BRUSSELS – Today, global tech trade association ITI issued the following statement from Guido Lobrano, ITI’s Vice-President and Director General for Europe, in reaction to the adoption of the General Approach on the new Network and Information Security Directive (NIS II) by the Council of the EU.

“The General Approach on the NIS II Directive agreed upon by the Telecommunications Council today will pave the way to a higher and more harmonised degree of cybersecurity in the EU. We particularly commend the Council for recognizing cybersecurity as a legitimate interest for processing personal data, as this enables security researchers to conduct analysis of the cyber threat landscape.

“We also appreciate the changes made to the reporting obligations for near misses, which allow for a voluntary approach to reporting such information. This will allow companies to focus primarily on the response to confirmed cybersecurity incidentsand competent authorities to prioritize responding to legitimate, actual incidents. In the same vein, throughout the next steps of the legislative process, we encourage legislators to reconsider the 24-hour incident reporting timeline, which is inconsistent with international best practices. A 72-hour reporting timeline will allow impacted entities to direct their attention to investigating and responding to the incident and will ensure that competent authorities receive more appropriately contextualized information about the incident.

“We also believe that for the NIS II Directive to limit fragmentation in the EU cybersecurity landscape, Member States should avoid the deployment of their own cybersecurity scheme, as this would duplicate and potentially conflict with ENISA’s initiatives pursuant to the Cybersecurity Act, which directs it to launch EU-wide cybersecurity schemes.”

Related [Cybersecurity]