Netnod's Consultation Response on NIS2 Implementation
Netnod's response primarily focuses on questioning the appropriateness and resource efficiency of the methods advocated by NIS2 (and NIS1), noting that the directive's implementation is still characterized by ambiguities.
A key concern is the mandatory requirement to report and update IP addresses/ranges, the purpose of which is unclear:
- If the goal is security scanning, the process would need to be automated because IP address space is updated frequently, and scanning the vast IPv6 address space is deemed impractical and not resource-efficient.
- If the goal is tracking which actor uses a specific address range, Netnod argues this is redundant, since that tracking is already handled, primarily by RIPE NCC in a European context.
Consequently, there is no clear purpose for reporting IP address ranges in the proposed manner.
Furthermore, there is a broader concern about the central aggregation of data. The impact assessment does not sufficiently clarify the threats and risks associated with increased data collection. Netnod also questions the legal basis for the processing and sharing of individuals’ operational circumstances, including IP address usage, among national and EU authorities.