COCIR welcomes the opportunity to provide feedback on the European Commission’s proposal for a Directive on measures for a high common level of cybersecurity (hereafter the NIS 2 Directive proposal).
COCIR appreciates that the NIS 2 Directive proposal builds upon the strengths of the original framework and introduces additional measures to enhance the cybersecurity capacity and capabilities of Member States. Stronger built-in cooperation mechanisms will help improve the EU’s resilience and reinforce its regional power.
From a market perspective, however, things look quite different, as the NIS 2 Directive proposal still leaves several flaws unaddressed that might perpetuate or aggravate the existing legal fragmentation and overlaps with other regulatory frameworks.
The healthcare sector is already heavily regulated, especially when it comes to medical devices and medical software, which will in the near future be covered by even more stringent requirements introduced by the Medical Device Regulation.
The digital transformation of health and care has been ramping up in the past years and, certainly under the influence of the COVID-19 pandemic crisis, this development has strongly accelerated. The importance and growth of digitalisation in the sector hasn’t gone unnoticed, and clearly there is a critical need for appropriate cybersecurity and resilience measures.
Cybersecurity in healthcare is, however, a shared responsibility between industry, healthcare providers, healthcare professionals and other stakeholders. COCIR fully supports and contributes to continuing efforts that raise the level of awareness and security within the sector, recognizing the importance of a secure supply chain.
Having said that, COCIR would like to urge the European Commission to provide the necessary tools, guidance and possible templates – developed in cooperation with stakeholders, including industry – to ensure a smooth and harmonised exchange of information with authorities and within value chains.
In general, COCIR would like to reiterate its call:
- To reduce legal fragmentation and create a level playing field
- To provide legal certainty in more clearly articulating the scope, definitions and requirements
- To ensure consistency with existing frameworks and avoid overlaps and administrative burden
- To recognise the value of sector-specific approaches in order to define proportionate and risk-based measures
- To take account of international and European developments in standardisation to define state of the art
More detailed feedback can be found in the attached document.