Mr. Juhan Lepassaar:

I thank the Deputy for his question. I would not dare to pronounce his name, and I am sorry about that. On the issue of where the threshold is, where we say that something is critical or not critical, what the Network Information Security, NIS, directive revision does is that it establishes a common minimum threshold across the European Union which captures entities above a certain size. Given that the negotiations at EU level, among member states and the Parliament, are still ongoing, I do not want to step into this, but the proposal of the directive also foresees an option for member states to include entities which are below this threshold. That is a good provision because member states have very different economic and social frameworks in place. Big entities in some member states might be small entities in others. The country I know best is a very small one. Critical entities in this country also may have an employee count of only 50, which would not even be considered a start up in some other member states. There is flexibility but at the same time the NIS directive foresees certain common thresholds. It is important that we establish this common threshold because if we do not protect critical service providers in a similar fashion across borders, then we establish loopholes. As is common in cybersecurity, the strength of the chain is determined by the weakest link. That is why it is important that we have a certain harmony in establishing what these entities are and where the threshold is.