Documents considered by the Committee on 29 October 2014 - European Scrutiny Committee


1 Network Information Security across the EU

Committee's assessment: Legally and politically important
Committee's decision: Not cleared from scrutiny; further information requested
Document details: Draft Council Directive to ensure a high common level of network and information security across the European Union
Legal base: Article 114 TFEU; ordinary legislative procedure; QMV
Department: Business, Innovation and Skills
Document numbers: (34685), 6342/13 + ADDs 1-2; COM(13) 48

Summary and Committee's conclusions

1.1 The proposed Directive, of early 2013, aims to put measures in place in order to avert or minimise the risk of a major attack or technical failure of information and communication infrastructures (ICT) in Member States. In the intervening 18 months, a number of contentious issues have been satisfactorily resolved (see paragraphs 1.17-1.20 below for details).

1.2 However, on the two outstanding issues of scope and operational cooperation, differences of view still remain between the UK and some other Member States (with the European Parliament (EP) in their camp) and the Commission and other Member States.

1.3 Most recently, the Minister for Culture and the Digital Economy at the Department for Culture, Media and Sport (Mr Edward Vaizey) reported that the Italian Presidency still intended to secure agreement with the European Parliament (EP) this year; had held an informal, initial, principles-based discussion, broadly based on the principles agreed under the Greek Presidency, but during which no detail of the Council position was disclosed; would feed the result of this discussion into the Council decision making process; had scheduled further discussions with the Parliament to exchange views on the detail later in October and then in November, subject to reaching an agreement in Council on the outstanding points; and said he would update the Committee when a new text issued from the Presidency (see paragraphs 1.21-1.24 below for details).

1.4 The Committee noted its understanding was that:

—  the next Working Group meeting would be on 30 October;

—  the Presidency's aim was for a text to be agreed at that meeting that would then be adopted by COREPER[1] and taken forward into discussion with the European Parliament;

—  this process would begin prior to endorsement by the 27 November Telecoms Council; and

—  the Minister had insisted that the Presidency circulate a revised formal text prior to the 30 October Working Group meeting.

1.5 We reminded the Minister that on several occasions we had indicated that we expected any revised text to be submitted for prior scrutiny, before any agreement was reached in Council. It therefore followed that — in the somewhat unusual circumstances outlined above — we now expected him to do so as soon as possible, and in any event before it was agreed at COREPER, together with his views on that text. We also expected him to explain what role he then envisaged being played by the November Telecoms Council.

1.6 We also continued to retain this dossier under scrutiny.[2]

1.7 The Minister now provides a further update in advance of the Presidency's second informal trilogue with the EP — "the first time that any detail of the Council's position is shared with the European Parliament". He attaches a copy of this text to this letter, but notes that it is to be treated in confidence given its limité classification.

1.8 The Minister describes the text as moving "the Council's position in broadly the right direction". On scope, he says that: the Presidency has proposed a new, more restrictive criterion for Member States to judge whether digital services are in or out of scope, and has also proposed removing internet payment gateways, social networks and application stores from scope entirely; as a majority of Council and the Commission want to include them within scope in some form, the Presidency's proposed position is far preferable to the Commission's original text; and it makes sense to agree that this position is put forward to the European Parliament, as one of the rapporteur's top priorities is to exclude digital services from scope (which means his officials are continuing to work closely with counterparts in the EP to try to ensure this position is maintained).

1.9 Regarding operational cooperation, the Minister says the text includes new requirements for the group of CSIRT[3] experts to discuss future further operational cooperation and the possibility of issuing guidelines, which he regards as acceptable.

1.10 On timing, the Minister expects that:

—  COREPER will be asked to approve this position at a meeting on 7 November in advance of an informal trilogue with the EP on 11 November; and

—  based on the outcome of this meeting, the Council working group and COREPER will further consider a position for a third informal trilogue later in November.

1.11 Following any informal agreement between the Council and the Parliament, the Minister would then submit the final text along with an updated Explanatory Memorandum "well in advance of any formal adoption at Council level".

1.12 Given these timings, the Minister does not expect the 27 November Telecoms Council "to play any formal role in this negotiation", and notes that the current draft agenda for that Council meeting "anticipates 'information from the Presidency'".

1.13 We are content to leave the Minister to play the hand he outlines over the next two informal trilogue meetings.

1.14 Beyond that, we accept his assurance that he will submit any final text and a fresh Explanatory Memorandum "well in advance of any formal adoption at Council level". However, although the 27 November Telecoms Council is, it seems, only to receive a progress report, we presume that formal adoption of a text that has been agreed, even if only informally, with the EP is not expected to be delayed until the subsequent Telecoms Council — in which case we make it clear that we continue to expect there to be sufficient time for any questions that might arise from the revised text to be answered before it is adopted by any other Council.

1.15 In the meantime, this dossier continues to remain under scrutiny.

Full details of the document: Draft Directive concerning measures to ensure a high common level of network and information security across the Union: (34685), 6342/13 + ADDs 1-2, COM(13) 48.

Background

1.16 The context to the proposed Directive is set out in the over-arching Joint Communication 6225/13, "Cybersecurity Strategy of the European Union: An Open, Safe and Secure Cyberspace", which we also considered at our meeting on 13 March 2013.[4]

The draft Directive

1.17 The draft Directive is fully summarised in our first 2013 Report.[5] In essence, it aims to ensure a high common level of network and information security (NIS): to put in place measures to avert or minimise the risk of a major attack or technical failure of information and communication infrastructures (ICT) in Member States. It includes:

—  obliging all Member States to produce a national cyber security strategy and establish contact points for information sharing and cyber incident handling;

—  mandating the establishment of "competent authority" and a CERT in each Member State;

—  mandating information sharing between Member States, as well as establishing a pan-EU cooperation plan for handling cyber incidents;

—  promoting good risk management practices by the private sector through expanding the requirement currently applying only upon the telecoms sector of obligatory security breach disclosure to the finance, energy, transport and health sectors, as well as to "providers of internet society services"; and

—  encouraging the take up of cyber security standards, with possible harmonisation measures being taken by the Commission.

1.18 The Committee was concerned from the outset about the need for a legislative approach at all and, thus, about the scope and prescriptive approach of the proposed Directive, as well as the Commission's proposed use of delegated acts.[6] However, come mid-2014, the then-Presidency produced a marked improvement on the Commission's original proposal, which represented the UK's preferred position to a broad degree, around which the Council was in broad agreement and which did not envisage the use of any delegated acts.

1.19 Subsequent developments are set out in our earlier Reports.[7]

1.20 In late August 2014, the acting Minister (Lord Livingston) reported that the text now reflected the UK Government's position in a number of key areas; in particular:

—  allowing Member States flexibility to determine which operators were within scope and would allow the Directive to be implemented in the UK in the least disruptive manner possible, taking account of the size and maturity of businesses; and

—  improvements on the definition of what would constitute a "reportable incident", with the criteria at a high enough level of definition to provide the necessary flexibility for the UK to implement the Directive without difficulty or excessive disruption to industry.

1.21 But views remain divided on:

—  voluntary versus mandatory reporting schemes, where a large majority, the Commission and the European Parliament continued to favour the latter, to ensure a minimum level of harmonisation; and

—  information sharing and operational cooperation, where a number of Member States and the Commission continued to argue for a basic level of mandatory information sharing and operational cooperation, but where an acceptable compromise was under discussion.[8]

1.22 Then, in October, the Minister for Culture and the Digital Economy at the Department of Business, Innovation and Skills (Mr Edward Vaizey) reported that the UK position had been adopted on the legal base; i.e., Article 114 TFEU as its sole legal base.

1.23 However, on scope and operational cooperation:

—  no Council position had yet been agreed and no new formal Council text had been issued on the proposal;

—  the UK and a number of other Member States had been strongly pushing for this legislation to focus on critical infrastructure sectors, and arguing that including information society services/digital companies would represent an unjustifiable regulatory burden: but other Member States agreed with the Commission that these companies should be included in scope;

—  the European Parliament (EP) had removed these operators from the scope of the proposal, so his officials were working closely with their Parliamentary counterparts to try to mitigate any move from Council to include them; and

—  the UK continued to oppose mandatory information sharing and operational cooperation but was willing to consider a compromise whereby EU CERTs would develop a "roadmap" that plotted the path to operational cooperation in the future (the EP also favoured some form of operational cooperation), as this would be far preferable to setting this out in EU legislation.

1.24 With regard to the future timeline, the Minister said:

—  the Italian Presidency still intended to secure agreement with the Parliament this year;

—  it had held an informal, initial, principles-based discussion with the EP, broadly based on the principles agreed under the Greek Presidency, during which no detail of the Council position was disclosed;

—  the result of this discussion would "feed into the Council decision making process" and "hopefully provide some direction for our own discussion, for example on scope";

—  the Presidency had tentatively scheduled discussions with the Parliament to exchange views on the detail later in October and in November, subject to reaching an agreement in Council on the outstanding points; and

—  he would update the Committee when the Presidency issues a new text.

1.25 We noted our understanding that:

—  the next Working Group meeting would be on 30 October;

—  the Presidency's aim was for a text to be agreed at that meeting that would then be adopted by COREPER and taken forward into discussion with the European Parliament;

—  this process would begin prior to endorsement by the 27 November Telecoms Council; and

—  the Minister had insisted that the Presidency circulate a revised formal text prior to the 30 October Working Group meeting.[9]

The Minister's letter of 28 October 2014

1.26 The Minister (Mr Edward Vaizey) now provides a further update in advance of the Presidency's second informal trilogue with the EP — "the first time that any detail of the Council's position is shared with the European Parliament". He attaches a copy of this text to this letter, but notes that it is to be treated in confidence given its limité classification.

1.27 He continues as follows:

    "I believe that the text moves the Council's position in broadly the right direction. On scope, the Presidency has proposed a new, more restrictive criterion for Member States to judge whether digital services are in or out of scope; the Presidency has also proposed removing internet payment gateways, social networks and application stores from scope entirely.

    "Throughout this negotiation the UK position has been to reject any inclusion of digital services from within scope of the directive; however, a majority of Council and the Commission want to include them within scope in some form. As the Presidency's proposed position is far more preferable than the Commission's original text I believe that it makes sense to agree that this position is put forward to the European Parliament. One of the rapporteur's top priorities for this negotiation is to exclude digital services from scope and my officials are working closely with counterparts in the European Parliament to try to ensure this position is maintained.

    "Regarding operational cooperation, the text includes new requirements for the group of CSIRT[10] experts to discuss future further operational cooperation and the possibility to issue guidelines. Whilst my officials will continue to push for more flexible language on this and on the requirements around information sharing considering the decision to issue guidelines rests with the group itself, I am content that this is an acceptable approach.

    "Finally, in terms of timing we expect that COREPER will be asked to approve this position at a meeting on 7 November in advance of an informal trilogue with the European Parliament on 11 November. Based on the outcome of this meeting I would expect the working group and COREPER to further consider a position for a third informal trilogue later in November. Following any informal agreement between the Council and the Parliament I will submit the final text to the Committees along with an updated Explanatory Memorandum well in advance of any formal adoption at Council level. Given these timings I do not expect the Telecoms Council on 27 November to play any formal role in this negotiation: the current draft agenda for that Council meeting anticipates 'information from the Presidency'."

Previous Committee Reports

Fifteenth Report HC 291-xv (2014-15), chapter 1 (22 October 2014); Thirteenth Report HC 291-xiii (2014-15), chapter 6 (15 October 2014); Twelfth Report HC 291-xii (2014-15), chapter 4 (10 September 2014); First Report HC 291-i (2014-15), chapter 2 (4 June 2014); Thirty-fifth Report HC 86-xxxv (2012-13), chapter 6 (13 March 2013); Fortieth Report HC 86-xxxix (2012-13), chapter 4 (24 April 2013); Forty-fifth Report HC 83-xl (2013-14), chapter 2 (2 April 2014); also see (34680) 6225/13 Thirty-fifth Report HC 86-xxxv (2012-13), chapter 3 (13 March 2013).


1   COREPER, from French Comité des représentants permanents, is the Committee of Permanent Representatives in the European Union, made up of the head or deputy head of mission from the EU member states in Brussels. Its job is to prepare the agenda for the ministerial Council meetings; it may also take some procedural decisions. It oversees and coordinates the work of some 250 committees and working parties made up of civil servants from the member states who work on issues at the technical level to be discussed later by COREPER and the Council. It is chaired by the Presidency of the Council of the European Union. There are in fact two committees: COREPER I consists of deputy heads of mission and deals largely with social and economic issues; COREPER II consists of heads of mission (Ambassador Extraordinary and Plenipotentiary) and deals largely with political, financial and foreign policy issues.

2   See Fifteenth Report HC 219-xv (2014-15), chapter 1 (22 October 2014) and Thirteenth Report HC 219-xiii (2014-15), chapter 6 (15 October 2014) for the full details.

3   Computer Security Incident Response Team (hitherto referred to as CERT, or Computer Emergency Response Team).

4   See (34680), 6225/13: Thirty-fifth Report HC 86-xxxv (2012-13), chapter 3 (13 March 2013).

5   See (34685), 6342/13: Thirty-fifth Report HC 86-xxxv (2012-13), chapter 6 (13 March 2013).

6   Under the TFEU the EU can authorise two forms of subordinate legislation in the "parent" legislation. Delegated legislation may be adopted by the Commission to amend or supplement non-essential elements of the parent legislation. The power can be revoked by either the European Parliament or the Council and proposals for delegated legislation may be blocked by either. Parent legislation may authorise the Commission or, in exceptional cases, the Council to adopt implementing legislation where uniform conditions for implementing binding Union acts are needed. Implementing legislation is subject to scrutiny by Member States under the "comitology" system.

7   First Report HC 219-i (2014-15), chapter 2 (4 June 2014); Thirty-fifth Report HC 86-xxxv (2012-13), chapter 6 (13 March 2013); Fortieth Report HC 86-xxxix (2012-13), chapter 4 (24 April 2013); Forty-fifth Report HC 83-xl (2013-14), chapter 2 (2 April 2014); also see (34680) 6225/13 Thirty-fifth Report HC 86-xxxv (2012-13), chapter 3 (13 March 2013).

8   See Twelfth Report HC 219-xii (2014-15), chapter 4 (10 September 2014).

9   See Fifteenth Report HC 219-xv (2014-15), chapter 1 (22 October 2014) and Thirteenth Report HC 219-xiii (2014-15), chapter 6 (15 October 2014) for the full details.

10   Computer Security Incident Response Team (hitherto referred to as CERT, or Computer Emergency Response Team).




© Parliamentary copyright 2014
Prepared 7 November 2014