Documents Considered by the Committee on 22 October 2014 - European Scrutiny Committee Contents


1 Network Information Security across the EU

Committee's assessment: Legally and politically important
Committee's decision: Not cleared from scrutiny; further information requested
Document details: Draft Council Directive to ensure a high common level of network and information security across the European Union
Legal base: Article 114 TFEU; ordinary legislative procedure; QMV
Department: Business, Innovation and Skills
Document number: (34685), 6342/13 + ADDs 1-2, COM(13) 48

Summary and Committee's conclusions

1.1 The proposed Directive, of early 2013, aims to put measures in place in order to avert or minimise the risk of a major attack or technical failure of information and communication infrastructures (ICT) in Member States.

1.2 In late August 2014, the acting Minister (Lord Livingston) reported that, as the result of working group level work over the summer — and, in the Government's case, close consultation with Ofcom and CERT (Computer Emergency Response Team) officials — the text now reflected the UK Government's position in a number of key areas; in particular:

—  allowing Member States flexibility to determine which operators were within scope would allow the Directive to be implemented in the UK in the least disruptive manner possible, taking account of the size and maturity of businesses; and

—  improvements on the definition of what would constitute a "reportable incident", with the criteria at a high enough level of definition to provide the necessary flexibility for the UK to implement the Directive without difficulty or excessive disruption to industry.

1.3 But views remain divided on voluntary versus mandatory reporting schemes — where a large majority, the Commission and the European Parliament continued to favour the latter, to ensure a minimum level of harmonisation — and on how to deal with the question of information sharing and operational cooperation, where a number of Member States and the Commission continued to argue for a basic level of mandatory information sharing and operational cooperation, but where an acceptable compromise was under discussion.

1.4 Discussion was also continuing on whether a single (internal market) or dual (internal market and civil protection) legal base was appropriate: whilst some elements of the proposal, when viewed in isolation, might be regarded as less directly linked to the functioning of the internal market, his own view was that this proposal was intended to be read in the round, not as individual or separate elements; that viewed in this way it was clearly linked to the functioning of the internal market; and that a single internal market (Article 114) legal base was therefore appropriate.

1.5 The Minister for Culture and the Digital Economy at the Department of Business, Innovation and Skills (Mr Edward Vaizey) now reports that the UK position has been adopted on the legal base; i.e., that the proposal should continue to use Article 114 as its sole legal base.

1.6 However, on the two outstanding issues of scope and operational cooperation, the Minister says that:

—  no Council position has yet been agreed and no new formal Council text has been issued on the proposal;

—  while the UK and a number of other Member States have been arguing that including information society services/digital companies would represent an unjustifiable regulatory burden, and have therefore been strongly pushing for this legislation to focus on critical infrastructure sectors, other Member States agree with the Commission that these companies should be included in scope;

—  the European Parliament (EP) has removed these operators from the scope of the proposal, so his officials are working closely with their Parliamentary counterparts to try to mitigate any move from Council to include them; and

—  with regards to operational cooperation, again there are two divergent views in Council: the UK position is to continue to oppose mandatory information sharing and operational cooperation but to consider whether to task the group of EU CERTs to develop a "roadmap" that plots the path to operational cooperation in the future; as the EP also favours some form of operational cooperation, it would be far preferable for a group of CERT experts to develop plans for future cooperation, rather than setting this out in EU legislation.

1.7 With regard to the future timeline, the Minister says:

—  the Italian Presidency still intends to secure agreement with the Parliament this year;

—  last week it held an informal, initial, principles-based discussion with the EP, broadly based on the principles agreed under the Greek Presidency, during which no detail of the Council position was disclosed;

—  the result of this discussion "will feed into the Council decision making process and will hopefully provide some direction for our own discussion, for example on scope";

—  the Presidency has tentatively scheduled discussions with the Parliament to exchange views on the detail later this month and next month, subject to reaching an agreement in Council on the outstanding points; and

—  he will update the Committee when a new text issues from the Presidency.

1.8 We understand that:

—  the next Working Group meeting is on 30 October;

—  the Presidency's aim is for a text to be agreed at that meeting, which would then be adopted by COREPER and taken forward into discussion with the European Parliament;

—  this process would begin prior to endorsement by the 27 November Telecoms Council.

1.9 We further understand that the Minister has insisted that the Presidency circulates a revised formal text prior to the 30 October Working Group meeting.

1.10 We have pointed out to the Minister on several occasions that we expect any revised text to be submitted for prior scrutiny, before any agreement is reached in Council. It therefore follows that — in the somewhat unusual circumstances outlined above — we now expect him to do so as soon as possible, and in any event before it is agreed at COREPER, together with his views on that text (a letter rather than an Explanatory Memorandum would suffice). We would also expect him to explain what role he then envisages being played by the November Telecoms Council.

1.11 In the meantime, this dossier remains under scrutiny.

Full details of the documents: Draft Directive concerning measures to ensure a high common level of network and information security across the Union: (34685), 6342/13 + ADDs 1-2, COM(13) 48.

Background

1.12 The context to the proposed Directive is set out in the over-arching Joint Communication 6225/13, "Cybersecurity Strategy of the European Union: An Open, Safe and Secure Cyberspace", which we also considered at our meeting on 13 March 2013.[1]

The draft Directive

1.13 The draft Directive is fully summarised in our first 2013 Report.[2] In essence, it aims to ensure a high common level of network and information security (NIS): to put in place measures to avert or minimise the risk of a major attack or technical failure of information and communication infrastructures (ICT) in Member States. It includes:

—  obliging all Member States to produce a national cyber security strategy and establish contact points for information sharing and cyber incident handling;

—  mandating the establishment of "competent authority" and a CERT in each Member State;

—  mandating information sharing between Member States, as well as establishing a pan-EU cooperation plan for handling cyber incidents;

—  promoting good risk management practices by the private sector through expanding the requirement currently applying only upon the telecoms sector of obligatory security breach disclosure to the finance, energy, transport and health sectors, as well as to "providers of internet society services"; and

—  encouraging the take up of cyber security standards, with possible harmonisation measures being taken by the Commission.

1.14 The Committee was concerned from the outset about the need for a legislative approach at all and, thus, about the scope and prescriptive approach of the proposed Directive, as well as the Commission's proposed use of delegated acts.[3] However, come mid-2014, updates from the then Minister (Mr David Willetts) outlined a much more acceptable direction of travel, with the then-Presidency having produced a set of principles that: offered a marked improvement on the Commission's original proposal; represented the UK's preferred position to a broad degree; and around which the Council was in broad agreement that a final compromise position could emerge. The principles proposed by the Presidency also did not envisage the use of any delegated acts.

1.15 Subsequent developments are set out in our earlier Reports.[4]

1.16 In late August 2014, the Minister (Lord Livingston, acting for the Minister for Culture and the Digital Economy) reported that, as the result of working group level work over the summer — and, in the Government's case, close consultation with Ofcom and CERT officials — the text now reflected the UK Government's position in a number of key areas, which he illustrated in a number of ways; in particular:

—  allowing Member States flexibility to determine which operators were within scope would allow the Directive to be implemented in the UK in the least disruptive manner possible, taking account of the size and maturity of businesses; and

—  improvements on the definition of what would constitute a "reportable incident", with the criteria at a high enough level of definition to provide the necessary flexibility for the UK to implement the Directive without difficulty or excessive disruption to industry (see our 10 September 2014 Report for full details).[5]

1.17 But views remain divided on voluntary versus mandatory reporting schemes — where a large majority, the Commission and the European Parliament continued to favour the latter, to ensure a minimum level of harmonisation — and on how to deal with the question of information sharing and operational cooperation, where a number of Member States and the Commission continued to argue for a basic level of mandatory information sharing and operational cooperation, but where an acceptable compromise is under discussion.[6]

1.18 Discussion was also continuing on whether a single (internal market) or dual (internal market and civil protection) legal base was appropriate: whilst some elements of the proposal, when viewed in isolation, might be regarded as less directly linked to the functioning of the internal market, his own view was that this proposal was intended to be read in the round, not as individual or separate elements; that viewed in this way it was clearly linked to the functioning of the internal market; and that a single internal market (Article 114) legal base was therefore appropriate.

1.19 Most recently, the Minister reported that discussion on the Directive's legal base would take place after the Council has reached a final agreement on the policy content of the proposal "as this will necessarily inform any decision on the legal base".

1.20 In other respects, the new Italian Presidency text continued "the good work completed under the Greek Presidency": the main changes related to the scope of the proposal and the new chapter on cooperation, and were "broadly in line with the UK's priorities for this file":

—  Member States would now determine which operators fell within scope of the reporting requirements whilst still providing a minimum level of harmonisation and avoiding a patchwork implementation across the EU;

—  splitting cooperation into strategic cooperation involving the Member State administrations and voluntary operational cooperation involving national CERTs has been broadly welcomed by the majority of Member States. Development of a roadmap for future operational cooperation by the CERT group could still be a concession to the minority who continued to call for mandatory cooperation to be retained in the text;

—  the concept of "early warnings" had been reintroduced, to deal with a situation when an incident on a network in one Member State could impact on users in another Member State: though helpful, the text failed to provide adequate clarity to Member States, and would be further discussed in working group meetings during September.[7]

1.21 We asked the Minister to provide his next update no later than 30 October, and sooner if appropriate, and to outline the:

—  timetable between then and the end of the year — our assumption being that the Council would need to agree a general approach on a revised text before the trilogue process began;

—  latest situation on "scope" and "cooperation", and on the appropriate legal base.[8]

The Minister's letter of 16 October 2014

1.22 The Minister for Culture and the Digital Economy at the Department of Business, Innovation and Skills (Mr Edward Vaizey) now writes to say that it has been agreed, in line with the UK position, that the proposal should continue to use Article 114 as its sole legal base.

1.23 The Minister then continues as follows:

"Since I last wrote to you there has not yet been a Council position agreed on the two outstanding issues of scope and operational cooperation and no new formal Council text has issued on the proposal.

"Whilst there has been a general agreement that it should be up to Member States to decide which individual operators should fall within scope of the reporting requirements, there is not yet an agreement on which sectors should be included in scope of the Directive.

"The UK and a number of other Member States have been strongly pushing to exclude information society services from scope of the Directive's requirements. We believe that this legislation should focus on critical infrastructure sectors only and that including these sorts of digital companies would represent an unjustifiable regulatory burden. However, a group of Member States oppose this position and agree with the Commission that these companies should be included in scope. Whilst it is possible that a compromise could emerge that focuses on the infrastructure that underpins the internet which we could support, this issue remains unresolved.

"The European Parliament has removed these operators from scope of the proposal so my officials are working closely with their Parliamentary counterparts to try to mitigate any move from Council to include them in our approach.

"With regards to operational cooperation, again there are two divergent views in Council: whether to include operational cooperation or not. The UK position is to continue to oppose mandatory information sharing and operational cooperation but to consider whether to task the group of EU Computer Emergency Response Teams (CERTs) to develop a 'roadmap' that plots the path to operational cooperation in the future. As the European Parliament is also in favour of some form of operational cooperation I believe it would be far preferable for a group of CERT experts to develop plans for future cooperation, rather than setting this out in EU legislation.

"Despite this failure to secure agreement on two fundamental aspects of this negotiation the Italian Presidency still intends to secure agreement with the Parliament this year. This week the Presidency held an informal, initial, principles-based discussion, broadly based on the principles agreed under the Greek Presidency, during which no detail of the Council position was disclosed. The result of this discussion will feed into the Council decision making process and will hopefully provide some direction for our own discussion, for example on scope.

"The Presidency has tentatively scheduled discussions with the Parliament to exchange views on the detail later this month and next month, subject to reaching an agreement in Council on the outstanding points. I will write to update the Committee when a new text issues from the Presidency".

Previous Committee Reports

Thirteenth Report HC 291-xiii (2014-15), chapter 6 (15 October 2014); Twelfth Report HC 291-xii (2014-15), chapter 4 (10 September 2014); First Report HC 291-i (2014-15), chapter 2 (4 June 2014); Thirty-fifth Report HC 86-xxxv (2012-13), chapter 6 (13 March 2013); Fortieth Report HC 86-xxxix (2012-13), chapter 4 (24 April 2013); Forty-fifth Report HC 83-xl (2013-14), chapter 2 (2 April 2014); also see (34680) 6225/13 Thirty-fifth Report HC 86-xxxv (2012-13), chapter 3 (13 March 2013).


1   See (34680), 6225/13: Thirty-fifth Report HC 86-xxxv (2012-13), chapter 3 (13 March 2013).

2   See Thirty-fifth Report HC 86-xxxv (2012-13), chapter 6 (13 March 2013).

3   Under the TFEU the EU can authorise two forms of subordinate legislation in the "parent" legislation. Delegated legislation may be adopted by the Commission to amend or supplement non-essential elements of the parent legislation. The power can be revoked by either the European Parliament or the Council and proposals for delegated legislation may be blocked by either. Parent legislation may authorise the Commission or, in exceptional cases, the Council to adopt implementing legislation where uniform conditions for implementing binding Union acts are needed. Implementing legislation is subject to scrutiny by Member States under the "comitology" system.

4   First Report HC 219-i (2014-15), chapter 2 (4 June 2014); Thirty-fifth Report HC 86-xxxv (2012-13), chapter 6 (13 March 2013); Fortieth Report HC 86-xxxix (2012-13), chapter 4 (24 April 2013); Forty-fifth Report HC 83-xl (2013-14), chapter 2 (2 April 2014); also see (34680) 6225/13 Thirty-fifth Report HC 86-xxxv (2012-13), chapter 3 (13 March 2013).

5   See Twelfth Report HC 219-xii (2014-15), chapter 4 (10 September 2014).

6   Ditto.

7   See our most recent Report for full details: HC 219-xiii (2014-15), chapter 6 (15 October 2014).

8   Ditto.


 


© Parliamentary copyright 2014
Prepared 3 November 2014