The second iteration of the European Union’s Network and Information Security Directive, NIS 2, was written with good intentions. But many worry the cybersecurity rules could splinter the Internet and undermine security. Among those concerned are Internet Society chapters and members in Europe.
While the directive’s goal is to improve security online, a newly published Internet impact brief highlights how it could undermine the key qualities of the Internet. By regulating providers of Internet architecture, NIS 2 could impose a rigid top-down governance approach on existing community-led initiatives, stifling their long-proven effectiveness in innovating and adapting to new cybersecurity challenges.
Internet Architecture Providers Are the Backbone of the Global Internet
Internet Architecture Providers and other Internet infrastructure providers contribute to the Internet as an open, globally connected, secure and trustworthy resource. Internet Society chapters and other Internet architecture experts have voiced the dangers of overriding existing Internet governance processes to regulate them.
These Internet infrastructure providers tend to be global in nature, operating across national boundaries. As a result:
- Regulations under NIS 2 could block non-compliant providers from the European market.
- Other global providers may preemptively stop offering their services in Europe to escape regulation and fines.
With NIS 2, Internet infrastructure providers could exit the European market voluntarily and involuntarily—leaving Europeans with catastrophic consequences at very little notice. They could experience an Internet that is less reliable, less trustworthy, and potentially even less secure than the one enjoyed elsewhere in the world. Outdated or inaccurate links to websites could be exploited by criminals for abusive behavior. Europeans would also find portions of the Internet difficult to access, depriving them of shared resources and the ability to collaborate globally.
Market exit could also hurt European businesses. Their supply chains could be altered as market consolidation occurs and operating costs increase. Foreign competitors who still enjoy access to a wider selection of cheaper or even free alternatives in their supply chain will enjoy a competitive advantage, hurting European innovation at a critical moment of needed growth.
Internet infrastructure is global in nature. Regulating it in one region with a top-down approach will have ramifications elsewhere, creating issues of extraterritoriality. With NIS 2, the European Union will embolden other countries to dismantle the multistakeholder model that makes the Internet work.
By setting a precedent, the European Union opens the door for further Internet fragmentation, replacing the single global Internet—the Internet that has worked for more than fifty years—with a series of disconnected Intranets.
How You Can Help
European experts are calling on the Council of the European Union to renew its fight for an open and un-fragmented Internet. Here are a few reasons why European experts care about an open and un-fragmented Internet:
CENTR (Council of European National Top-Level Domain Registries)
NIS 2 will undermine EU progress on protecting end-users’ personal information in the digital era, while there is no clear evidence that placing disproportionate burdens on technical operators increases security, stability, and resilience for the Internet’s underlying architecture. Therefore, any data accuracy obligations imposed on TLD registries and registrars under NIS 2 must be fully aligned with the EU data protection framework.
ISPA (Internet Service Providers Austria)
From the perspective of the Austrian Internet industry, where dealing with cyber resilience is part of daily business, the inflexible top-down cybersecurity corset of the current draft of the NIS 2 Directive will not contribute to a higher level of cybersecurity, but endangers well-working internal security procedures and will potentially push small companies from the market.
Frederic Taes, President of the Internet Society Belgium Chapter
Internet Security is for everyone. This implies a full impact report on the Internet Community and the endorsement of Community-led actions for Internet security.
The best way to help the European Commission understand the dangers of top-down regulation of Internet architecture is to make some noise about why it’s important. Please share our Internet Impact Brief widely and help others understand the impact this directive will have. European Internet users and businesses should continue to enjoy the full Internet and all the benefits it provides. Regulation of Internet infrastructure providers under NIS 2 will accomplish exactly the opposite.
P.S. An Update on Recent Changes
While some progress had been made in negotiating NIS 2 over the past year, a recent compromise proposal by the Council of the EU [Document No. 12019/21] threatens to undo a lot of this work. Root name servers, Domain Name System (DNS) services, top-level domains, trust service providers, and certificate authorities are all named by the proposal, which could threaten these services that underpin the Internet. Even more troubling, a further compromise proposal [Document No. 12019/1/21 REV 1] released on 12 October 2021, after the publication of the Internet Society’s Internet Impact Brief, retains the same scope as the earlier rendition and fails to protect against the associated harms.