Documents considered by the Committee on 18 March 2015 - European Scrutiny Contents


5 Network Information Security across the EU

Committee's assessment: Legally and politically important
Committee's decision: Not cleared from scrutiny; further information requested
Document details: Draft Council Directive to ensure a high common level of network and information security across the European Union
Legal base: Article 114 TFEU; ordinary legislative procedure; QMV
Department: Business, Innovation and Skills
Document numbers: (34685), 6342/13 + ADDs 1-2; COM(13) 48

Summary and Committee's conclusions

5.1 The proposed Directive, of early 2013, aims to put measures in place in order to avert or minimise the risk of a major attack or technical failure of information and communication infrastructures (ICT) in Member States.

5.2 In essence, it aims to put measures in place in order to avert or minimise the risk of a major attack on, or technical failure of, information and communication infrastructures (ICT) in Member States. It includes:

—  obliging all Member States to produce a national cyber security strategy, including the establishment of a "competent authority" and a Computer Emergency Response Team (CERT) in each Member State;

—  mandating information sharing between Member States, as well as establishing a pan-EU cooperation plan and coordinated early warnings and procedure for agreement of EU coordinated response for cyber incidents;

—  promoting the adoption of good risk management practices by the private sector through expanding the requirement of obligatory security breach disclosure (currently imposed only upon the telecoms sector) to the finance, energy, transport and health sectors, as well as to "providers of internet society services"; and

—  encouraging the take up of cyber security standards, with possible harmonisation measures being taken by the Commission.

5.3 In the intervening 18 months, a number of contentious issues were satisfactorily resolved, and have been reported to the House.

5.4 As of last November, on the two outstanding issues of scope (much the more important) and operational cooperation, differences of view still obtained between the UK and some other Member States (with the European Parliament (EP) seemingly in their camp), and the Commission and some other Member States.

5.5 In January 2015, the Minister for Culture and the Digital Economy at the Department for Culture, Media and Sport (Mr Edward Vaizey) said that "some considerable differences" had emerged between the positions of the Council and the EP on which businesses should be included within the Directive's scope. For its part, the Council wished to see the Directive focussing on those businesses that provided critical services on whose networks a cyber-incident would cause major disruption to society or the economy; and only Member States were in the position to identify these businesses at a national level — retaining these two principles within the text was of utmost importance to the UK Government. On the other hand, the European Parliament (EP) wanted to include all businesses within the sectors identified in the Directive (the original list included energy, transport, health, finance, banking and digital services) with an exception for micro-enterprises. He understood that the Latvian Presidency intended to schedule sufficient time at working group level to debate this issue of scope and critical infrastructure and also to reach agreement on the unresolved issue of whether digital services should be included in the text. He firmly believed that such businesses should not be included within scope of the Directive, and warmly welcomed this pause in proceedings, which would "give us sufficient time to properly consider any possible compromise text".

5.6 The Minister now reports that:

—  in order to bridge the gap between the Council and the Parliament the Presidency has "suggested some stronger criteria for Member States to use when determining which companies would fall within scope", which he believes "would be sufficiently flexible for there to be minimal change to the way that the UK currently identifies critical operators";

—  though the UK has pushed extremely strongly to exclude digital services from the scope of the Directive throughout the negotiation and has some support for this position in Council, "we have encountered strong opposition from those countries that want digital services included in the final agreement";

—  in order to reach a compromise, the Presidency has suggested reducing the list of digital sectors so that it would include search engines, e-commerce platforms and cloud computing services but exclude e-payment gateways, application stores and social media;

—  given this reduction in the list and the important concession that it will be up to Member States to identify which companies should be in or out of scope, he considers this to be a considerable narrowing of scope;

—  his officials will also be working closely with their counterparts in the European Parliament to encourage them to stick to their position that digital services should be entirely out of scope during the informal trilogue; and

—  the third informal trilogue will take place "at some point in late March".

5.7 The Minister then:

—  says that, given the upcoming election, it will be impossible to communicate the detail of any informal agreement to the Committee before Parliament is prorogued;

—  lists the changes secured to the original text during the course of the negotiation, which he hopes that the Committee will agree are important; and

—  asks the Committee to release the file from scrutiny in order for the Government to take part in the formal vote on the Directive, which he expects to take place in early summer.

5.8 In a subsequent press release of 11 March 2015, the Council has confirmed that the Latvian presidency is "ready to resume informal trilogue meetings with the European Parliament with a view to reaching a deal on a draft directive on network and information security", on the basis of a mandate agreed by the Permanent Representatives Committee on 11 March 2015; that the trilogue will be the first one on this proposal under the current presidency and the third one in total; and that the meeting is scheduled to take place in late April, as requested by the European Parliament. The press release also contains a summary of the objectives of the Directive, of the proposed rules being negotiated with the European Parliament and of the purported benefits to consumers and citizens (see paragraph 5.38 below for details).

5.9 We are, as always, grateful to the Minister for his openness, which has characterised his approach to this difficult dossier, and which we regard as worthy of wider study by the Cabinet Office and scrutiny teams across Whitehall.

5.10 However, there is still much uncertainty about important elements of what remains of the original text. The EP has changed its tune before. By early summer we hope that there will be not only a new Government but also a new Committee. And even if there is one but not the other, the new Committee will be interested in the final outcome.

5.11 We are therefore unable to accede to the Minister's request for scrutiny clearance. We recognise that, in the circumstances, he may well be unable to submit the final text of the draft Directive to the next Committee for scrutiny prior to a formal vote in Council. That being so, we are confident that our successors will not object to the Minister agreeing to its adoption, should he (or his successor) decide that it is in the national interest so to do.

5.12 But we shall expect nonetheless that the Minister, or his successor, deposit any final text along with a fresh Explanatory Memorandum, outlining its provisions in detail, and explaining why he (or she) voted as he (or she) did at the end of the day.

5.13 In the meantime, we shall continue to retain the document under scrutiny.

Full details of the documents: Draft Directive concerning measures to ensure a high common level of network and information security across the Union: (34685), 6342/13 + ADDs 1-2, COM(13) 48.

Background

5.14 The context to the proposed Directive is set out in the over-arching Joint Communication 6225/13, "Cybersecurity Strategy of the European Union: An Open, Safe and Secure Cyberspace", which we also considered at our meeting on 13 March 2013.[6]

The draft Directive

5.15 The draft Directive is fully summarised in our first 2013 Report.[7] In essence, it aims to ensure a high common level of network and information security (NIS): to put in place measures to avert or minimise the risk of a major attack or technical failure of information and communication infrastructures (ICT) in Member States.

5.16 Most recently the Minister wrote on 26 January 2015 to explain that "some considerable differences" had emerged between the positions of the Council and the EP on which businesses should be included within the Directive's scope:

—  "For the Council it is important that the scope of this Directive focuses on those businesses that provide critical services on whose networks a cyber-incident would cause major disruption to society or the economy. Furthermore, it is only Member States that are in the position to identify these businesses at a national level. Retaining these two principles within the text is of utmost importance to the UK Government"; and

—  the European Parliament "would prefer to include all businesses within the sectors identified in the Directive (the original list included energy, transport, health, finance, banking and digital services) with an exception for micro-enterprises".

5.17 The Minister understood that the Latvian Presidency intended to schedule sufficient working group time to debate this issue of scope and critical infrastructure and also to reach agreement on the unresolved issue of whether digital services should be included in the text. The Minister "firmly" believed "that such businesses should not be included within scope of the Directive", and warmly welcomed "this pause in proceedings", which he said would "give us sufficient time to properly consider any possible compromise text".

5.18 In its response, the Committee noted that he had made the Government's position very clear: but that there was now a major gap to be closed. In the first instance, the Committee asked for a further update once the working group process had got under way and there was any sign of a resolution to this impasse.

5.19 The Committee also reminded the Minister that the dossier remained under scrutiny and that it expected him and his officials to have in the forefront of their minds the earlier exchanges on this matter, as set out in detail in our earlier Reports.

The Minister's letter of 4 March 2015

5.20 The Minister now provides a further update on the progress within the Council working group and, "given the timing of the upcoming election", asks the Committee to release the document from scrutiny.

5.21 He does so in the following terms:

"When I last wrote to you I explained that the informal trilogue negotiations with the European Parliament had been paused to give Council the time to discuss the detail of two aspects of the file. First, whether the final decision on which companies should fall in or out of scope of the requirements should rest with Member States and second, whether digital services should fall within scope of the Directive.

"On the first point, the Council has been extremely clear: given that it is only Member States that can determine which companies provide an 'essential service', it must be left up to Member States to draw up the final list of operators that fall within scope of the Directive's requirements. The European Parliament would prefer for all but the smallest operators in a sector to automatically fall within scope of the Directive. In order to bridge the gap between the Council and the Parliament the Presidency has suggested some stronger criteria for Member States to use when determining which companies would fall within scope. I am content that the criteria would be sufficiently flexible for there to be minimal change to the way that the UK currently identifies critical operators.

"On the second point, there has not yet been an agreement on the Council position but we have made considerable progress. As I have outlined in my previous letters the UK has pushed extremely strongly to exclude digital services from the scope of the Directive throughout the negotiation. Whilst we do have some support for this position in Council, we have encountered strong opposition from those countries that want digital services included in the final agreement.

"In order to reach a compromise the Presidency has suggested reducing the list of digital sectors so that it would include search engines, e-commerce platforms and cloud computing services but exclude e-payment gateways, application stores and social media. Given this reduction in the list and the important concession that it will be up to Member States to identify which companies should be in or out of scope, I consider this to be a considerable narrowing of scope. My officials will also be working closely with their counterparts in the European Parliament to encourage them to stick to their position that digital services should be entirely out of scope during the informal trilogue.

"Following two working groups to iron out the final details, on 11 March the Latvian Presidency will ask COREPER to agree to a mandate for the third informal trilogue; the meeting with the European Parliament will then take place at some point in late March. This presents an issue with the timing given the upcoming election as it will be impossible to communicate the detail of any informal agreement to the Committee before Parliament is prorogued. I am therefore asking you to release the file from scrutiny in order for the Government to take part in the formal vote on the Directive which I expect will take place in early summer.

"Whilst it is obviously disappointing that I am not able to provide the Committee with the final detail of the text, I hope that you will agree that considerable progress has been made on this file:

·  "With regards to the institutional architecture that Member States are required to have in place we have secured considerable flexibility in comparison with the original proposal. Instead of one single 'competent authority' on network and information society, we will be able to have a number of sector-specific competent authorities which will more closely mirror the structures that we already have in place. Likewise requirements related to developing a national cyber security strategy and the national Computer Emergency Response Team (CERT) have been made more flexible and I anticipate minimal disruption to the current UK system.

·  "The changes to pan-EU cooperation and information sharing have been the widest reaching as this section of the Commission's original proposal has been entirely rewritten. The UK was the driving force behind these changes and much of the new language comes directly from UK suggestions. The mandatory operational cooperation aspects have been entirely deleted and the Directive now includes an extremely limited compulsory information sharing requirement: we will only have to share limited information about incidents when they have a significant impact in another country. There will be cooperation on a political and strategic level between Member State officials and also on a technical level between our CERTs which I hope will be helpful in developing trust between Europe on network and information security.

·  "I have outlined above the changes that we have secured with regard to the scope of the Directive. The original proposal anticipated that all but the very smallest companies in a wide range of sectors would fall within scope of the requirements. During the negotiation we have successfully changed the approach so that it is now up to the Member States to decide which operators provide essential services to their economy and society and should therefore fall within scope of the Directive. In addition I am confident that the number of digital services sectors will be significantly reduced — either to three or (ideally) to none. In practice this will considerably reduce the number of companies that have to meet these new regulatory requirements.

·  "As anticipated from the start of negotiations, mandatory reporting of security breaches has remained within the text of the agreement: the Commission, the European Parliament and most other Member States view this as the backbone of the legislation. We have made important changes to this text though which will provide far more flexibility around reporting, for example the sort of incident that would need to be reported, which will make it easier to implement the legislation in a light touch fashion.

·  "All delegated acts have been removed from the text and only one implementing act remains which will require the Commission to define the logistics of how the cooperation group will work. As this will not be politically contentious I judge this to be an appropriate use of an implementing act."

5.22 The Minister concludes by hoping that the Committee will agree that he has secured important changes to this text during the course of the negotiation and, "mindful of the dates of the upcoming election", reiterates his request that the Committee release the Directive from scrutiny.

5.23 On 11 March 2015, the Council issued the following statement:

"The Latvian presidency of the Council is ready to resume informal trilogue meetings with the European Parliament with a view to reaching a deal on a draft directive on network and information security (NIS). This reflects the priority given to this issue by heads of state and government at their 12 February informal meeting. The mandate was agreed by the Permanent Representatives Committee on 11 March 2015. The trilogue will be the first one on this proposal under the current presidency and the third one in total. The meeting is scheduled to take place in late April as requested by the European Parliament.

"WHAT IS THE NETWORK AND INFORMATION SECURITY PROPOSAL ABOUT?

"The objective of the network and information security proposal is to ensure a secure and trustworthy digital environment throughout the EU.

"The proposed rules being negotiated with the European Parliament would require designated operators that provide essential services (in areas such as energy, transport, banking and healthcare) and key Internet enablers (such as e-commerce platforms and search engines) to take measures to manage risks to their networks and notify their incidents to authorities. All member states would be required to adopt network and information security strategies and set up teams to respond to incidents. Cooperation networks would be created at EU level.

"WHAT BENEFITS IS IT EXPECTED TO BRING?

"Citizens and consumers will have more trust in the technologies, services and systems they rely on day-to-day. This increased confidence will mean a more inclusive cyberspace, and a digital economy that grows even faster, supporting economic recovery. Governments and businesses will be able to rely more on digital networks and infrastructure to provide their essential services at home and across borders. More secure e-commerce platforms could bring more customers online and create new opportunities. Providers of ICT security products and services would also benefit, as demand for their products and services is bound to increase, leading to innovative products and economies of scale. The EU economy will benefit as sectors that rely heavily on NIS will be better supported to offer a more reliable service.

"HOW WILL IT BECOME A LAW?

"The presidency negotiates the terms of the directive with the European Parliament on behalf of the Council. In order to be adopted, the legal act must be approved by both institutions. The Parliament adopted its position (first-reading amendments) in March 2014."[8]

Previous Committee Reports

Sixteenth Report HC 219-xvi (2014-15), chapter 1 (29 October 2014); Fifteenth Report HC 219-xv (2014-15), chapter 1 (22 October 2014); Thirteenth Report HC 219-xiii (2014-15), chapter 6 (15 October 2014); Twelfth Report HC 219-xii (2014-15), chapter 4 (10 September 2014); First Report HC 219-i (2014-15), chapter 2 (4 June 2014); Thirty-fifth Report HC 86-xxxv (2012-13), chapter 6 (13 March 2013); Fortieth Report HC 86-xxxix (2012-13), chapter 4 (24 April 2013); Forty-fifth Report HC 83-xl (2013-14), chapter 2 (2 April 2014); also see (34680), 6225/13: Thirty-fifth Report HC 86-xxxv (2012-13), chapter 3 (13 March 2013).


6   See (34680), 6225/13: Thirty-fifth Report HC 86-xxxv (2012-13), chapter 3 (13 March 2013).

7   See (34685), 6342/13: Thirty-fifth Report HC 86-xxxv (2012-13), chapter 6 (13 March 2013).

8   Press Release.

© Parliamentary copyright 2015
Prepared 27 March 2015