5 Network Information Security across the EU
Committee's assessment | Legally and politically important
Committee's decision | Not cleared from scrutiny; further information requested
Document details | Draft Council Directive to ensure a high common level of network and information security across the European Union
Legal base | Article 114 TFEU; ordinary legislative procedure; QMV
Department | Business, Innovation and Skills
Document numbers | (34685), 6342/13 + ADDs 1-2; COM(13) 48
Summary and Committee's conclusions
5.1 The proposed Directive, of early 2013, aims to put measures
in place in order to avert or minimise the risk of a major attack
or technical failure of information and communication infrastructures
(ICT) in Member States.
5.2 In essence, it aims to put measures in place
in order to avert or minimise the risk of a major attack
or technical failure of information and communication infrastructures
(ICT) in Member States. It includes:
· obliging all Member States to produce a national cyber security strategy,
including establishment of a "competent authority" and
a Computer Emergency Response Team (CERT) in each Member State;
· mandating information sharing between Member States, as well as establishing
a pan-EU cooperation plan and coordinated early warnings and a procedure
for agreement of an EU coordinated response to cyber incidents;
· promoting the adoption of good risk management
practices by the private sector through expanding the requirement
of obligatory security breach disclosure (currently imposed only
upon the telecoms sector) to the finance, energy, transport and
health sectors, as well as to "providers of internet society
services"; and
· encouraging the take-up of cyber security
standards, with possible harmonisation measures being taken by
the Commission.
5.3 In the intervening 18 months, a number of contentious
issues were satisfactorily resolved, and have been reported to
the House.
5.4 As of last November, on the two outstanding issues
of scope (much the more important) and operational cooperation,
differences of view still obtained between the UK and some other
Member States (with the European Parliament (EP) seemingly in
their camp), and the Commission and some other Member States.
5.5 In January 2015, the Minister for Culture and
the Digital Economy at the Department for Culture, Media and Sport
(Mr Edward Vaizey) said that "some considerable differences"
had emerged between the positions of the Council and the EP on
which businesses should be included within the Directive's scope.
For its part, the Council wished to see the Directive focussing
on those businesses that provided critical services on whose networks
a cyber-incident would cause major disruption to society or the
economy; and only Member States were in the position to identify
these businesses at a national level. Retaining these two
principles within the text was of utmost importance to the UK
Government. On the other hand, the European Parliament (EP) wanted
to include all businesses within the sectors identified in the
Directive (the original list included energy, transport, health,
finance, banking and digital services) with an exception for micro-enterprises.
He understood that the Latvian Presidency intended to schedule
sufficient time at working group level to debate this issue of
scope and critical infrastructure and also to reach agreement
on the unresolved issue of whether digital services should be
included in the text. He firmly believed that such businesses
should not be included within scope of the Directive, and warmly
welcomed this pause in proceedings, which would "give us
sufficient time to properly consider any possible compromise text".
5.6 The Minister now reports that:
· in order to bridge the gap between the Council and the Parliament
the Presidency has "suggested some stronger criteria for
Member States to use when determining which companies would fall
within scope", which he believes "would be sufficiently
flexible for there to be minimal change to the way that the UK
currently identifies critical operators";
· though the UK has pushed extremely strongly
to exclude digital services from the scope of the Directive throughout
the negotiation and has some support for this position in Council,
"we have encountered strong opposition from those countries
that want digital services included in the final agreement";
· in order to reach a compromise, the Presidency
has suggested reducing the list of digital sectors so that it
would include search engines, e-commerce platforms and cloud computing
services but exclude e-payment gateways, application stores and
social media;
· given this reduction in the list and
the important concession that it will be up to Member States to
identify which companies should be in or out of scope, he considers
this to be a considerable narrowing of scope;
· his officials will also be working closely
with their counterparts in the European Parliament to encourage
them to stick to their position that digital services should be
entirely out of scope during the informal trilogue; and
· the third informal trilogue will take
place "at some point in late March".
5.7 The Minister then:
· says that, given the upcoming election, it will be impossible to communicate
the detail of any informal agreement to the Committee before Parliament
is prorogued;
· lists the changes secured to the original
text during the course of the negotiation, which he hopes that
the Committee will agree are important; and
· asks the Committee to release the file
from scrutiny in order for the Government to take part in the
formal vote on the Directive, which he expects to take place in
early summer.
5.8 In a subsequent press release of 11 March 2015,
the Council has confirmed that the Latvian presidency is "ready
to resume informal trilogue meetings with the European Parliament
with a view to reaching a deal on a draft directive on network
and information security", on the basis of a mandate agreed
by the Permanent Representatives Committee on 11 March 2015; that
the trilogue will be the first one on this proposal under the
current presidency and the third one in total; and that the meeting
is scheduled to take place in late April, as requested by the
European Parliament. The press release also contains a summary
of the objectives of the Directive, of the proposed rules being
negotiated with the European Parliament and of the purported benefits
to consumers and citizens (see paragraph 5.38 below for details).
5.9 We are, as always, grateful to the Minister
for his openness, which has characterised his approach to this
difficult dossier, and which we regard as worthy of wider study
by the Cabinet Office and scrutiny teams across Whitehall.
5.10 However, there is still much uncertainty
about important elements of what remains of the original text.
The EP has changed its tune before. By early summer we hope that
there will be not only a new Government but also a new Committee.
And even if there is one but not the other, the new Committee
will be interested in the final outcome.
5.11 We are therefore unable to accede to the
Minister's request for scrutiny clearance. We recognise that,
in the circumstances, he may well be unable to submit the final
text of the draft Directive to the next Committee for scrutiny
prior to a formal vote in Council. That being so, we are confident
that our successors will not object to the Minister agreeing to
its adoption, should he (or his successor) decide that it is in
the national interest so to do.
5.12 But we shall expect nonetheless that the
Minister, or his successor, deposit any final text along with
a fresh Explanatory Memorandum, outlining its provisions in detail,
and explaining why he (or she) voted as he (or she) did at the
end of the day.
5.13 In the meantime, we shall continue to retain
the document under scrutiny.
Full details of
the documents: Draft Directive concerning
measures to ensure a high common level of network and information
security across the Union: (34685), 6342/13 + ADDs 1-2, COM(13)
48.
Background
5.14 The context to the proposed Directive is set
out in the over-arching Joint Communication 6225/13, "Cybersecurity
Strategy of the European Union: An Open, Safe and Secure Cyberspace",
which we also considered at our meeting on 13 March 2013.[6]
The draft Directive
5.15 The draft Directive is fully summarised in our
first 2013 Report.[7] In
essence, it aims to ensure a high common level of network and
information security (NIS): to put in place measures to avert
or minimise the risk of a major attack or technical failure of
information and communication infrastructures (ICT) in Member
States.
5.16 Most recently the Minister wrote on 26 January
2015 to explain that "some considerable differences"
had emerged between the positions of the Council and the EP on
which businesses should be included within the Directive's scope:
· "For the Council it is important that the scope of this Directive focuses
on those businesses that provide critical services on whose networks
a cyber-incident would cause major disruption to society or the
economy. Furthermore, it is only Member States that are in the
position to identify these businesses at a national level. Retaining
these two principles within the text is of utmost importance to
the UK Government"; and
· the European Parliament "would prefer
to include all businesses within the sectors identified in the
Directive (the original list included energy, transport, health,
finance, banking and digital services) with an exception for micro-enterprises".
5.17 The Minister understood that the Latvian Presidency
intended to schedule sufficient working group time to debate this
issue of scope and critical infrastructure and also to reach agreement
on the unresolved issue of whether digital services should be
included in the text. The Minister "firmly" believed
"that such businesses should not be included within scope
of the Directive", and warmly welcomed "this pause in
proceedings", which he said would "give us sufficient
time to properly consider any possible compromise text".
5.18 In its response, the Committee noted that he
had made the Government's position very clear: but that there
was now a major gap to be closed. In the first instance, the Committee
asked for a further update once the working group process had
got under way and there was any sign of a resolution to this impasse.
5.19 The Committee also reminded the Minister that
the dossier remained under scrutiny and that it expected him and
his officials to have in the forefront of their minds the earlier
exchanges on this matter, as set out in detail in our earlier
Reports.
The Minister's letter of 4 March 2015
5.20 The Minister now provides a further update on
the progress within the Council working group and, "given
the timing of the upcoming election", asks the Committee
to release the document from scrutiny.
5.21 He does so in the following terms:
"When I last wrote to you I explained that the
informal trilogue negotiations with the European Parliament had
been paused to give Council the time to discuss the detail of
two aspects of the file. First, whether the final decision on
which companies should fall in or out of scope of the requirements
should rest with Member States and second, whether digital services
should fall within scope of the Directive.
"On the first point, the Council has been extremely
clear: given that it is only Member States that can determine
which companies provide an 'essential service', it must be left
up to Member States to draw up the final list of operators that
fall within scope of the Directive's requirements. The European
Parliament would prefer for all but the smallest operators in
a sector to automatically fall within scope of the Directive.
In order to bridge the gap between the Council and the Parliament
the Presidency has suggested some stronger criteria for Member
States to use when determining which companies would fall within
scope. I am content that the criteria would be sufficiently flexible
for there to be minimal change to the way that the UK currently
identifies critical operators.
"On the second point, there has not yet been
an agreement on the Council position but we have made considerable
progress. As I have outlined in my previous letters the UK has
pushed extremely strongly to exclude digital services from the
scope of the Directive throughout the negotiation. Whilst we do
have some support for this position in Council, we have encountered
strong opposition from those countries that want digital services
included in the final agreement.
"In order to reach a compromise the Presidency
has suggested reducing the list of digital sectors so that it
would include search engines, e-commerce platforms and cloud computing
services but exclude e-payment gateways, application stores and
social media. Given this reduction in the list and the important
concession that it will be up to Member States to identify which
companies should be in or out of scope, I consider this to be
a considerable narrowing of scope. My officials will also be working
closely with their counterparts in the European Parliament to
encourage them to stick to their position that digital services
should be entirely out of scope during the informal trilogue.
"Following two working groups to iron out the
final details, on 11 March the Latvian Presidency will ask COREPER
to agree to a mandate for the third informal trilogue, the meeting
with the European Parliament will then take place at some point
in late March. This presents an issue with the timing given the
upcoming election as it will be impossible to communicate the
detail of any informal agreement to the Committee before Parliament
is prorogued. I am therefore asking you to release the file from
scrutiny in order for the Government to take part in the formal
vote on the Directive which I expect will take place in early
summer.
"Whilst it is obviously disappointing that I
am not able to provide the Committee with the final detail of
the text, I hope that you will agree that considerable progress
has been made on this file:
· "With
regards to the institutional architecture that Member States are
required to have in place we have secured considerable flexibility
in comparison with the original proposal. Instead of one single
'competent authority' on network and information society, we will
be able to have a number of sector-specific competent authorities
which will more closely mirror the structures that we already
have in place. Likewise requirements related to developing a national
cyber security strategy and the national Computer Emergency Response
Team (CERT) have been made more flexible and I anticipate minimal
disruption to the current UK system.
· "The
changes to pan-EU cooperation and information sharing have been
the widest reaching as this section of the Commission's original
proposal has been entirely rewritten. The UK was the driving force
behind these changes and much of the new language comes directly
from UK suggestions. The mandatory operational cooperation aspects
have been entirely deleted and the Directive now includes an extremely
limited compulsory information sharing requirement: we will only
have to share limited information about incidents when they have
a significant impact in another country. There will be cooperation
on a political and strategic level between Member State officials
and also on a technical level between our CERTs which I hope will
be helpful in developing trust between Europe on network and information
security.
· "I
have outlined above the changes that we have secured with regard
to the scope of the Directive. The original proposal anticipated
that all but the very smallest companies in a wide range of sectors
would fall within scope of the requirements. During the negotiation
we have successfully changed the approach so that it is now up
to the Member States to decide which operators provide essential
services to their economy and society and should therefore fall
within scope of the Directive. In addition I am confident that
the number of digital services sectors will be significantly reduced
either to three or (ideally) to none. In practice this
will considerably reduce the number of companies that
have to meet these new regulatory requirements.
· "As
anticipated from the start of negotiations, mandatory reporting
of security breaches has remained within the text of the agreement:
the Commission, the European Parliament and most other Member
States view this as the backbone of the legislation. We have made
important changes to this text though which will provide far more
flexibility around reporting, for example the sort of incident
that would need to be reported, which will make it easier to implement
the legislation in a light touch fashion.
· "All
delegated acts have been removed from the text and only one implementing
act remains which will require the Commission to define the logistics
of how the cooperation group will work. As this will not be
politically contentious I judge this to be an appropriate use
of an implementing act."
5.22 The Minister concludes by hoping that the Committee
will agree that he has secured important changes to this text
during the course of the negotiation and, "mindful of the
dates of the upcoming election", reiterates his request that
the Committee release the Directive from scrutiny.
5.23 On 11 March 2015, the Council issued the following
statement:
"The Latvian presidency of the Council is ready
to resume informal trilogue meetings with the European Parliament
with a view to reaching a deal on a draft directive on network
and information security (NIS). This reflects the priority
given to this issue by heads of state and government at their
12 February informal meeting. The mandate was agreed by the Permanent
Representatives Committee on 11 March 2015. The trilogue will
be the first one on this proposal under the current presidency
and the third one in total. The meeting is scheduled to take place
in late April as requested by the European Parliament.
"WHAT IS THE NETWORK AND INFORMATION SECURITY
PROPOSAL ABOUT?
"The objective of the network and information
security proposal is to ensure a secure and trustworthy digital
environment throughout the EU.
"The proposed rules being negotiated with the
European Parliament would require designated operators that provide
essential services (in areas such as energy, transport, banking
and healthcare) and key Internet enablers (such as e-commerce
platforms and search engines) to take measures to manage risks
to their networks and notify their incidents to authorities. All
member states would be required to adopt network and information
security strategies and set up teams to respond to incidents.
Cooperation networks would be created at EU level.
"WHAT BENEFITS IS IT EXPECTED TO BRING?
"Citizens and consumers will have more
trust in the technologies, services and systems they rely on day-to-day.
This increased confidence will mean a more inclusive cyberspace,
and a digital economy that grows even faster, supporting economic
recovery. Governments and businesses will be able to rely
more on digital networks and infrastructure to provide their essential
services at home and across borders. More secure e-commerce platforms
could bring more customers online and create new opportunities.
Providers of ICT security products and services would also
benefit, as demand for their products and services is bound to
increase, leading to innovative products and economies of scale.
The EU economy will benefit as sectors that rely heavily
on NIS will be better supported to offer a more reliable service.
"HOW WILL IT BECOME A LAW?
The presidency negotiates the terms of the directive
with the European Parliament on behalf of the Council. In order
to be adopted, the legal act must be approved by both institutions.
The Parliament adopted its position (first-reading amendments)
in March 2014."[8]
Previous Committee Reports
Sixteenth Report HC 219-xvi (2014-15), chapter 1
(29 October 2014); Fifteenth Report HC 219-xv (2014-15), chapter
1 (22 October 2014); Thirteenth Report HC 219-xiii (2014-15),
chapter 6 (15 October 2014); Twelfth Report HC 219-xii (2014-15),
chapter 4 (10 September 2014); First Report HC 219-i (2014-15),
chapter 2 (4 June 2014); Thirty-fifth Report HC 86-xxxv (2012-13),
chapter 6 (13 March 2013); Fortieth Report HC 86-xxxix (2012-13),
chapter 4 (24 April 2013); Forty-fifth Report HC 83-xl (2013-14),
chapter 2 (2 April 2014); also see (34680), 6225/13: Thirty-fifth
Report HC 86-xxxv (2012-13), chapter 3 (13 March 2013).
6 See (34680), 6225/13: Thirty-fifth Report HC 86-xxxv
(2012-13), chapter 3 (13 March 2013).
7 See (34685), 6342/13: Thirty-fifth Report HC 86-xxxv (2012-13),
chapter 6 (13 March 2013).
8 Press Release.