t want to have the data show up, and even a large amount of domain holders really insisted that they want to have the data shown, the same: we’re acting as a commercial company, we want to establish trust, we want to have validated certificates, we want to be as open and transparent to our consumers to establish trust as possible, especially with the fake web shops and things opening up, shutting down; being transparent with our data, it is a key value for us. It has been very, very useful to us to have this kind of legal entity. If you’re a private person, is it a 100% rule? Probably not.
As I mentioned, I personally would find it more fruitful to differentiate between whether this is a site for commercial use or a political party or maybe some other BBC, press, something like this, where there is a special requirement for knowing who I’m talking to. For instance, if you are offering credit card transactions, any kind of payment services on the website, I think it would make a lot of sense to require as much transparency about the holder and the people responsible for this site as possible. If it is a private use site where I communicate with my friends, I’m not so sure whether we have to stretch this to a “please show me your passport” in order to have Robert celebrating his birthday website. I consider this far overreaching. Limiting to what’s going on in this space.
>> PETER VAN ROSTE: Thank you so much. Thank you for the questions.
This particular topic on the distinction between legal entities and private individuals, and how to deal with it in the complex context of WHOIS and WHOIS publications, is also the subject of some studies by both ICANN and CENTR. One of the main issues there seems to be the chain of authority within organizations. If Coca-Cola registers the name, who should sign that piece of paper? There is simply no database available that gives the chain of authorizations. It is a complex matter indeed and probably one of the things that we’ll discuss in the future.
Thank you so much for joining us for the first part of the session. We’re now going into the second part, which is the breakout session.
We ate our lunch while having this interesting exchange. What I suggest is that once we move into the breakout rooms, the moderators of the breakout rooms will be sharing with you whether we can spend 2 minutes grabbing coffee, and then get started with the work in the breakout rooms.
If I can ask the host to share the slides so I have the overview of the breakout rooms?
People can make their decisions on where they’re going.
Thank you. Thank you.
We have planned four breakout rooms. You will be able to choose which one you want to join.
The first is on scope and impact, Marco is moderator of that room.
The second one, data accuracy, it will be moderated by Polina.
The third one, on encryption, is moderated by Tatiana, and the fourth, on cyber strategy, is hosted and moderated by Andrea.
We have the luxury of having knowledgeable moderators for these sessions, but as they are taking this role in a neutral capacity, they will just help and get the participants in this room to come to some short, clear, constructive statements. Later these will be shared in the plenary, and that will be the final stage of the session: in the plenary we’re going to take a quick poll to see which of the statements have consensus from the room, and then we can wrap up and send these statements to the EuroDIG secretariat to become part of the overall messages of EuroDIG 2021. We’re really shaping, modestly, but we’re shaping I think part of the regulatory future of the proposals, so please bear with us.
I’m going to open – okay. Thank you.
Thank you for joining us, Robert.
We will – it is probably safer if I let you open the breakout rooms. They’re open now. If you scroll down through the list below your name, you will see the rooms with their subject; the moderators have already been assigned to their rooms. Feel free to pick yours from the list below, and after 40 minutes of debate, maximum I would say, in the rooms, we’ll get back to plenary.
>> PETER VAN ROSTE: Can you confirm you heard me? Welcome back, everyone.
I seem to have lost contact with the studio hosts. If anybody can confirm they’re hearing me?
>> NADIA TJAHJA: We can hear you.
>> PETER VAN ROSTE: Thank you.
I hope that was a useful way to break the discussion up in sizable chunks and the groups were able to come to some conclusion, whether consensus or even electing a statement from any of the rooms. Unfortunately we saw that the topics of encryption and the potential conflict between national and regional regulation only led to a few interested, short discussions; we have closed those rooms and those people have joined rooms one and two. We’ll have statements from rooms one and two to make sure that the statements are representative.
Can I ask Marco to take us through the statements of room 1 on the scope, and ask the host to switch to the next – to actually slide 12 from the deck, which already has these statements on the screen.
>> MARCO: Happy to do that while we wait for the slides. We had quite a good turnout, and lucky enough we have had a couple of clarification questions being asked before we delved into the actual discussion.
From that, it is worth repeating here, people asked questions regarding scope, and for a subset, alternatively, companies outside of the E.U. that provide services into the E.U. need to pick a representative. That sounds similar to what happened with GDPR. There is some reach of NIS outside of the E.U.; that’s probably worth mentioning here.
Further to the discussion, there were three takeaways. We had a bit of a discussion regarding the benefits of vertical approaches, also in relation to how to align with some other instruments that exist and affect the sectors that are currently in Annex 2, and the example given there was the EECC.
Further, and that’s definitely I think also worth repeating here, some people felt that, yeah, rely on multilateralism for the support and, yeah, everybody should be encouraged to seek solutions before the multilateral solutions in legislation.
Finally, and it is worth mentioning, we had a clear call from the people in the industry: we also need to take care of educating the companies and helping them understand what it means to be compliant, because more and more of the instruments are coming and it really is hard to see what’s applicable, and often the focus is on legislation and national legislation, which is not always the full picture. There is a clear note to not only present the proposal but really to put an effort in helping the people who are impacted to understand it, to help them be guided into compliance.
Those are the main takeaways. Benjamin, thank you for answering the clarification questions, and thanks to everybody who joined and gave input.
>> PETER VAN ROSTE: Thank you so much, Marco.
Before going to the download from room 2 on data accuracy, can I sense the temperature in the room about the statements? Does anyone object to anything that is currently reflected on the screen as an outcome of the discussions?
No. Proper consensus statements, Marco.
Thank you, well done.
Polina, the floor is yours to report back from the second room on data accuracy. I believe we’re ready to go to the next slide, where in the meantime Polina managed to summarize these key messages.
>> POLINA MALAJA: Thank you.
So actually I have to be honest with all of you, we have had a very engaging, interesting discussion in our breakout group. I have to be honest, it was a bit difficult for me to make sure we have some type of message as an outcome from the breakout group. I would actually just be really happy if my fellow breakout participants would help define these messages to get more precise. That’s what I came up with.
We discussed a lot – first of all I’ll clarify, we have heard some clarifications on the interrelation between NIS2 and the GDPR. We heard that the instruments are complementary and should coexist with each other, so that none of them is to replace another. They are also both based on principles that are applicable to data controllers, so under the GDPR, and they should be followed under the scope when it comes to Article 23, but the exact procedures and policies are for the entities to define themselves.
I probably need to clarify the first message, but, yes, that’s with regards to the first message.
Second message, we heard about different existing policies within European ccTLDs when it comes to ensuring data accuracy. We heard that these have already been in place, at least within Europe, long before the GDPR came into force. They seem to be working well, at least the ones we heard about. So in this way I tried to capture the second point by saying that there are already existing policies within ccTLDs to make sure of the registration accuracy.
The third point we discussed, some of the key points within Article 23, and there was a point made that there should be more clarity with regards to the accountability under Article 23 and the proposal, specifically with regards to the different roles of the entities mentioned in the article. At the moment it is not clear how they interrelate. I hope I captured the messages accurately and, yeah, I would like to invite my fellow breakout participants to object if I did not capture the messages correctly.
>> PETER VAN ROSTE: All right. Thank you, Polina.
First, so given – I understand that the messages had not been discussed in the group yet. Maybe first to the participants from breakout room 2, is there anything you would like to add? Any objections to the statements as they stand?
I see a comment in the chat, maybe to the second point, dependent on the national laws and availability of the solutions.
Thank you for that.
You made the change directly on the slide? I see you’re doing that.
Anything else? Any other comments to any of the principles, statements?
I see there is a hand from Olivier Bringer.
>> PETER VAN ROSTE: Please. Please. The floor is yours.
>> OLIVIER BRINGER: Thank you. Thank you, from the European Commission.
Yes, maybe we should slightly adapt the first bullet, because it reads like NIS 2 is defining the data management principles. If you remove “and GDPR”, you have a sentence that says NIS 2 defines principles that data controllers should follow, which is not what it does; the GDPR defines the principles of data processing and what the controllers should do.
I don’t have an on-the-spot way to change that. One way may be to say that concerning the registration data, GDPR and NIS 2 are complementary instruments; I’m not sure it is the best way to capture that. This is not a data protection instrument, that’s what I mean. We cannot make as if it is; it is a cybersecurity instrument and it is complementary to other rules, including the GDPR rules. And the discussion we have had, it is about Article 23, and I tried to explain that Article 23 sets out principles, and then the way that the principles are applied will have to be defined by the concerned entities.
>> PETER VAN ROSTE: Maybe a solution is to actually switch it around and just make a statement that it is understood that – and before Polina looks at the text – it is understood that GDPR defines the principles data controllers should follow, and NIS 2 relies on those principles.
Summarizing, repeating: it is understood that GDPR defines the principles that data controllers should follow.
NIS 2 is compliant with the principles. Okay. Thank you.
Thank you for this important clarification.
Seeing no objections, hearing no objections, I think we can assume that this is consensus from the room.
Now broadening to other participants in this session who were not part of the specific discussions: does anybody have any objection to these three statements from room 2? No. Hearing none.
Okay! Thank you! Then we’re done! 45 minutes earlier than planned! Granted, we did skip the break, so I hope that you’re all hanging in there. Thank you so much for the active participation, thank you for the keynote speakers and especially the one hanging in there until the very end, thank you, Benjamin, it is really appreciated.
I think it was a really good session. We have some statements that we can share with the secretariat. With that, I hand it back over to the fabulous studio host and secretariat team. You are doing a marvelous job, bringing your magic to making that work flawlessly. Thank you so much, Nadia and Juuso.
Over to you.
>> NADIA TJAHJA: Thank you for moderating this session and taking on this structure that we’re trying out for EuroDIG.
Any feedback that you had about the new way of approaching the EuroDIG online sessions, please do let us know. We’re very happy for your feedback. We hope that you will stay with us for the rest of the day, and also join many of the other interesting sessions that the EuroDIG community has planned.
Now we will go for lunch until 2:15, and then there will be the keynote from UNESCO. You’re welcome to join us back in Gather.Town, where you can walk around and have discussions. Until then, we wish you a lovely lunch, and thank you for preparing the EuroDIG messages.