Network and Information Security (Directive)
The Directive aims to ensure a minimum level of network and information security. The Commission wants to impose technical requirements and reporting obligations on certain market operators and public authorities. The Member States are to adopt strategies for network and information security.
It is appropriate for Member States to take measures to increase the resilience of networks and information systems at international level because the effect of cyber-attacks is becoming increasingly cross-border in nature.
The security measures and reporting obligations are appropriate. The report should provide information about the gap in security which led to the incident. However, the Directive fails to specify minimum criteria for the content of the reports. SMUs should be exempt from the reporting obligation. The establishment of a central national authority is not compatible with the federal structure of the German state.