Committee’s assessment: Legally and politically important
Committee’s decision: Not cleared from scrutiny; further information requested
Document details: (a) Proposal for a Regulation of the European Parliament and of the Council on ENISA, the “EU Cybersecurity Agency”, and repealing Regulation (EU) 526/2013, and on Information and Communication Technology cybersecurity certification (“Cybersecurity Act”); (b) Communication from the Commission to the European Parliament and the Council: Making the most of NIS—towards the effective implementation of Directive (EU) 2016/1148 concerning measures for a high common level of security of network and information systems across the Union; (c) Report from the Commission to the European Parliament and the Council on the evaluation of the European Union Agency for Network and Information Security (ENISA); (d) External Action Service Joint Communication to the European Parliament and to the Council: Resilience, Deterrence and Defence: Building strong cybersecurity for the EU
Legal base: Article 114 TFEU; ordinary legislative procedure; QMV
Department: Digital, Culture, Media and Sport; Foreign and Commonwealth Office
Document Numbers: (a) (39045), 12183/17, COM(2017) 477; (b) (39021), 12205/17 + ADD 1, COM(17) 476; (c) (39022), 12208/17, COM(17) 478; (d) (39050), 12211/17, COM(17) 450
3.1 As part of its Digital Single Market Strategy, the Commission has brought forward a ‘Cybersecurity package’ which proposes to make the European Union Agency for Network and Information Security (ENISA) permanent and to update its mandate to reflect current and future needs in the field of cybersecurity.
3.2 The principal changes proposed involve granting ENISA enhanced roles in EU-level cybersecurity policy development and implementation, entrusting it with coordinating responses to large-scale cross-border cybersecurity emergencies, and asking it to implement a new “cybersecurity certification framework” which seeks to minimise market fragmentation. This would avoid (for example) smart meter providers having to pay standards organisations in different Member States large sums in order to have their products accredited in each jurisdiction.
3.3 The main elements of the package were trailed in a December 2016 communication on “strengthening Europe’s Cyber Resilience System and Fostering a Competitive and Innovative Cybersecurity Industry”.[12] The Commission received support for its approach in the European Council’s conclusions of June 2017.[13] The Council of Ministers had also previously called on the Commission to take further steps specifically to address cybersecurity certification at the European level.[14] The package of proposed changes is also informed by a report evaluating the effectiveness of ENISA’s performance,[15] which concludes that ENISA remains relevant but has been inhibited by its lack of a permanent mandate and by its limited resources relative to its broad mandate.
3.4 The legislative component of the package is the proposed revision of the existing ENISA Regulation[16] (hereafter “the Regulation”). In addition to making ENISA’s mandate permanent, the Regulation would shift the emphasis of ENISA’s activity somewhat towards the wider stakeholder community, particularly market-based operators.
3.5 Specific changes that are proposed include:
3.6 The Regulation emphasises that EU cybersecurity certification schemes for ICT products would make use of existing standards rather than developing technical standards themselves, and that participation in European certification schemes will remain voluntary (unless legislation laying down security requirements for ICT products were to require otherwise).
3.7 Despite these changes there is a high degree of continuity with ENISA’s former mandate and activities, which retain a strong focus on supporting the Member States by facilitating cybersecurity cooperation between them, sharing best practice and assisting in capacity building.
3.8 The Minister (Matt Hancock) does not provide a detailed analysis of the policy implications of the proposal, and states that officials will assess policy implications, including the Government’s position on subsidiarity, during negotiations. The Minister states that a certain degree of EU coordination is beneficial to manage cross-border cyber risks, and that “the current flexibility in the text means that the Government is content that the proposed measures remain proportionate to the need”. Despite the Commission’s use of the word “operational” to describe the role envisaged for ENISA in cybersecurity crisis management, the Minister suggests that this does not actually amount to a traditional operational role.
3.9 On Brexit, the Minister acknowledges that the UK will need to enter into negotiations to agree its future relationship with ENISA after the UK leaves the European Union. He states that negotiations on the proposed Regulation will commence at the end of October, and are unlikely to conclude before the UK leaves the EU in 2019. The Minister adds, in a separate memorandum on a Communication on the implementation of the Network and Information Systems (NIS) Directive,[17] that the Government is looking at how it can limit disruption should the UK assume third-country status.
3.10 Our initial assessment is that the proposed Regulation does not fall within the scope of the UK’s JHA Opt-In Protocol because, like the existing ENISA Regulation, the proposal has a Single Market legal base (Article 114 TFEU); the Court of Justice has rejected a previous UK challenge to this base.[18] The increased focus on market actors envisaged in the Regulation would appear to bring ENISA’s activities further into the ambit of its current Single Market legal base.
3.11 In parallel to the Commission’s proposed reforms to ENISA, the European External Action Service has issued a Communication[19] regarding the external dimension of cybersecurity. Recommended actions include factoring cybersecurity into trade and investment policy, encouraging the uptake of IPv6,[20] and intensifying EU-NATO cooperation on cybersecurity. The Minister for Europe and the Americas (Sir Alan Duncan) at the Foreign and Commonwealth Office (FCO) indicates that the Government supports the Communication’s overarching goal of making the EU proactive instead of reactive on cybersecurity issues, but outlines a number of areas of possible concern, including the impact of the EU certification framework on trade and investment, as well as possible conflicts between the operational role that is envisaged for ENISA and national processes.[21]
3.12 We thank the Government for its Explanatory Memoranda in relation to these cybersecurity-related documents. We note that the Government has not yet provided a detailed analysis of the policy implications of the proposed Regulation (12183/17), and states that it will develop its position during negotiations. We therefore request further clarification on the following points:
3.13 Regarding the implications of the UK’s impending withdrawal from the EU, we note the Government’s assessment that membership of ENISA itself is less valuable to the UK than it is for smaller Member States, and that the UK will need to enter into negotiations to agree its future relationship with ENISA after the UK leaves the European Union.
3.14 In relation to the provisions of the NIS Directive, we note the Government’s assessment that the main impacts of withdrawal, if there is a transition to third-country status, will be on the UK’s membership of the Cooperation Group and CSIRT network; mandatory annual incident reporting requirements on Member States; and the potential impact on UK digital service providers. We note that the Government is looking at ways in which it can maintain membership of the Cooperation Group and CSIRT network, amend incident reporting to make it voluntary or to remove the requirement to report to EU institutions, and minimise any negative impacts on digital service providers.
3.15 Regarding the Brexit implications of the proposal, we ask the Government to provide:
3.16 We ask the Government to respond to these questions, and to provide an update on any progress that has been made in the Council, by 20 January 2018 (or earlier, if progress in Council requires it), with DCMS coordinating input from the FCO where necessary. In the meantime we retain this proposal under scrutiny.
3.17 The European Union Agency for Network and Information Security (ENISA) was established by Regulation (EC) No 460/2004[23] to contribute to the overall goal of ensuring a high level of network and information security within the EU. The Agency has its administrative seat in Heraklion (Crete) and its core operations in Athens. ENISA is a small agency with a low budget (€11.25m) and a small staff (84) compared to other EU agencies. It is headed by an Executive Director and governed by a Management Board and an Executive Board made up of EU Member States and Permanent Stakeholders. An informal Network of National Liaison Officers facilitates outreach to EU Member States.
3.18 The ENISA Regulation sets out ENISA’s current mandate, which is due to expire on 19 June 2020. ENISA’s main task is to enhance capability to prevent and respond to network and information security problems within the EU by building on national and Union efforts. It does so through a series of activities across five areas, which are:
3.19 ENISA has also taken on specific additional roles and responsibilities in support of the implementation of Directive (EU) 2016/1148 on the security of network and information systems (the NIS Directive). It now provides the secretariat to the Computer Security Incident Response Teams (CSIRTs) Network, assists the NIS Cooperation Group in the execution of its tasks, and is intended to assist Member States and the Commission by providing expertise and advice and by facilitating best practice.
3.20 In December 2016, the Commission published a Digital Single Market Strategy communication on “strengthening Europe’s Cyber Resilience System and Fostering a Competitive and Innovative Cybersecurity Industry”,[24] which proposed that the EU develop a series of initiatives concerning cybersecurity certification and labelling, and bring forward the Commission’s evaluation of ENISA, which would address the need to modify or extend ENISA’s mandate. The Committee judged the file to be not legally or politically important and immediately released it from scrutiny.
3.21 Article 32 of the ENISA Regulation requires the Commission to undertake an evaluation of ENISA by June 2018 to assess the impact, effectiveness and efficiency of the agency and to consider whether the current mandate should be extended. The Commission has now carried out that evaluation, which included a public consultation alongside various studies and workshops, and this report outlines the findings.
3.22 The report concludes that ENISA plays a valuable role but that its current mandate does not equip it to meet the increasing cybersecurity challenges faced within the EU. Specific conclusions are that:
3.23 The Commission’s proposed Regulation (12183/17),[26] which provides a new mandate for ENISA, proposes the following basic changes:
3.24 The proposed Regulation also modifies the scope of ENISA’s mandate in multiple respects, to align it better with experience of what has demonstrated clear added value (as reflected in the Report) and with recent additions to its role, including those proposed in this Regulation.
3.25 The following are the main changes that are proposed to ENISA’s mandate:
3.26 The Commission argues that cybersecurity certification frameworks are important for developing trust in ICT products and services, but that the current certification landscape is patchy and as a result companies are often required to undergo multiple processes in order to offer products across EU Member States. This fragmentation increases costs for businesses. The Commission adduces various examples to illustrate this point—for example, the cost of smart meter cybersecurity certification in the UK is almost €150,000, and a similar amount in France. Ultimately, consumers bear a proportion of these increased costs.
3.27 In response, the Commission proposes to introduce a framework which will govern the introduction of EU-wide cybersecurity certification schemes. The Regulation itself does not introduce certification schemes, but seeks to create a system which will allow such schemes to be established and recognised across the EU. The proposal outlines the minimum content that would be required under such schemes. Specific cybersecurity certification schemes would be adopted by the Commission in the form of implementing acts, with ENISA playing a central role in their development.
3.28 Where the Commission adopts a specific certification scheme, national schemes or procedures covering the same products or services will immediately cease to apply. Manufacturers of ICT products or providers of ICT services would then be able to submit an application for certification to an accredited conformity assessment body of their choice.
3.29 The proposal establishes the European Cybersecurity Certification Group (the ‘Group’), consisting of the national certification supervisory authorities of all Member States, with ENISA and Commission officials providing the secretariat of the Group. The main task of the Group is to advise the Commission on issues concerning cybersecurity certification policy and to work with ENISA on the development of draft European cybersecurity certification schemes. ENISA would also liaise with standardisation bodies to ensure the appropriateness of the standards used in approved schemes and to identify areas in need of cybersecurity standards.
3.30 Member States will be responsible for monitoring, supervisory and enforcement tasks, and to this end they will appoint a certification supervisory authority.
3.31 Important limitations to the scope of the proposed framework include that:
3.32 The Commission has also issued a Communication[27] on Member States’ progress in implementing the NIS Directive, some background information on which is provided below.
3.33 The Security of Network and Information Systems Directive (2016/1148),[28] commonly known as the “NIS” Directive, was adopted by the European Parliament on 6 July 2016, and is the first substantive EU legislation on cybersecurity. Member States have until 9 May 2018 to transpose the Directive into domestic legislation.
3.34 The NIS Directive provides legal measures to boost the overall level of network and information system security in the EU by ensuring that Member States have in place a national framework to support and promote the security of network and information systems. It establishes a Cooperation Group, to support and facilitate strategic cooperation and the exchange of information among Member States, and a Computer Security Incident Response Team (“CSIRT”) network to promote swift and effective operational cooperation on specific network and information system security incidents, as well as the sharing of information about risks.
3.35 Under the NIS Directive, Member States are required to identify “Operators of Essential Services”—including operators in the energy, transport, water, financial services, banking, healthcare and digital infrastructure sectors. Certain digital service providers (search engines, cloud computing services and online marketplaces) will also have to comply with the security and incident notification requirements established under the Directive.
3.36 The Commission’s brief communication:
3.37 The Annex which accompanies the main communication provides detailed guidance on how the Commission believes that elements of the Directive should be interpreted.
3.38 In parallel to the Commission’s proposed changes to the ENISA Regulation and the associated cybersecurity communications described above, the External Action Service (EAS) has published a Communication setting out its proposed approach to the external dimension of cybersecurity. This is a non-legislative document.
3.39 The EAS provides a series of proposals on which the EU (Member States, EU Agencies and Institutions) might focus across a wide range of cyber policy areas. The principal intentions set out by the Commission in the Communication are:
3.40 On 28 September 2017 the Minister of State for Digital at the Department for Digital, Culture, Media and Sport (DCMS) provided the Committee with two Explanatory Memoranda: one in relation to the report evaluating ENISA and another regarding the proposed ENISA Regulation.
3.41 In the Government’s memorandum on the ENISA evaluation report,[32] the Minister states that DCMS “would largely agree with the findings of the report”. He suggests that because the UK has significant resources and capability in this field, the direct value it receives from ENISA is not substantial; the support ENISA provides to smaller, less advanced Member States is nonetheless helpful in building capability and expertise across the EU. ENISA has also played a useful role in the implementation of the NIS Directive.
3.42 In the Government’s memorandum on the proposed replacement of the ENISA Regulation,[33] the Minister explains that a detailed analysis of the policy implications of the proposal has not been provided, and that:
“Officials will assess the policy implications during the negotiations, which the UK will take part in while it remains a member of the EU.”
3.43 On Brexit, in addition to the usual paragraph of legal boilerplate about the implications of exiting the European Union, the Minister states that negotiations on the proposed Regulation will commence at the end of October, and are unlikely to conclude before the UK leaves the EU in 2019. He adds that the UK will therefore need to enter into negotiations to agree its future relationship with ENISA after the UK leaves the European Union.
3.44 The Minister does not express any clear subsidiarity concerns in relation to the proposed Regulation, stating that the Government believes that a certain degree of voluntary EU coordination is beneficial to manage the cross-border context of cyber risks. He states that “the current flexibility in the text means that the Government is content that the proposed measures remain proportionate to the need” and adds that the Government will further consider its position on subsidiarity during the negotiation process.
3.45 The Government’s summary of the proposal notes that the role for ENISA in the context of crisis management, including the delivery of an EU cybersecurity blueprint for cooperation in emergency cybersecurity incidents, is described as operational by the Commission and that this reference is likely to concern a number of Member States. However, the Minister notes that the detail of the text suggests that this is unlikely to constitute what the UK defines as a traditional operational role.
3.46 In a previous Explanatory Memorandum regarding the Commission’s communication on cybersecurity, which trailed this initiative, the Government had expressed a strong preference for global standards developed in international fora:
“With regards to the certification and labelling proposals, the UK has a long-standing position of support for open, global standards developed in international fora. We take this view because global standards enable UK industry to reach a global market, not just an EU market, and specifically in this instance because an EU standard will undermine an existing global standard. We would challenge any proposals that seek to create EU-only standards, or standards where the associated conformity checking can only be performed by/under the control of European bodies.”[34]
3.47 It may therefore be appropriate to seek further information on the Government’s views regarding the proposal, including its thinking about future UK-EU cooperation in the area of cybersecurity, as well as a clearer assessment of any tensions with global approaches to standardisation and of the “operational” role that is envisaged for ENISA.
3.48 In a separate memorandum on the Commission’s communication on implementation of the NIS Directive,[35] the Minister (Matt Hancock) describes the Communication as “a brief commentary by the Commission on NIS Implementation [which] makes no substantive changes to our NIS implementation.” He emphasises that the Government supports the overall aims of the NIS Directive—to increase the cybersecurity of Member States across the EU and protect citizens and businesses online—and says that the Government is considering how best to implement the NIS Directive in UK legislation in a manner that delivers a more secure environment for the UK’s essential services and digital service providers, balanced against the need to avoid placing unnecessary burdens on business. The UK’s proposed implementation takes into account the issues raised by the Commission in its Communication.
3.49 On Brexit, the Minister states that the impact of the UK’s departure from the European Union is being incorporated into the UK’s transposition preparations. He states that the main impacts of departure are:
3.50 The Minister states that the Government is looking at ways in which it can maintain membership of the Cooperation Group and CSIRT network, amend incident reporting to make it voluntary or to remove the requirement to report to EU institutions, and minimise any negative impacts on digital service providers.
3.51 Separately, the Minister for Europe and the Americas (Sir Alan Duncan) at the Foreign and Commonwealth Office has submitted an Explanatory Memorandum on the External Action Service’s Joint Communication: Resilience, Deterrence and Defence: Building strong cybersecurity for the EU.[36]
3.52 The Minister states that the Communication is not a policy document but represents a recommended policy approach: Member States will subsequently give their view on the policy approach in the form of Council Conclusions. Any subsequent action requiring Member State approval would be subject to the normal decision-making procedures.
3.53 The Minister emphasises that the publication of this Communication demonstrates the importance the Commission is placing on cybersecurity, and states that this is something that the UK supports. The Minister adds that the overarching goal of the Communication is to make the EU proactive instead of reactive on cybersecurity issues and enumerates aspects of the strategy which the Government supports, including: the focus the Communication places on the cyber resilience of the EU, Member States and the EU neighbourhood; improved international engagement to enhance our overall collective security, including with NATO; and cyber deterrence.
3.54 The Minister also highlights areas of possible concern, which include:
3.55 The Minister states that the Government will seek to influence the impact of these areas through the Council Conclusions, and adds that there are areas of the Communication that are too vague to comment on at present, where the Government will seek to influence the detailed proposals.
None.
[12] Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions: Strengthening Europe’s Cyber Resilience System and Fostering a Competitive and Innovative Cybersecurity Industry.
[14] Council Conclusions on Strengthening Europe’s Cyber Resilience System and Fostering a Competitive and Innovative Cybersecurity Industry, 15 November 2016.
[15] Report from the Commission to the European Parliament and the Council on the evaluation of the European Union Agency for Network and Information Security (ENISA).
[16] Proposal for a Regulation of the European Parliament and of the Council on ENISA, the “EU Cybersecurity Agency”, and repealing Regulation (EU) 526/2013, and on Information and Communication Technology cybersecurity certification (“Cybersecurity Act”).
[18] EU Law blog: ENISA, legal base and Case C-217/04, http://eulaw.typepad.com/eulawblog/2006/05/enisa_legal_bas.html (accessed 30 October 2017).
[19] Communication from the Commission to the European Parliament and the Council: Making the most of NIS—towards the effective implementation of Directive (EU) 2016/1148 concerning measures for a high common level of security of network and information systems across the Union.
[20] Internet Protocol version 6 (IPv6) is the most recent version of the Internet Protocol (IP), the communications protocol that provides an identification and location system for computers on networks and routes traffic across the Internet. It provides a variety of security benefits relative to IPv4, its predecessor. See: IPv6 (accessed 26 October 2017).
[23] Regulation (EC) No 460/2004 was subsequently amended in 2008 and 2011 to extend the duration of its mandate. It was later superseded by Regulation (EU) No 526/2013 (the ENISA Regulation).
[25] Report from the Commission to the European Parliament and the Council on the evaluation of the European Union Agency for Network and Information Security (ENISA).
[26] Proposal for a Regulation of the European Parliament and of the Council on ENISA, the “EU Cybersecurity Agency”, and repealing Regulation (EU) 526/2013, and on Information and Communication Technology cybersecurity certification (“Cybersecurity Act”).
[27] Communication from the Commission to the European Parliament and the Council: Making the most of NIS—towards the effective implementation of Directive (EU) 2016/1148 concerning measures for a high common level of security of network and information systems across the Union.
[28] Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union.
[29] Communication from the Commission to the European Parliament and the Council: Making the most of NIS—towards the effective implementation of Directive (EU) 2016/1148 concerning measures for a high common level of security of network and information systems across the Union.
[30] Joint Communication to the European Parliament and the Council: Resilience, Deterrence and Defence: Building strong cybersecurity for the EU.
[31] Internet Protocol version 6 (IPv6) is the most recent version of the Internet Protocol (IP), the communications protocol that provides an identification and location system for computers on networks and routes traffic across the Internet. It provides a variety of security benefits relative to IPv4, its predecessor. See: IPv6 (accessed 26 October 2017).
[32] Report from the Commission to the European Parliament and the Council on the evaluation of the European Union Agency for Network and Information Security (ENISA).
[33] Proposal for a Regulation of the European Parliament and of the Council on ENISA, the “EU Cybersecurity Agency”, and repealing Regulation (EU) 526/2013, and on Information and Communication Technology cybersecurity certification (“Cybersecurity Act”).
[34] EM 11013–16 Strengthening Europe’s Cyber Resilience System and Fostering a Competitive and Innovative Cybersecurity Industry (Commission Communication), 11013/16, COM(16) 410.
11 December 2017