02 December 2021

CLECAT Urgently Calls on EU TeleCom Ministers not to unnecessarily burden transport and logistics companies with the NIS 2 Directive

In view of the upcoming Telecommunications Council meeting on 3 December, which will aim to reach a general agreement on the proposed measures for a high common level of cybersecurity across the EU (NIS2 Directive), CLECAT, the European association for forwarding, transport, logistics and customs services, has expressed its serious concerns regarding the scope of the proposed Directive and strongly urges Ministers to re-consider its scope.

The current proposal notes that all entities which employ in excess of 50 employees and whose annual turnover and/or annual balance sheet total exceeds €10 million will be covered by the Directive’s obligations.  As a result, an enormous number of entities will fall under the NIS2 Directive, covering the majority of entities active in the EU, which will thus have to implement the Directive’s extensive cybersecurity requirements.

CLECAT believes that such a generic size-cap is not an appropriate mechanism to identify essential entities. Introducing it would virtually cover almost the entire industry in many sectors and impose undue burdens on companies which are, in their own right, in no way essential for a Member State’s economy and supply. If an expansion of scope is pursued, it should always follow a risk-based approach and only be introduced after thorough assessment of the actual risk posed and impact expected by entities in the respective sector.

CLECAT has therefore urged Ministers to replace the size-cap through a qualitative criterion assessing the actual level of criticality of the entity for the Member State’s economy. These criteria would have to be sector-specific and based on thorough research and consultation amongst the co-legislators and industry stakeholders on what exactly represents a level of criticality in the respective sector. When applying such robust criteria to the identification of essential entities, their size will be irrelevant, meaning that it could also cover micro-entities, provided they are of essential importance for the Member State’s economy and supply.

CLECAT also highlighted that the protection of networks and systems against any form of disruption, be it physical or digital, is in the innermost interest of private entities, whose profitability depends on uninterrupted and secure operations. Therefore, all entities apply appropriate cybersecurity mechanisms internally. However, CLECAT believes that imposing the cybersecurity requirements within the NIS2 Directive on all entities falling under the proposed scope would result in undue burdens for many entities, that are neither appropriate nor justified.

The full Position Paper on the scope of the NIS2 Directive can be accessed on the CLECAT Website.