Danish Ports association supports that the efforts against cybercrime should be aligned and strengthened to ensure important infrastructure. However, we have some general comments on the proposal:
It is important that the obligations that entities (in this case ports) get from the directive are proportional with the threat from cybercrime. This is both according to cost and administrative burden to the ports. It is important, that a cybersecurity assessment is carried out before a port is subject to all the measures in the directive. Often it is not the port as such that operates all the critical infrastructure in the port, eg container terminals and ferry terminals and therefore not the port that should be the subject of the measures .
Danish Ports can see that the proposal will entail large extra costs to implement and maintain. Against this background, we propose that there is an opportunity for financial support for the companies / ports that are covered by the requirements.
The proposal states that smaller companies (less than 50 employees) are not covered by the requirements for cyber security. However, it is uncertain whether this also applies to ports. The directive refers to ports as defined in the security directive, which covers virtually all Danish commercial ports – also very small ones. Danish Ports therefore wants to ensure that the size of the ports is also taken into account.
Danish Ports proposes that the evaluation of whether a port should be subject to the rules in the directive is done on an individual basis and by the competent national authority. The national authority should make a specific risk assessment of each port and on this basis decide whether it should be covered by the cyber security requirements for critical infrastructure in the
directive. It must also be specified which parts of the port (systems, etc.) are in that case considered critical infrastructure.
Kasper Ullum, Danish Ports