45th Report of Session 2013-14 - European Scrutiny Committee


2 Network Information Security across the EU

(34685)

6342/13

+ ADDs 1-2

COM(13) 48

Draft Council Directive to ensure a high common level of network and information security across the European Union
Legal base: Article 114 TFEU; ordinary legislative procedure; QMV
Department: Business, Innovation and Skills
Basis of consideration: Minister's letters of 20 February and 20 March 2014
Previous Committee Reports: HC 86-xxxix (2012-13), chapter 4 (24 April 2013) and HC 86-xxxv (2012-13), chapter 6 (13 March 2013)
Discussion in Council: To be determined
Committee's assessment: Legally and politically important
Committee's decision: Not cleared; further information requested; relevant to the debate on Joint Communication on an EU Cybersecurity Strategy (reported to the House on 24 April 2013); further information now provided and requested

Background

2.1 The context to the proposed Directive is set out in the over-arching Joint Communication 6225/13, "Cybersecurity Strategy of the European Union: An Open, Safe and Secure Cyberspace", which we also considered at our meeting on 13 March 2013.[4]

The draft Directive

2.2 The draft Directive is fully summarised in our previous Report. In essence, it aims to ensure a high common level of network and information security (NIS): to put in place measures to avert or minimise the risk of a major attack on, or technical failure of, information and communication technology (ICT) infrastructures in Member States. It includes:

—  ensuring that Member States all reach a certain level of network and information security through obliging all Member States to produce a national cyber security strategy and to establish points of contact in each Member State for information sharing and cyber incident handling;

—  mandating the establishment of "competent authority" and a Computer Emergency Response Team (CERT) in each Member State;

—  mandating information sharing between Member States, as well as establishing a pan-EU cooperation plan and coordinated early warnings and procedure for agreement of EU coordinated response for cyber incidents;

—  promoting the adoption of good risk management practices by the private sector by extending the obligatory security breach disclosure requirement, which currently applies only to the telecoms sector, to the finance, energy, transport and health sectors, as well as to providers of information society services; and

—  encouraging the take up of cyber security standards, with possible harmonisation measures being taken by the Commission.

2.3 The Commission argues that: the proposed Directive satisfies the requirements of both subsidiarity and proportionality; it should be empowered to adopt delegated acts in accordance with Article 290 TFEU, in order to supplement or amend certain non-essential elements of the basic act; and in order to ensure uniform conditions for the implementation of the basic act, it should be empowered to adopt implementing acts in accordance with Article 291 TFEU.[5] The Commission also seeks to demonstrate that the second of the three options examined via its impact assessment would have the strongest positive impacts.

2.4 The Minister for Universities and Science at the Department for Business, Innovation and Skills (Mr David Willetts) commented in detail in his Explanatory Memorandum of 27 February 2013 and, following our Report in March 2013, updated us on 16 April 2013.

The Minister's letter of 16 April 2013

2.5 The Minister set out what he described as the strategy and activities the Government was leading, as part of the UK National Cyber Security Strategy, to improve cyber security in the UK and sought to indicate how the Commission "could adopt an alternative approach to the Directive yet still play a role in building on some of these ambitions". Much of this detail, "and more", was (the Minister said) set out in the Government's response to the Commission's consultation on improving network and information security in the EU.[6]

2.6 The Minister said that the Government considered cyber security to be a Tier 1 National Security threat. The 2011 National Cyber Security Strategy, supported by a £650 million programme, was primarily delivered through supporting and incentivising businesses and consumers to take action, rather than imposing regulation — an approach he characterised as "far-reaching cooperation and collaboration between government and the private sector". The key measures in this programme included:

—  "Partnerships with business to raise awareness of threats and mitigation;

—  "Ensuring cyber security is part of corporate governance best practice;

—  "Awareness raising with small businesses and individuals;

—  "Encouraging the industry-led development of standards and guidance to enhance — and inform — relative levels of cyber security; and

—  "Creation of a National CERT (Computer Emergency Response Team)".

2.7 The Minister said that he would continue to pursue voluntary and cooperative arrangements where possible, and to ensure alignment between the Directive and the UK national approach on relevant issues, in particular with regard to any new structures (such as the national CERT and Competent Authority). He remained concerned that the Commission's proposed breach disclosure requirements would not incentivise good practice, namely businesses monitoring their networks for unauthorised intrusions and taking steps to prevent and mitigate them.

2.8 He had promoted his approach through many discussions with the Commission over the last year; however, it was clear that its preferred option was to take a legislative approach. Nonetheless, the case for legislation had not yet been justified. The Commission needed to recognise those areas where Member States have competence and where action was best achieved at national level, as well as ensuring that non-regulatory options are considered before any legislation is adopted.

2.9 The Minister then outlined the areas in which he believed the EU had competence and could play a useful role; and recalled his negotiating position, as set out in his 27 February 2013 Explanatory Memorandum:

"to ensure that the final Directive does not cut across the current UK approach to cyber security, and to encourage the Commission to take positive action in the areas set out above."

2.10 The Minister concluded by undertaking to update the Committee on any further developments on the negotiations on this dossier.

Our assessment

2.11 When we considered the related Joint Communication on an EU Cybersecurity Strategy,[7] we noted that the Commission's approach appeared to be essentially collaborative — after all, we also noted, it was in all Member States' interests to devise and adopt appropriate strategies, policies and programmes to tackle a transnational, existential threat to the basis of modern life.

2.12 Moreover, as the Commission itself said, any successful approach had to recognise the leading role of the private sector. The question thus immediately arose as to the need for EU legislative compulsion embodied in this proposed Directive.

2.13 But the Minister seemed to regard this as unavoidable, even though competence issues were already a concern. The Government's approach was characterised by words such as "support", "encourage" and "partnership". This approach was equally open to the Commission: in ENISA, it had an established agency whose function is precisely to facilitate such cooperation between Member States, their own stakeholders and the Commission. Other non-legislative options were also open to the Commission. Yet the Commission appeared to be deaf to anything other than legislation.

2.14 The Minister, on the other hand — with an eye no doubt on the QMV basis of the proposal — was apparently resigned to damage limitation. It would have been helpful to have known if other Member States shared his concerns, or whether the Government was alone in preferring a collaborative approach. The debate that we recommended on the EU Cybersecurity Strategy Joint Communication would, we hoped, provide an opportunity to clarify this.

2.15 With regard to the proposed Directive itself, we concluded that, as it was possible that the concerns that had immediately arisen over the first piece of proposed legislation arising from this Strategy could be removed during negotiation, it would have been premature to recommend it for debate. We therefore retained it under scrutiny. But we also considered our Report relevant to the debate on the Joint Communication, so that interested Members could question Ministers at the outset about the wider policy issues involved in the proposed Directive.

2.16 We also drew it to the attention of the Joint Committee on the National Security Strategy, which was taking evidence on national security and the EU; and to the Business, Innovation and Skills Committee.[8]

2.17 The debate on the Joint Communication took place in European Committee B on 8 July 2013. Though a member of the Scrutiny Committee explained the rationale for "tagging" the Directive to the debate — that the Minister's response to the Committee's queries made it more plain than ever that the Commission's proposals are highly prescriptive, will require significant changes to UK law and have not been properly costed — the debate itself (which was led by the Minister for Europe) focused only on the Joint Communication.[9]

The Minister's letter of 20 February 2014

2.18 The Minister makes it clear that, his and our concerns notwithstanding, there is to be a Directive of some sort.

2.19 The Minister says that progress in the Council under both the Irish and Lithuanian Presidencies has been slow, which he explains thus:

    "The Network and Information Security proposal was discussed within the Telecoms Working Group and time was scarce. Both Presidencies elected to devote the majority of the group's time to negotiating more mature or time critical dossiers, notably the proposed regulations on Electronic Identification and Other Trust Services and Guidelines for trans-European Telecommunications Networks.

    "Council concluded the first article-by-article read through of the Network and Information Security Directive in December. The comments from all Member States were preliminary and, given the complexity and sensitive nature of the topic, all delegations made it clear that a lot more discussion would be required before a final position could be reached."

2.20 The Minister then says that, in preparation for the December 2013 Telecoms Council, the Lithuanian Presidency progress report highlighted specific areas that would require further debate. The Minister summarises the main conclusions as follows:

    "There was a broad desire amongst Council members to reduce the scope of the Directive. A number of Member States would prefer more flexibility to determine which operators would fall under the scope of the reporting requirements and concerns were expressed regarding the inclusion of public administrations and information society services.

    "Many Member States also wanted more flexibility around establishing a competent authority and Computer Emergency Response Team (CERT). A number of delegations said they would like clarity that Member States could set up more than one CERT and also that it should be made clear that it would be possible for existing bodies to perform the functions and tasks of the competent authority.

    "More discussion will be required on the proposed cooperation network and the tasks that this network would perform, as well as regarding the mandatory nature of the security breach reporting proposed in Article 14. Some Member States feel that this should be left up to Member States to determine whilst others see the value of mandatory reporting. There was a consensus in Council opposing the Commission's proposed use of delegated acts throughout the Directive.

    "The Greek Presidency has said that given the paucity of discussion to date within Council, they will not aim to achieve a first reading deal before the European Parliament elections. Rather, they have stated their ambition is to secure a Council General Approach at the June Telecoms Council. I therefore expect the discussions on this file to intensify during the spring.

    "The European Parliament has made much swifter progress on the file and the lead committee, IMCO (Internal Market Committee) agreed their position on the proposal at the end of January. My officials worked very closely with Parliamentary contacts in the run-up to this vote and the UK's influence can be seen in the Committee's decision to exclude public administrations and information society services from the scope of the Directive. The Committee also agreed to text that would give greater flexibility to Member States to determine the institutional structures for reporting breaches and coordinating with other EU Member States which we broadly support.

    "Nonetheless, we do have strong concerns about IMCO's decision to extend the proposal and include the food chain, water and internet exchange points within scope of the reporting requirements. In addition we will have to carefully consider whether the Committee's changes to strengthen the cooperation network between EU Member States are necessary and proportionate. The IMCO decision will be voted on by the wider European Parliament at the March plenary session. We do not expect the Plenary to make any significant changes to it."

2.21 Because it was mis-routed by the Minister's office, we did not receive the Minister's letter until mid-March. Our officials therefore indicated to the Minister's officials that the Committee would appreciate a further letter that, as well as covering the Impact Assessment and its implications for the Government's approach, explains why a legislative approach has been necessary at all and brings the Committee up to date on what has happened since 20 February on the issues raised above.

The Minister's letter of 20 March 2014

2.22 The Minister begins by apologising for the delay in our receiving his previous letter, which he says was due to an administrative error within his Department's correspondence team, of which the team in question has been made aware.

2.23 On the proposed Directive, the Minister says:

    "My officials have conducted a call for evidence and initial assessment of the potential impact of the Commission's proposal. Our estimates indicate that this proposal could impact up to 22,935 businesses in the UK. The required potential additional spending for these businesses would be £992.1 million a year in the medium case scenario and £1,984.2 million a year in the high scenario. More precise indications of the cost to businesses of the proposal are difficult to establish at this stage due to the lack of detail in the proposals. My officials therefore also compiled a summary of qualitative responses to our consultation. I have provided hard copies with this letter.

    "These documents should be considered as initial appraisals of the potential impact of the Commission's proposal developed to help inform the UK position on the Directive, rather than formal impact assessments. My officials deemed the Commission's impact assessment to be of very limited value so they conducted their own informal analysis of the proposal. My Department will be undertaking a formal assessment of the impact on the UK if and when the file is agreed. We will send this to you when it is completed.

    "I replied to your report of April 2013 on the proposal on 16 April 2013 and I have attached this reply to this letter for ease. The UK strongly questioned whether legislation in this area was warranted during working groups in the summer and autumn of last year. Our argumentation was based upon the poor quality of the Commission's Impact Assessment and we successfully persuaded the Irish Presidency to schedule two discussions of this document to carefully examine whether the Commission had provided a strong enough case to justify legislation. Whilst other Member States also expressed doubts over the details of the proposal and the evidence presented by the Commission, most delegations supported the aim of the proposal to increase the level of network and information security across the EU and, ultimately, there was insufficient appetite within Council to reject the Directive outright. Despite this, we have been working very closely to address our concerns on the detail of the proposal with a number of like-minded other Member States.

    "The Greek Presidency has set a fast timetable for the second half of their Presidency and they are aiming for a general or partial general approach on the file at the 6 June Telecoms Council. Whilst this goal is ambitious without some very fundamental changes to the text, my officials will continue to work closely with our allies, along with the Presidency and Commission, to ensure that the proposal moves in the right direction during the discussions under the Greek Presidency."

2.24 The Minister undertakes to keep the Committee updated on the progress of Council discussions.

Conclusion

2.25 We thank the Minister for his apology. No doubt he has not only made his department's communication team aware of the error but also taken appropriate action to ensure that it does not recur.

2.26 It is regrettable, to say the least, that insufficient Member States were prepared to reject such a poorly prepared and inadequately justified Commission proposal. Even now — only a little over two months before the Presidency is aiming for agreement of a General Approach — the lack of detail is such that the Minister can only produce a "best estimate" of the potential impact on UK business. As matters stand, it is likely to be significant: in round figures, up to 23,000 UK businesses would have to find additional expenditure of £1-2 billion per annum. And the benefits are not yet clear.

2.27 His letter of 20 February contains some positive elements: a broad desire on the part of Member States to reduce the scope of the Directive and for more flexibility to determine which operators would fall under the scope of the reporting requirements; concerns regarding the inclusion of public administrations and information society services; many Member States wanting more flexibility around establishing a competent authority and Computer Emergency Response Team (CERT), and clarity that it would be possible for existing bodies to perform the functions and tasks of the competent authority. The Minister also reports some helpful elements in the European Parliament's text — though that is to some extent offset by the proposal to broaden the scope of the reporting requirements, and thus presumably to increase both the number of UK businesses that would be affected and the overall cost.

2.28 On the upside, we note in particular the consensus in Council opposing the Commission's proposed use of delegated acts throughout the Directive.

2.29 In sum, the Minister says that "some very fundamental changes to the text" will be necessary between now and the 6 June Telecoms Council for agreement on a General Approach. Given the story so far, it may well be that we will wish to have the outcome of the negotiating process debated prior to this Council. In that case, we would like the Minister's promised update no later than Thursday 8 May (so that, if necessary, a debate could be arranged prior to the Whitsun recess).

2.30 As well as dealing with the various uncertainties still surrounding the scope, costs and benefits of the proposed Directive, we would wish to know precisely which aspects, if any, would be subject to implementation via delegated acts and, if so, why the Minister regards them as consistent with the proper application of Article 290 TFEU.

2.31 In the meantime, we shall retain the draft Directive under scrutiny.

2.32 We are also drawing this chapter of our Report to the attention of the Business, Innovation and Skills Committee.


4   See (34680): 6225/13: HC 86-xxxv (2012-13), chapter 3 (13 March 2013).

5   On its website, the Commission notes (its emphasis) that:

The Treaty of Lisbon makes several changes to the types of European Union legal acts. "For the sake of clarification and simplification, it firstly reduces the number of legal instruments available to the European institutions. In addition, it enables the Commission to adopt a new category of act: delegated acts. It also strengthens the competence of the Commission to adopt implementing acts. These two changes aim at improving the efficiency of European decision-making and the implementation of these decisions." See http://europa.eu/legislation_summaries/institutional_affairs/treaties/lisbon_treaty/ai0032_en.htm for full information.

6   Can be found at: http://www.bis.gov.uk/assets/BISCore/business-sectors/docs/u/12-1222-uk-response-ec-consultation-network-information-security.pdf.

7   (34680) 6225/13: HC 86-xxxv (2012-13), chapter 3 (13 March 2013).

8   See headnote: HC 86-xxxix (2012-13), chapter 4 (24 April 2013).

9   The record of the debate is available at http://www.publications.parliament.uk/pa/cm201314/cmgeneral/euro/130708/130708s01.htm (Gen Co Deb, European Committee B, 8 July 2013, cols. 3-12).




© Parliamentary copyright 2014
Prepared 10 April 2014