Dear Sabine Thank you for your topic suggestion. You recall correctly, and the RIPE82 Cooperation WG agenda is yet to be published next week. Since we already had an informative and a very interactive session on NIS2, followed by a submission on behalf of WG members, we accept that there might be more room needed for discussion of EU Cybersecurity Strategy. Also, for example, the recently passed legislation to remove and block access to "terrorist content". For RIPE82, we currently plan to cover The Digital Service Act legislative initiative, as well as some novel approaches with regards to the eIDs - electronic identification schemes. We welcome and invite all members to suggest any topics of interest or any preference they may have not just for the RIPE82, but also for the ongoing Coop WG meetings, so that we could include them in our annual work-plan and post RIPE 82. Desiree — on behalf of Coop WG Co-chairs
On 7 May 2021, at 15:43, Sabine.Meyer@bnetza.de <Sabine.Meyer@BNetzA.DE> wrote:
Dear all,
first - I personally agree with Marco's assessment of the potential impact which the proposed new recital 54a would have. Second, I would like to ask if maybe an update on the state of play regarding the EU Cybersecurity Strategy could be a topic of general interest for the upcoming RIPE82 meeting. IIRC the Cooperation WG does not have an agenda for this meeting yet.
Kind regards Sabine
Sabine Meyer _________________________ 312 - International Coordination Telecommunications Bundesnetzagentur für Elektrizität, Gas, Telekommunikation, Post und Eisenbahnen
Tulpenfeld 4, 53113 Bonn Phone: +49 228 14-3128 Mobile: +49 172 7084686 E-Mail: Sabine.Meyer@bnetza.de Internet: www.bundesnetzagentur.de
-----Ursprüngliche Nachricht----- Von: cooperation-wg <cooperation-wg-bounces@ripe.net> Im Auftrag von Marco Hogewoning Gesendet: Freitag, 7. Mai 2021 16:31 An: Nick Hilliard <nick@foobar.org> Cc: cooperation-wg <cooperation-wg@ripe.net>; routing-wg <routing-wg@ripe.net> Betreff: Re: [cooperation-wg] Update on NIS 2: Proposed amendments by the Parliament alter scope on (root) DNS
Dear Nick,
Marco Hogewoning wrote on 07/05/2021 11:12:
We will continue to track the legislative process and keep you informed about the progress.
Hi Marco,
[cc: routing-wg]
Thanks for the work y'all have been doing to sort out some of the DNS scoping issues. This is really worthwhile and it looks like it changes the proposed text from something which was completely unworkable to something which isn't entirely unreasonable.
I had a quick skim through the rest of the document and came across Amendment 13:
(54a) In order to safeguard the security and to prevent abuse and manipulation of electronic communications networks and services, the use of interoperable secure routing standards should be promoted to guarantee the integrity and robustness of routing functions across the ecosystem of internet carriers. Justification Interoperable secure routing standards are for example Resource-PKI.
I'm quite concerned to see this thrown into the proposed directive at this time.
Personally I am not that worried about this particular amendment. IMHO the way it is worded leaves it fairly open as to what technologies to deploy, with RPKI being just flagged as an example.
Important as well is that changing the recital like this, doesn't alter the scope of the directive. In that sense it only stresses the need for entities that fall within the scope to think about routing security and take appropriate measures to prevent the risks in that area. And I think we can all acknowledge that those risks do exist, so would be hard to argue against.
We are not in scope for the current directive, so I have little knowledge on the details, but I have understood that similar requirements are already in place for entities within the scope of the current NIS directive. Where the requirement is to "secure against routing attacks" and deploying RPKI is seen as one, but not the only, way to satisfy that requirement and be compliant. In other words: "I do RPKI" is an acceptable answer, but you can also argue that you have other measures in place that would remove or reduce the risks and be compliant with the directive.
The amendment introduces new text, but I don't think it actually introduces new requirements compared to the proposal as-is or the way the current directive, as it is in force, is implemented by the national authorities.
Would it be possible to see whether there's consensus on this position, and whether we could present some of this to the EUPARL committee in the same way that the DNS proposals were handled?
If you have a consensus position to bring forward, it is always worth reaching out to the people involved and see if there still is a possibility to make changes. But I would recommend to take into consideration that striking the text altogether might be quite a big "ask" at this stage. Probably easier if an alternative text could be found that would remove the community's concerns, whilst still addressing the need to secure routing.
As it mentions RPKI only as an example, would there be others to add or alternatives that would produce the same result? Because it might actually help if you can list several alternatives, as a way to stress that legislation should be agnostic on technologies.
Best,
MarcoH