2 Network Information Security across the EU

(34685)
6342/13 + ADDs 1-2
COM(13) 48

Draft Council Directive to ensure a high common level of network and information security across the European Union

Legal base | Article 114 TFEU; ordinary legislative procedure; QMV
Department | Business, Innovation and Skills
Basis of consideration | Minister's letters of 20 February and 20 March 2014
Previous Committee Reports | HC 86-xxxix (2012-13), chapter 4 (24 April 2013) and HC 86-xxxv (2012-13), chapter 6 (13 March 2013)
Discussion in Council | To be determined
Committee's assessment | Legally and politically important
Committee's decision | Not cleared; further information requested; relevant to the debate on Joint Communication on an EU Cybersecurity Strategy (reported to the House on 24 April 2013); further information now provided and requested
Background
2.1 The context to the proposed Directive is set
out in the over-arching Joint Communication 6225/13, "Cybersecurity
Strategy of the European Union: An Open, Safe and Secure Cyberspace",
which we also considered at our meeting on 13 March 2013.[4]
The draft Directive
2.2 The draft Directive is fully summarised in our
previous Report. In essence, it aims to ensure a high common
level of network and information security (NIS): to put in place
measures to avert or minimise the risk of a major attack or technical
failure of information and communication infrastructures (ICT)
in Member States. It includes:
- ensuring that Member States all reach a certain level of network and information security by obliging all Member States to produce a national cyber security strategy and to establish points of contact in each Member State for information sharing and cyber incident handling;
- mandating the establishment of a "competent authority" and a Computer Emergency Response Team (CERT) in each Member State;
- mandating information sharing between Member States, as well as establishing a pan-EU cooperation plan, coordinated early warnings and a procedure for agreeing an EU coordinated response to cyber incidents;
- promoting the adoption of good risk management practices by the private sector by expanding the obligatory security breach disclosure requirement, which currently applies only to the telecoms sector, to the finance, energy, transport and health sectors, as well as to "providers of internet society services"; and
- encouraging the take-up of cyber security standards, with possible harmonisation measures being taken by the Commission.
2.3 The Commission argues that: the proposed Directive
satisfies the requirements of both subsidiarity and proportionality;
it should be empowered to adopt delegated acts in accordance with
Article 290 TFEU, in order to supplement or amend certain non-essential
elements of the basic act; and in order to ensure uniform conditions
for the implementation of the basic act, it should be empowered
to adopt implementing acts in accordance with Article 291 TFEU.[5]
The Commission also seeks to demonstrate that the second of the
three options examined via its impact assessment would have the
strongest positive impacts.
2.4 The Minister for Universities and Science at
the Department for Business, Innovation and Skills (Mr David Willetts)
commented in detail in his Explanatory Memorandum of 27 February
2013 and, following our Report in March 2013, updated us on 16
April 2013.
The Minister's letter of 16 April 2013
2.5 The Minister set out what he described as the
strategy and activities the Government was leading, as part of
the UK National Cyber Security Strategy, to improve cyber security
in the UK and sought to indicate how the Commission "could
adopt an alternative approach to the Directive yet still play
a role in building on some of these ambitions". Much of
this detail, "and more", was (the Minister said) set
out in the Government's response to the Commission's consultation
on improving network and information security in the EU.[6]
2.6 The Minister said that the Government considered cyber security to be a Tier 1 National Security threat. The 2011 National Cyber Security Strategy, supported by a £650 million programme, was primarily delivered through supporting and incentivising businesses and consumers to take action, rather than imposing regulation, an approach he characterised as "far-reaching cooperation and collaboration between government and the private sector". The key measures in this programme included:
- "Partnerships with business to raise awareness of threats and mitigation;
- "Ensuring cyber security is part of corporate governance best practice;
- "Awareness raising with small businesses and individuals;
- "Encouraging the industry-led development of standards and guidance to enhance and inform relative levels of cyber security; and
- "Creation of a National CERT (Computer Emergency Response Team)".
2.7 The Minister said that he would continue to seek
to pursue voluntary and cooperative arrangements where possible,
and to ensure alignment between the Directive and the UK national
approach on relevant issues, in particular with regard to any
new structures (such as the national CERT and Competent Authority).
He continued to remain concerned that the Commission's proposed
breach disclosure requirements would not incentivise good practice
in terms of businesses monitoring their networks for unauthorised
intrusions and taking steps to prevent and mitigate them.
2.8 He had promoted his approach through many discussions with the Commission over the last year; however, it was clear that their preferred option was to take a legislative approach. Nonetheless, the case for legislation had not yet been justified. The Commission needed to recognise those areas where Member States have competence and where action was best achieved at a national level, as well as ensuring that non-regulatory options are considered before any legislation is adopted.
2.9 The Minister then outlined the areas in which
he believed the EU had competence and could play a useful role;
and recalled his negotiating position, as set out in his 27 March
2013 Explanatory Memorandum:
"to ensure that the final Directive does not
cut across the current UK approach to cyber security, and to encourage
the Commission to take positive action in the areas set out above."
2.10 The Minister concluded by undertaking to update
the Committee on any further developments on the negotiations
on this dossier.
Our assessment
2.11 When we considered the related Joint Communication on an EU Cybersecurity Strategy,[7] we noted that the Commission's approach appeared to be essentially collaborative; after all, we also noted, it was in all Member States' interests to devise and adopt appropriate strategies, policies and programmes to tackle a transnational, existential threat to the basis of modern life.
2.12 Moreover, as the Commission itself said, any
successful approach had to recognise the leading role of the private
sector. The question thus immediately arose as to the need for
EU legislative compulsion embodied in this proposed Directive.
2.13 But the Minister seemed to regard this as unavoidable,
notwithstanding competence issues being already of concern. The
Government's approach was highlighted by words such as "support",
"encourage" and "partnership". This approach
was easily open to the Commission: in ENISA, it had an established
agency whose function is precisely to facilitate such cooperation
between Member States, their own stakeholders and the Commission.
Other non-legislative options were also open to the Commission.
Yet the Commission appeared to be deaf to anything other than
legislation.
2.14 The Minister, on the other hand (with an eye no doubt on the QMV basis of the proposal), was apparently resigned to damage limitation. It would have been helpful to have known whether other Member States shared his concerns, or whether the Government was alone in preferring a collaborative approach. The debate that we recommended on the EU Cybersecurity Strategy Joint Communication would, we hoped, provide an opportunity to clarify this.
2.15 With regard to the proposed Directive itself,
we concluded that, as it was possible that the concerns that had
immediately arisen over the first piece of proposed legislation
arising from this Strategy could be removed during negotiation,
it would have been premature to recommend it for debate. We therefore
retained it under scrutiny. But we also considered our Report
relevant to the debate on the Joint Communication, so that interested
Members could question Ministers at the outset about the wider
policy issues involved in the proposed Directive.
2.16 We also drew it to the attention of the Joint
Committee on the National Security Strategy, which was taking
evidence on national security and the EU; and to the Business,
Innovation and Skills Committee.[8]
2.17 The debate on the Joint Communication took place in European Committee B on 8 July 2013. Though a member of the Scrutiny Committee explained the rationale for "tagging" the Directive to the debate (that the Minister's response to the Committee's queries made it more plain than ever that the Commission's proposals are highly prescriptive, will require significant changes to UK law and have not been properly costed), the debate itself (which was led by the Minister for Europe) focused only on the Joint Communication.[9]
The Minister's letter of 20 February 2014
2.18 The Minister makes it clear that his and our
concerns notwithstanding, there is to be a Directive of some sort.
2.19 The Minister says that progress in the Council
under both the Irish and Lithuanian Presidencies has been slow,
which he explains thus:
"The Network and Information Security proposal
was discussed within the Telecoms Working Group and time was scarce.
Both Presidencies elected to devote the majority of the group's
time to negotiating more mature or time critical dossiers, notably
the proposed regulations on Electronic Identification and Other
Trust Services and Guidelines for trans-European Telecommunications
Networks.
"Council concluded the first article-by-article
read through of the Network and Information Security Directive
in December. The comments from all Member States were preliminary
and, given the complexity and sensitive nature of the topic, all
delegations made it clear that a lot more discussion would be
required before a final position could be reached."
2.20 The Minister then says that, in preparation
for the December 2013 Telecoms Council, the Lithuanian Presidency
progress report highlighted specific areas that would require
further debate. The Minister summarises the main conclusions as
follows:
"There was a broad desire amongst
Council members to reduce the scope of the Directive. A number
of Member States would prefer more flexibility to determine which
operators would fall under the scope of the reporting requirements
and concerns were expressed regarding the inclusion of public
administrations and information society services.
"Many Member States also wanted more flexibility
around establishing a competent authority and Computer Emergency
Response Team (CERT). A number of delegations said they would
like clarity that Member States could set up more than one CERT
and also that it should be made clear that it would be possible
for existing bodies to perform the functions and tasks of the
competent authority.
"More discussion will be required on the
proposed cooperation network and the tasks that this network would
perform as well regarding the mandatory nature of the security
breach reporting proposed in Article 14. Some Member States feel
that this should be left up to Member States to determine whilst
others see the value of mandatory reporting. There was a consensus
in Council opposing the Commission's proposed use of delegated
acts throughout the Directive.
"The Greek Presidency has said that given
the paucity of discussion to date within Council, they will not
aim to achieve a first reading deal before the European Parliament
elections. Rather, they have stated their ambition is to secure
a Council General Approach at the June Telecoms Council. I therefore
expect the discussions on this file to intensify during the spring.
"The European Parliament has made much swifter
progress on the file and the lead committee, IMCO (Internal Market
Committee) agreed their position on the proposal at the end of
January. My officials worked very closely with Parliamentary contacts
in the run-up to this vote and the UK's influence can be seen
in the Committee's decision to exclude public administrations
and information society services from the scope of the Directive.
The Committee also agreed to text that would give greater flexibility
to Member States to determine the institutional structures for
reporting breaches and coordinating with other EU Member States
which we broadly support.
"Nonetheless, we do have strong concerns
about IMCO's decision to extend the proposal and include the food
chain, water and internet exchange points within scope of the
reporting requirements. In addition we will have to carefully
consider whether the Committee's changes to strengthen the cooperation
network between EU Member States are necessary and proportionate.
The IMCO decision will be voted on by the wider European Parliament
at the March plenary session. We do not expect the Plenary to
make any significant changes to it."
2.21 Because it was mis-routed by the Minister's office, we did not receive the Minister's letter until mid-March. Our officials therefore indicated to the Minister's office that the Committee would appreciate a further letter that, as well as covering the Impact Assessment and its implications for the Government's approach, explains why a legislative approach has been necessary at all and brings the Committee up to date on what has happened since 20 February on the issues raised above.
The Minister's letter of 20 March 2014
2.22 The Minister begins by apologising for the delay
in our receiving his previous letter, which he says was due to
an administrative error within his Department's correspondence
team, of which the team in question has been made aware.
2.23 On the proposed Directive, the Minister says:
"My officials have conducted a call for
evidence and initial assessment of the potential impact of the
Commission's proposal. Our estimates indicate that this proposal
could impact up to 22,935 businesses in the UK. The required potential
additional spending for these businesses would be £992.1
million a year in the medium case scenario and £1,984.2 million
a year in the high scenario. More precise indications of the cost
to businesses of the proposal are difficult to establish at this
stage due to the lack of detail in the proposals. My officials
therefore also compiled a summary of qualitative responses to
our consultation. I have provided hard copies with this letter.
"These documents should be considered as
initial appraisals of the potential impact of the Commission's
proposal developed to help inform the UK position on the Directive,
rather than formal impact assessments. My officials deemed the
Commission's impact assessment to be of very limited value so
they conducted their own informal analysis of the proposal. My
Department will be undertaking a formal assessment of the impact
on the UK if and when the file is agreed. We will send this to
you when it is completed.
"I replied to your report of April 2013
on the proposal on 16 April 2013 and I have attached this reply
to this letter for ease. The UK strongly questioned whether legislation
in this area was warranted during working groups in the summer
and autumn of last year. Our argumentation was based upon the
poor quality of the Commission's Impact Assessment and we successfully
persuaded the Irish Presidency to schedule two discussions of
this document to carefully examine whether the Commission had
provided a strong enough case to justify legislation. Whilst other
Member States also expressed doubts over the details of the proposal
and the evidence presented by the Commission, most delegations
supported the aim of the proposal to increase the level of network
and information security across the EU and, ultimately, there
was insufficient appetite within Council to reject the Directive
outright. Despite this, we have been working very closely to address
our concerns on the detail of the proposal with a number of like-minded
other Member States.
"The Greek Presidency has set a fast timetable
for the second half of their Presidency and they are aiming for
a general or partial general approach on the file at the 6 June
Telecoms Council. Whilst this goal is ambitious without some very
fundamental changes to the text, my officials will continue to
work closely with our allies, along with the Presidency and Commission,
to ensure that the proposal moves in the right direction during
the discussions under the Greek Presidency."
2.24 The Minister undertakes to keep the Committee
updated on the progress of Council discussions.
Conclusion
2.25 We thank the Minister for his apology. No
doubt he has not only made his department's communication team
aware of the error but also taken appropriate action to ensure
that it does not recur.
2.26 It is regrettable, to say the least, that insufficient Member States were prepared to reject such a poorly prepared and inadequately justified Commission proposal. Even now, only a little over two months before the Presidency is aiming for agreement of a General Approach, the lack of detail is such that the Minister can only produce a "best estimate" of the potential impact on UK business. As matters stand, it is likely to be significant: in round figures, up to 23,000 UK businesses would have to find additional expenditure of £1-2 billion per annum. And the benefits are not yet clear.
2.27 His letter of 20 February contains some positive elements: a broad desire on the part of Member States to reduce the scope of the Directive and for more flexibility to determine which operators would fall under the scope of the reporting requirements; concerns regarding the inclusion of public administrations and information society services; many Member States wanting more flexibility around establishing a Computer Emergency Response Team (CERT), and clarity that it would be possible for existing bodies to perform the functions and tasks of the competent authority. The Minister also reports some helpful elements in the European Parliament's text, though that is to some extent offset by the proposal to broaden the scope of the reporting requirements, and thus presumably to increase both the number of UK businesses that would be affected and the overall cost.
2.28 On the upside, we note in particular the
consensus in Council opposing the Commission's proposed use of
delegated acts throughout the Directive.
2.29 In sum, the Minister says that "some very fundamental changes to the text" will be necessary between now and the 6 June Telecoms Council for agreement on a General Approach. Given the story so far, it may well be that we will wish to have the outcome of the negotiating process debated prior to this Council. In that case, we would like the Minister's promised update no later than Thursday 8 May (so that, if necessary, a debate could be arranged prior to the Whitsun recess).
2.30 As well as dealing with the various uncertainties
still surrounding the scope, costs and benefits of the proposed
Directive, we would wish to know precisely which aspects, if any,
would be subject to implementation via delegated acts and, if
so, why the Minister regards them as consistent with the proper
application of Article 290 TFEU.
2.31 In the meantime, we shall retain the draft
Directive under scrutiny.
2.32 We are also drawing this chapter of our Report
to the attention of the Business, Innovation and Skills Committee.
[4] See (34680) 6225/13: HC 86-xxxv (2012-13), chapter 3 (13 March 2013).
[5] On its website, the Commission notes (its emphasis) that: The Treaty of Lisbon makes several changes to the types of European Union legal acts. "For the sake of clarification and simplification, it firstly reduces the number of legal instruments available to the European institutions. In addition, it enables the Commission to adopt a new category of act: delegated acts. It also strengthens the competence of the Commission to adopt implementing acts. These two changes aim at improving the efficiency of European decision-making and the implementation of these decisions." See http://europa.eu/legislation_summaries/institutional_affairs/treaties/lisbon_treaty/ai0032_en.htm for full information.
[6] Can be found at: http://www.bis.gov.uk/assets/BISCore/business-sectors/docs/u/12-1222-uk-response-ec-consultation-network-information-security.pdf.
[7] (34680) 6225/13: HC 86-xxxv (2012-13), chapter 3 (13 March 2013).
[8] See headnote: HC 86-xxxix (2012-13), chapter 4 (24 April 2014).
[9] The record of the debate is available at http://www.publications.parliament.uk/pa/cm201314/cmgeneral/euro/130708/130708s01.htm (Gen Co Deb, European Committee B, 8 July 2013, cols. 3-12).