Cybersecurity and Resilience of Critical Entities

EESC opinion: Cybersecurity and Resilience of Critical Entities

Key points:

  • The EESC welcomes the Commission's efforts to make public and private entities more resilient to threats from cyber and physical attacks and incidents. It notes that some of the provisions in the two proposals overlap, as they are closely linked and complementary: one proposal focuses primarily on aspects of cybersecurity and the other on physical security. The Committee therefore calls for consideration of the possibility of combining the two proposals into a single text, in the interests of simplification and to avoid a sometimes complicated interpretation and implementation process. Furthermore, given the relevance and sensitivity of the objectives pursued by the two proposals, a regulation would have been preferable to a directive.
  • With regard to the scope of application of the Network and Information Security (NIS) directive, the Committee points out that specific, clearer guidelines are needed to identify those bound by it. In particular, the criteria for distinguishing between "essential" and "important" entities, and the respective requirements to be met, should be more precisely defined, so as to ensure that differing approaches at national level do not result in barriers to trade or free movement of goods and services, which could jeopardise businesses and undermine trade.
  • Finally, the EESC agrees that ENISA, the EU Agency for Cybersecurity, plays a key role in the overall European institutional and operational cybersecurity system. In this regard, it considers that, in addition to the two-yearly report on the state of cybersecurity in the Union, this body should publish regular, up-to-date information on cybersecurity incidents and sector-specific warnings online.