Documents considered by the Committee on 6 January 2016 - European Scrutiny Contents


5   Network Information Security across the EU

Committee's assessment Legally and politically important
Committee's decisionNot cleared from scrutiny; further information awaited; drawn to the attention of the Business, Innovation and Skills Committee and Culture, Media and Sport Committee
Document detailsDraft Council Directive to ensure a high common level of network and information security across the European Union
Legal baseArticle 114 TFEU; ordinary legislative procedure; QMV
DepartmentCulture, Media and Sport
Document Numbers(34685), 6342/13 + ADDs 1-2; COM(13) 48

Summary and Committee's conclusions

5.1  The proposed Directive, of early 2013, aims to put measures in place in order to avert or minimise the risk of a major attack or technical failure of information and communication infrastructures (ICT) in Member States.

5.2  In essence, it aims to put measures in place in order to avert or minimise the risk of a major attack or technical failure of information and communication infrastructures (ICT) in Member States. It includes:

—  obliging all Member States to produce a national cyber security strategy, including establishment of "competent authority" and a Computer Emergency Response Team (CERT) in each Member State;

—  mandating information sharing between Member States, as well as establishing a pan-EU cooperation plan and coordinated early warnings and procedure for agreement of EU coordinated response for cyber incidents;

—  promoting the adoption of good risk management practices by the private sector through expanding the requirement of obligatory security breach disclosure (currently imposed only upon the telecoms sector) to the finance, energy, transport and health sectors, as well as to "providers of internet society services"; and

—  encouraging the take up of cyber security standards, with possible harmonisation measures being taken by the Commission.[42]

5.3  In the 18 months following the draft Directive's publication, a number of contentious issues were satisfactorily resolved, and have been reported to the House (see the previous Committee's several Reports for details).[43]

5.4  The "Background" below summarises developments during 2015. At the time of our last Report, there were two outstanding issues: scope (much the more important) and operational cooperation.

5.5  The Minister reported last November that a text had been developed that met his "light touch/consistent across the EU" objectives, based on the following principles:

·  exclusion of companies with under 50 employees;

·  the digital service provider would have a relationship with one supervisory Member State only, not with all the countries to which they offer services;

·  a separate Annex for digital service to clarify that they should be treated differently to the "essential" infrastructure operators;

·  companies would be able to identify the security measures that were appropriate and proportionate to manage the risks posed;

·  notification of only the most "substantial" incidents; and

·  light touch supervision only when "evidence" of non-compliance was presented to a Member State.

5.6  Stakeholders (unspecified) had confirmed that this text was "a notable improvement on the previous approach". The Minister was "content" that this would provide "the necessary safeguards to avoid a patchwork of different rules for digital companies across the EU" and "represents a much lighter approach than the original text"; all in all, the Minister believed most companies would be able "to retain the security approach that they already have in place, considerably reducing the regulatory burden on them".

5.7  Looking ahead, the Presidency was "planning to informally test this new text with the European Parliament in late November to take on board their feedback". Nevertheless, "[t]here are still a few outstanding areas that will require further discussion and negotiation, for example the legal definition of the digital service providers". However, "[g]iven the progress secured by the Luxembourg Presidency I expect that Council will be asked to formally endorse a final text of the Directive in the New Year" (see our previous Report for further details).

Our assessment

5.8  The matters uppermost in our mind revolved around two issues. Firstly, the final scope of the proposed Directive, where — as the Minister made clear — still further discussion and negotiation was required, for example the legal definition of the digital service providers.

5.9  Secondly, the negotiating process. As long ago as March 2014, the European Parliament (EP) adopted a First Reading position. Then, a year later, the Minister was anticipating agreement during the prorogation based on a much-changed text. Instead, there had been a number of subsequent "informal" exchanges involving the Presidency, the relevant Council working group, the Commission and the EP, with a further one in prospect, "informally" testing the latest text and with the "feedback" then to be taken into account. Somewhere along this timeline the Minister seemingly expected all the remaining uncertainties to be resolved, such that a formal Council position could be adopted in the New Year — with a view to adoption of the proposal at its second reading.

5.10  The process was thus opaque. In the first instance, the Committee asked the Minister to write again as soon as the informal testing of the new text with the European Parliament had been completed, outlining how matters then stood and what his expectations were on timing and process.

5.11  We also reiterated the need, in due course, to hear from the Minister, via the depositing of a final text under cover of a fresh Explanatory Memorandum, explaining precisely what was now within the scope of the Directive and how it would affect the UK enterprises thus involved, and outlining the general benefits to the UK as well as the EU. Given the lack of clarity at this juncture, it was difficult to say precisely when that should be, other than well before it went to the Council — whether that was for endorsement of its formal first reading position; or if there was to be agreed, at that level, a text for further negotiation (as opposed to "testing") with the European Parliament. This was to enable any questions that might continue to arise to be dealt with prior to that Council meeting.

5.12  We also asked the Minister to look backwards, along the negotiating process in 2015, and explain how it had been conducted; in particular, at which stages decisions were taken in COREPER, and whether and to what extent he himself had been involved in giving COREPER direction or guidance before the process moved to the next stage.

5.13  In the meantime, we continued to retain the draft Council Directive under scrutiny.

5.14  We also again drew these developments to the attention of the Business, Innovation and Skills and Culture, Media and Sport Committees because of the importance of the central issue — protecting critical digital and digitally-dependent infrastructure — and the fact that the "end game" was now clearly in prospect.

5.15  The Minister responded a day before the House rose for the Christmas recess. He agrees that "the process on this negotiation has been particularly opaque, even in the context of the European system".

5.16  He now reports that, after informal trilogues on 17 November and 7 December 2015:

"the Presidency announced that an informal agreement had been reached on the Directive, the text of which was communicated to me yesterday.[44] This will be considered by COREPER on Friday.[45] I will remind COREPER that this Committee is holding the file under scrutiny."

5.17  The Minister also attaches the text; but at the same time, noting that it is marked limité, asks that "the Committee do not publish the document, respecting its limité status".[46] His letter accordingly serves "to relay the Directive's obligations — in addition to an Explanatory Memorandum, which I will deposit once a public text is ready for agreement" — whereby he hopes that "the outline of the informal agreement helps the Committee to prepare their position on this file in advance of the EM issuing and sent to the Committee before formal agreement at a Council meeting in the new year".

5.18  The Minister's "outline of the informal agreement" is set out below (see paragraph 5.44 below for details). In summary:

—  Institutional obligations on Member States:

·  the majority of the proposals are based on the UK approach, with a text that is now flexible enough to ensure minimal disruption to the UK's current approach and structures;

—  Scope:

·  water, health, transport, energy, internet exchange points, domain name services and finance and banking (with an exemption for those financial firms that already comply with similar EU rules related to network protection);

·  the UK authorities will determine during transposition which infrastructure operators should fall within scope, based on their criticality;

·  the criteria will not interfere with how the UK authorities identify critical national infrastructure;

·  specific obligations for firms in terms of risk management and reporting will be outlined in national guidance following EU level discussions;

·  overall:

"the text addresses the real need for infrastructure companies to raise their level of network security whilst providing Member States with the flexibility to make the final decisions on what exactly that security should look like."

—  Impact on Digital Services:

·  an exemption for micro and small businesses;

·  the final text will only apply to search engines, e-commerce platforms and cloud computing companies;

·  E-payment gateways, application stores and social networks have been removed from scope;

·  digital companies will be allowed to select their own approach to risk management based on a list drawn up by the European Network and Information Security Agency (ENISA) in consultation with the affected sectors and codified in implementing acts, which "will avoid a patchwork of different obligations for global companies";

·  incident reporting will apply for only the most "significant" network incidents;

·  the companies in scope will only have to deal with one "home" Member State when reporting incidents, rather than each country where they offer services;

·  taken together, the obligations "are proportionate and effective in delivering the desired security goals", and the sectors themselves "are clearly defined"; while there "will be some challenges in transposition", the Minister is "confident that we have minimised the risk of fragmentation that would have represented a considerable burden on these global firms".

—  Cooperation and information sharing aspects:

·  the revised Directive will establish two new cooperation mechanisms on network security: one to discuss the technical and policy aspects of security (for example sharing best practices and discussing skills issues) and an operational network of Computer Security Incident Response Team (CSIRTs), who will determine their rules of procedure and their priorities;

—  General benefits for the UK and the EU:

·  the final result is balanced and proportionate;

·  the introduction of the first formal discussion group of Member State CSIRTs will "raise the level of cooperation and information sharing on network security without mandating to Member States how this should be done, safeguarding our national security interests in this area";

·  the rules on businesses are much improved: only the most important infrastructure operators will be obliged to follow these rules and the UK will have the flexibility to determine both the final list of operators in scope and the rules these companies will have to follow;

·  the text recognises that digital companies face different challenges and threats to infrastructure operators and so these requirements are lighter-touch and safeguard against a fragmented application;

·  the net result of these obligations will be to raise the level of network security across the economy, minimising the risk of a cyber-attack and safeguarding both essential services and customer information.

5.19  All in all, the Minister is:

"content that the UK has helped ensure the deal on the table strikes a good balance: enabling cooperation between countries across Europe, whilst being flexible, proportionate and minimising the impact on business. It is now broadly in line with the announcements made on cyber security as part of the UK's recent Strategic Defence and Security Review."[47]

5.20  The Minister has continued with his characteristic openness.

5.21  The outcome thus far, as outlined by the Minister, would appear to be satisfactory. But we again draw these developments to the attention of the Business, Innovation and Skills Committee and Culture, Media and Sport Committee, in order to ensure that our inexpert eye has not overlooked anything important.

5.22  We now look forward to hearing further from the Minister, in line with our overall requirements (c.f. paragraphs 5.9 and 5.11 above).

5.23  The Minister sympathises with our views on the opacity of the negotiating process. We remind him that we have also asked him to look backwards, along the negotiating process in 2015, and explain how it was conducted; in particular, at which stages decisions were taken in COREPER, and whether and to what extent he himself had been involved in giving COREPER direction or guidance before the process moved to the next stage [c.f. paragraph 5.12 above] for a full text with a revised Explanatory Memorandum.

5.24  In the meantime, we shall continue to retain the draft Directive under scrutiny.

Full details of the documents: Draft Directive concerning measures to ensure a high common level of network and information security across the Union: (34685), 6342/13 + ADDs 1-2, COM(13) 48.

Background

5.25  The Commission's starting point was that the NIS Directive should cover "key internet enablers, i.e. those players whose services, delivered through the internet, empower key economic and social activities". The Commission thus originally proposed to extend the obligation to report significant cyber incidents to:

—  key internet companies (e.g. large cloud providers, social networks, e-commerce platforms, search engines);

—  the banking sector and stock exchanges;

—  energy generation, transmission and distribution;

—  operators of air, rail and maritime transport and logistics;

—  health; and

—  public administration.

5.26  These sectors are "the ones for which the importance to ensure cybersecurity is widely recognised". Hardware manufacturers and software developers are exempted; ditto specific sectors or sub-sectors (e.g., insurance, water, food supply). Internet Service Providers or the network owners already report incidents under the risk management and incident reporting obligations under the EU Telecom Framework Directive, where the European Network and Information Security Agency plays the central role (see ENISA). News agencies and publishers, even when they provide IT and/or online services, are not covered; they are "not key internet enablers like large eCommerce or cloud platforms, booking engines or social networks. Neither are Web browsers like Mozilla Firefox or websites like Wikipedia or content management systems like Wordpress".

5.27  To ensure that companies do not end up dealing with 27 systems for reporting breaches, common reporting systems would be developed through implementing measures. Specific templates could also be developed by ENISA, which had already brought together national regulators to develop harmonised national measures for risk management and incident reporting as part of the EU telecoms rules.

5.28  The Commission was not a standard-setting body; the proposed Directive aimed to lift the quality and assurance of cybersecurity, not impose any specific technical standards or mandate particular technological solutions.

5.29  The proposed Directive does, however:

"impose the take-up of a minimum level of security by obliging critical infrastructure operators, key internet companies and public administrations to manage risks and report significant incidents. It also details a minimum set of NIS capabilities which Member States are required to put in place (e.g. a well-functioning Computer Emergency Response Team (CERT) which is adequately staffed and resourced). Member States are free to go beyond and adopt or maintain stricter security requirements."

5.30  In the 18 months following the draft Directive's publication in early 2013, a number of contentious issues were satisfactorily resolved, and have been reported to the House (see the previous Committee's several Reports for details).[48]

5.31  In January 2015, the Minister for Culture and the Digital Economy at the Department for Culture, Media and Sport (Mr Edward Vaizey) then said that "some considerable differences" had emerged between the positions of the Council and the EP on which businesses should be included within the Directive's scope. The Council wished to focus on those businesses that provided critical services on whose networks a cyber-incident would cause major disruption to society or the economy; and only Member States were in the position to identify these businesses at a national level — retaining these two principles within the text was of utmost importance to the Government.

5.32  On the other hand, the EP wanted to include all businesses within the sectors identified in the Directive (the original list included energy, transport, health, finance, banking and digital services; see our previous Report for detail) with an exception for micro-enterprises. The Minister firmly believed that such businesses should not be included within the scope of the Directive; this pause in proceedings would "give us sufficient time to properly consider any possible compromise text".

5.33  Come 1 March 2015, the Council confirmed that the Latvian presidency was "ready to resume informal trilogue meetings with the European Parliament with a view to reaching a deal on a draft directive on network and information security", on the basis of a mandate agreed by the Permanent Representatives Committee on 11 March 2015; that the trilogue would be the first one on this proposal under the current presidency and the third one in total; and that the meeting was scheduled to take place in late April, as requested by the European Parliament.[49]

The then Committee's assessment

5.34  The then Committee again commended the Minister for the openness that had characterised his approach to this difficult dossier, which they regarded as worthy of wider study, as "best practice", by the Cabinet Office and scrutiny teams across Whitehall.

5.35  However, there was still much uncertainty about important elements of what remained of the original text. The European Parliament had changed its tune before. By early summer, there would be not only a new Government but also a new Committee. And even if there were one but not the other, the new Committee would be interested in the final outcome.

5.36  The then Committee was therefore unable to accede to the Minister's request for scrutiny clearance. However, they recognised that, in the circumstances, it might well be impossible for the Minister to submit the final text of the draft Directive to its successor for scrutiny prior to a formal vote in Council. That being so, they professed themselves confident that their successors would not object to the Minister agreeing to its adoption, should he (or his successor) decide that it was in the national interest so to do.

5.37  But they expected nonetheless that the Minister, or his successor, would deposit any final text along with a fresh Explanatory Memorandum, outlining its provisions in detail, and explaining why he (or she) voted as he (or she) did at the end of the day.

5.38  In the meantime, they continued to retain the document under scrutiny.[50]

5.39  The Minister then wrote in September 2015: the European Parliament had broadly accepted the Council's fundamental principles — that the decision as to whether a company provided an "essential service" or not should be left up to Member States, and that this list had national security implications and therefore could not be publicly disclosed. The Minister judged that concessions made in exchange on operational cooperation would not "impact on how the UK currently identifies its Critical National Infrastructure", and that this compromise represented "an acceptable outcome for the UK".

5.40  With regards to the "internet enablers",[51] the Presidency's new "principles based" and "much lighter-touch approach" would result in consistent rules for digital companies across the EU and avoid the patchwork approach about which he was previously concerned. The Presidency's paper also included an option for voluntary reporting of network incidents and suggested reducing the number of sectors included in scope. From contact with Parliamentarians, the Minister believed that the paper was close to a position that the EP could accept. Further discussion during September would inform the drafting of a detailed legal text which would "then be submitted to the European Parliament for consideration".

5.41  Though disappointed that the majority of Council was not amenable to removing digital sectors from scope altogether, the Minister judged that the Presidency's paper set out "sensible principles that will significantly reduce the regulatory burden on these types of businesses". His final judgement, however, would depend on the detailed text that emerged from the Council working group discussions; he undertook to write again, "outlining this detail when it has been agreed" (see our previous Report for further details).

The Minister's letter 16 December 2015

5.42  The Minister begins by agreeing with the Committee that the process on this negotiation has been "particularly opaque, even in the context of the European system", and continues thus:

"three subsequent Presidencies have assured Council that agreement has been within their reach and, as the Committee notes, the European Parliament voted on its position over 18 months ago. Informal trilogues have been scheduled and cancelled, or scheduled at the last minute and so it has been hard to provide the Committee with clarity on the process in advance although I hope that my letters of September and November provided sufficient updates on progress.

"Two such informal trilogues took place on 17 November and 7 December. COREPER approved the Presidency's approach in advance of both trilogues. As the proposed text was within the Government's approved position I did not provide any specific instruction other than to remind COREPER that this file remains under UK Parliamentary Scrutiny.

"Following the 7 December information trilogue the Presidency announced that an informal agreement had been reached on the Directive, the text of which was communicated to me yesterday. This will be considered by COREPER on Friday.[52] I will remind COREPER that this Committee is holding the file under scrutiny."

5.43  The Minister then says:

"I have attached this text for the Committee's information. As it is marked limité I am using this letter to relay the Directive's obligations — in addition to an Explanatory Memorandum, which I will deposit once a public text is ready for agreement. I would also ask that the Committee do not publish the document, respecting its limité status. I hope that the outline of the informal agreement helps the Committee to prepare their position on this file in advance of the EM issuing and sent to the Committee before formal agreement at a Council meeting in the new year."

5.44  The Minister then turns to key components of the revised Directive, as follows:

"INSTITUTIONAL OBLIGATIONS ON MS

"The UK will be obliged to meet certain requirements to improve their institutional cyber security functions including maintaining a national Computer Security Incident Response Team (CSIRT), publishing a national network and information security strategy and identifying competent authorities and a single point of contact responsible for network and information security. The majority of these proposals were based on the UK approach.

"During the negotiation, I pushed for maximum flexibility in terms of how these requirements could be implemented; the text is now flexible enough that it will result in minimal disruption to our current approach and structures.

"IMPACT ON INFRASTRUCTURE SECTORS

"The Directive will require Member States to ensure that operators of essential services in certain infrastructure sectors put in place appropriate and proportionate risk management approaches and report network incidents that disrupt the continuity of the services that they provide. The sectors in scope are water, health, transport, energy, internet exchange points, domain name services and finance and banking (although there is an exemption for those financial firms that already comply with similar EU rules related to network protection).

"The main change secured in this section is that it will be up to the UK to determine during transposition which infrastructure operators should fall within scope of the Directive based on their criticality; the criteria set out in the text will not interfere with how we identify our own critical national infrastructure. This change will significantly reduce the burden on the sectors in scope. The specific obligations for firms in terms of risk management and reporting will be outlined in national guidance following EU level discussions, again, a significant improvement from the initial proposal which said that these rules would set by the Commission via implementing acts.

"Overall I believe that the text addresses the real need for infrastructure companies to raise their level of network security whilst providing Member States with the flexibility to make the final decisions on what exactly that security should look like.

"IMPACT ON DIGITAL SERVICES

"In terms of digital services we have secured an exemption for micro and small businesses and the final text will only apply to search engines, e-commerce platforms and cloud computing companies. E-payment gateways, application stores and social networks have been removed from scope.

"The definitions of the three sectors that remain within scope have been significantly improved. My officials worked with industry stakeholders who also advised other Member States, the European Parliament, the Commission and the Presidency to make sure that the final text appropriately reflects the sectors. In particular, there were notable improvements to the definition of the cloud sector which now better reflects current business models. Any reference to these sectors being 'critical' has been rejected and text has been introduced to ensure that these definitions will only apply in the context of the NIS Directive to avoid setting difficult precedents for the wider digital single market.

"There has been agreement on recital text that would allow digital companies to select their own approach to risk management based on a list drawn up by the European Network and Information Security Agency (ENISA) in consultation with the affected sectors and codified in implementing acts, which will avoid a patchwork of different obligations for global companies. Incident reporting will apply for only the most 'significant' network incidents. The supervisory arrangements also provide clarity that the companies in scope will only have to deal with one 'home' Member State when reporting incidents, rather than each country where they offer services. In terms of the supervision itself, the obligations are now much lighter touch and expensive audits have been removed from scope.

"Taken together, these developments mean that the obligations on firms in scope are proportionate and effective in delivering the desired security goals, and that the sectors themselves are clearly defined. There will be some challenges in transposition, but I am confident that we have minimised the risk of fragmentation that would have represented a considerable burden on these global firms.

"COOPERATION AND INFORMATION SHARING ASPECTS

"The Directive will establish two new cooperation mechanisms between Member States on network security: one to discuss the technical and policy aspects of security (for example sharing best practices and discussing skills issues) and an operational network of CSIRTs. The CSIRTs themselves will determine their rules of procedure and their priorities; I felt that it was important that operational aspects were not set out in a legislative text. This will be the first time that all the EU Member States will come together to discuss the operational aspects of network security and I believe that this mechanism has the potential to significantly improve the European relationship on network security.

"In addition, the concerning proposals that would have required a very high level of information sharing and coordination across the EU in response to incidents have been amended so that cooperation and information sharing will take place on a voluntary basis. The one exception to this is when an incident to a UK service would have an impact on another Member State; this is in line with the information we currently share. These changes were driven by the UK and have addressed our concerns that information sharing on this scale could impact on our national security.

"GENERAL BENEFITS FOR THE UK AND THE EU

"This has been a challenging negotiation that has spanned a number of different aspects related to network security. Care and time has been taken to deal with each of these aspects separately to make sure that the final result is balanced and proportionate.

"I believe that the introduction of the first formal discussion group of Member State CSIRTs will raise the level of cooperation and information sharing on network security without mandating to Member States how this should be done, safeguarding our national security interests in this area.

"The rules on businesses are much improved: only the most important infrastructure operators will be obliged to follow these rules and the UK will have the flexibility to determine both the final list of operators in scope and the rules these companies will have to follow. The text recognises that digital companies face different challenges and threats to infrastructure operators and so these requirements are lighter-touch and safeguard against a fragmented application. The net result of these obligations will be to raise the level of network security across the economy, minimising the risk of a cyber-attack and safeguarding both essential services and customer information.

"I am content that the UK has helped ensure the deal on the table strikes a good balance: enabling cooperation between countries across Europe, whilst being flexible, proportionate and minimising the impact on business. It is now broadly in line with the announcements made on cyber security as part of the UK's recent Strategic Defence and Security Review."

5.45  The Minister concludes by again apologising that the "Committee feels that the final stages of this negotiation have been opaque — a sentiment I sympathise with" that he has asked his officials "to remain in close contact with your clerks so that the Committee has all the information necessary to assess the final result of the negotiation".

Previous Committee Reports

Eleventh Report HC 342-xi (2015-16), chapter 3 (2 December 2015); Thirty-seventh Report HC 219-xxxvi (2014-15), chapter 5 (18 March 2015); Sixteenth Report HC 219-xvi (2014-15), chapter 1 (29 October 2014); Fifteenth Report HC 219-xv (2014-15), chapter 1 (22 October 2014); Thirteenth Report HC 219-xiii (2014-15), chapter 6 (15 October 2014); Twelfth Report HC 219-xii (2014-15), chapter 4 (10 September 2014); First Report HC 219-i (2014-15), chapter 2 (4 June 2014); Thirty-fifth Report HC 86-xxxv (2012-13), chapter 6 (13 March 2013); Fortieth Report HC 86-xxxix (2012-13), chapter 4 (24 April 2013); Forty-fifth Report HC 83-xl (2013-14), chapter 2 (2 April 2014); also see (34680), 6225/13: Thirty-fifth Report HC 86-xxxv (2012-13), chapter 3 (13 March 2013).


42   For the full Commission summary of the draft Directive, see Proposed Directive on Network and Information Security - frequently asked questions of 7 February 2013. Back

43   See Sixteenth Report HC 219-xvi (2014-15), chapter 1 (29 October 2014); Fifteenth Report HC 219-xv (2014-15), chapter 1 (22 October 2014); Thirteenth Report HC 219-xiii (2014-15), chapter 6 (15 October 2014); Twelfth Report HC 219-xii (2014-15), chapter 4 (10 September 2014); First Report HC 219-i (2014-15), chapter 2 (4 June 2014); Thirty-fifth Report HC 86-xxxv (2012-13), chapter 6 (13 March 2013); Fortieth Report HC 86-xxxix (2012-13), chapter 4 (24 April 2013); Forty-fifth Report HC 83-xl (2013-14), chapter 2 (2 April 2014); also see (34680), 6225/13: Thirty-fifth Report HC 86-xxxv (2012-13), chapter 3 (13 March 2013). Back

44   i.e. on 15 December 2015. Back

45   i.e., on 18 December 2015. Back

46   Limité is not a security classification, but a distribution marking. Council Secretariat guidance states that documents marked limité may be given to any member of a national administration of a member state and the Commission; for the purposes of this guidance, national Parliaments are considered as part of national administrations. Limité documents may not, however, be given to any other person, the media, or the general public without specific authorisation, nor may they be published in any way which makes them accessible in the public domain. It is for Member States to decide whether to share limité documents with their national Parliaments. However, the document must retain the limité marking and so must not be used by the Parliamentary Committees in any way which makes public the substance or detail of the document. Back

47   C.f. National Security Strategy and Strategic Defence and Security Review 2015. Back

48   See Sixteenth Report HC 219-xvi (2014-15), chapter 1 (29 October 2014); Fifteenth Report HC 219-xv (2014-15), chapter 1 (22 October 2014); Thirteenth Report HC 219-xiii (2014-15), chapter 6 (15 October 2014); Twelfth Report HC 219-xii (2014-15), chapter 4 (10 September 2014); First Report HC 219-i (2014-15), chapter 2 (4 June 2014); Thirty-fifth Report HC 86-xxxv (2012-13), chapter 6 (13 March 2013); Fortieth Report HC 86-xxxix (2012-13), chapter 4 (24 April 2013); Forty-fifth Report HC 83-xl (2013-14), chapter 2 (2 April 2014); also see (34680), 6225/13: Thirty-fifth Report HC 86-xxxv (2012-13), chapter 3 (13 March 2013). Back

49   The press release also contained a summary of the objectives of the Directive, of the proposed rules being negotiated with the European Parliament and of the purported benefits to consumers and citizens. See Network and information security: presidency re-launches talks with EP for details.  Back

50   See Thirty-seventh Report HC 219-xxxvi (2014-15), chapter 5 (18 March 2015). Back

51   The Commission's starting point was that the NIS Directive should cover "key internet enablers, i.e. those players whose services, delivered through the internet, empower key economic and social activities". Back

52   i.e., 18 December 2015. Back


 
previous page contents next page


© Parliamentary copyright 2016
Prepared 15 January 2016