PONT Data&Privacy


European supervisor welcomes the update of the EU's cybersecurity

In an (English-language) opinion published on 11 March 2021, the European Data Protection Supervisor (EDPS) welcomes the proposal for the NIS 2.0 Directive, which aims to replace the existing directive on the security of network and information systems. The goal of the proposal is to harmonise and strengthen cybersecurity practices across the EU. The proposal is part of the EU's cybersecurity strategy to ensure a global and open internet with strong safeguards to reduce the risks to individuals' fundamental rights, including the right to data protection. The EDPS opinion contains remarks and recommendations on both the strategy and the proposed directive.

European Data Protection Supervisor, 17 March 2021

In his Opinion published on 11 March 2021, the EDPS welcomes the Proposal for the NIS 2.0 Directive, which aims to replace the existing Directive on security of network and information systems (NIS). The goal of the Proposal is to harmonise and strengthen cybersecurity practices across the European Union (EU). The Proposal is part of the EU’s Cybersecurity Strategy to ensure a global and open internet with strong safeguards to mitigate the risks for individuals’ fundamental rights, including the right to data protection. The EDPS’ Opinion includes remarks and recommendations on both the Strategy and the proposed Directive.

Wojciech Wiewiórowski, EDPS, said: “It is essential that privacy and data protection are embedded in the proposed Directive and in all future initiatives stemming from the EU’s Cybersecurity Strategy. This will allow a holistic approach when managing cybersecurity risks and protecting individuals’ personal data. In addition, to ensure that the Cybersecurity Strategy, and, by extension, the proposed Directive are effective, it is necessary to fully integrate the EU institutions, offices, bodies and agencies in the overall EU-wide cybersecurity framework to achieve a uniformed level of protection”.

The EDPS appreciates that the proposed Directive envisages systemic and structural changes that will have a positive impact on the security of personal data, electronic communications and the security of the internet. The EDPS also strongly supports the additional initiatives that aim to improve cybersecurity practices in the EU and, more generally, technological sovereignty.

To further enhance the objectives of the proposed Directive, the EDPS reiterates that it is imperative that all practical measures, such as the use of cybersecurity systems to prevent, detect and respond to cyber threats, comply with EU data protection laws.

In his Opinion, the EDPS also stresses that the use of encryption, in particular end-to-end encryption, is crucial. Encryption is an irreplaceable technology to protect individuals’ personal data and right to privacy. Any weakening or circumvention of encryption (e.g. using mandatory backdoors, mandatory key escrow, and hidden communication channels) would completely deprive the mechanism of any effective protection capability and result in a loss of trust. The proposed Directive should therefore be clarified: nothing in the proposal should be construed as an endorsement of weakening end-to-end encryption through “backdoors” or similar solutions.

The EDPS also calls on the EU’s co-legislators to provide for a closer cooperation of cybersecurity actors with the European Data Protection Board, as well as a more comprehensive legal basis for the cooperation and exchange of relevant information with data protection authorities.

Read the EDPS Opinion here
