Audible response

Danish Ports' consultation response to the Commission's proposal for NIS2 (Directive on measures to ensure a high common level of cybersecurity across the Union) and repealing Directive (EU) 2016/1148.

Danish Ports supports that efforts against cybercrime must be adapted and strengthened to secure critical infrastructure. However, we have some general comments on the proposal:

It is important that the obligations imposed by the directive on companies (in this case ports) that are considered critical infrastructure are proportionate to the threat of cybercrime. This applies to both the cost and the administrative burden on ports.

The proposal states that smaller companies (less than 50 employees) are not covered by cybersecurity requirements. However, it is unclear whether this also applies to ports. The directive refers to ports as defined in the Security Directive, which covers virtually all Danish commercial ports - even the very small ones. Danish ports therefore want to ensure that the size of the ports is also taken into account, as this could lead to large additional costs for small ports.

It is important that a cybersecurity assessment is carried out before a port is subject to all the measures in the directive. Often it is not the port as such that operates all critical infrastructure in the port, such as container terminals and ferry terminals, and therefore not the port that should be subject to the measures.

Danske Havne therefore proposes that the evaluation of whether a port should be subject to the rules of the directive is made individually and by the

www.danskehavne.dk

03-02-2021

competent national authority. The national authority should carry out a specific risk assessment of each port and on this basis decide whether it should be covered by the critical infrastructure requirements of the Directive. It should also specify which parts of the port (systems, etc.) are considered critical infrastructure in that case.

Danish Ports can see that the proposal will entail large additional costs for implementation and maintenance. Against this background, we propose that there is the possibility of financial support for the companies/ports covered by the requirements.

Kind regards

Danish Ports Kasper Ullum ku@danskehavne.dk +4542449161

Danish-Havens-Hoeringssvarvar-regarding-the-Commission's-proposal-for-a-directive-on-measures-to-ensure-a-high-common-level-of-cybersecurity-across-the-UnionDownload the document