On 17 February 2022, the Information Technology Industry Council (“ITIC”) published a set of recommendations on what the final NIS2 Directive should include in order to ensure that it “uplifts cybersecurity and resiliency across the European Union”.
Perhaps the most important amendment proposed is a 72-hour reporting window, as opposed to the timeline currently set out in the Proposal for the NIS2 Directive, which is 24 hours after having become aware of the incident. The reasoning behind the recommendation lies in the fact that the companies facing an attack should be primarily focused on rectifying the problem, and not on ensuring the notification to the competent authorities or the CSIRT. Also, it is stated that a longer timescale decreases the risk of reporting inaccurate information or further attacks due to exposing an incident before applying the necessary response measures.
ITIC also advocates that the final Directive should add an article that highlights processing data for security as a legitimate interest under the GDPR and that it should avoid prescriptive rules that govern elements of threat information-sharing arrangements.