(a) Not cleared from scrutiny; further information requested; (b) (c) and (d) cleared from scrutiny; drawn to the attention of the Digital, Culture, Media and Sport Committee
(a) Proposal for a Regulation of the European Parliament and of the Council on ENISA, the “EU Cybersecurity Agency”, and repealing Regulation (EU) 526/2013, and on Information and Communication Technology cybersecurity certification (‘‘Cybersecurity Act’’); (b) Communication from the Commission to the European Parliament and the Council: Making the most of NIS—towards the effective implementation of Directive (EU) 2016/1148 concerning measures for a high common level of security of network and information systems across the Union; (c) Report from the Commission to the European Parliament and the Council on the evaluation of the European Union Agency for Network and Information Security (ENISA); (d) External Action Service Joint Communication to the European Parliament and to the Council: Resilience, Deterrence and Defence: Building strong cybersecurity for the EU.
Article 114 TFEU; ordinary legislative procedure; QMV
Digital, Culture, Media and Sport
(a) (39045), 12183/17, COM(2017) 477; (b) (39021), 12205/17 + ADD 1; (c) (39022), 12208/17, COM(17) 478; (d) (39050), 12211/17, COM(17) 450
2.1In September 2017, as part of its Digital Single Market Strategy, the European Commission presented a ‘Cybersecurity package’ which proposed to make the European Union Agency for Network and Information Security (ENISA) permanent and to update its mandate to reflect current and future needs in the field of cybersecurity. The modified mandate for ENISA, contained in a draft Regulation, would also create a new Cybersecurity Certification Framework, which would minimise market fragmentation in this policy area.
2.2The Government did not raise any serious concerns about the proposal in its Explanatory Memorandum on the Regulation, noting that a certain degree of EU coordination is beneficial to manage cross-border cyber risks, and that “the current flexibility in the text means that the Government is content that the proposed measures remain proportionate to the need”.
2.3In our report on 6 December 2017, the Committee noted Foreign and Commonwealth Office concerns (expressed in relation to a separate cybersecurity-related document, concerning external policy) at the Commission’s use of the word “operational” to describe the role envisaged for ENISA in cybersecurity crisis management, and sought further information on this point. We also asked whether the Government considered the Justice and Home Affairs Opt-In Protocol applied to the proposal, and requested further information on the implications of EU exit for this proposal and the wider policy area of cybersecurity.
2.4Matt Hancock’s successor as Minister of State at the Department of Digital, Culture, Media and Sport (Margot James MP) replied to the Committee’s questions on 16 January 2018. In brief, the Minister addresses our concerns about a possible “operational” role for ENISA that would impinge on Member State competences, and provides a helpful account of the third country provisions in ENISA and the NIS Directive. The detail of the Minister’s responses to our individual questions is summarised at the end of this chapter.
2.5We thank the Minister for this detailed update which addresses the various concerns that we raised. We note the Government’s assessment that concerns about a possible “operational” role for ENISA impinging on national competences are not borne out by the text of the draft Regulation, and that the Government will continue to police the boundaries of national competence during negotiations to ensure that this does not change. The Government also notes that the cybersecurity certification framework seeks to align with international standards, to avoid creating barriers to global trade. As long as this is the case, the introduction of an EU-level cybersecurity certification framework should decrease, not increase, barriers to trade and compliance costs incurred by businesses seeking to operate in multiple EU Member States.
2.6One additional point the Committee wishes to raise is that the advisory comitology procedure is proposed for the European Cybersecurity Certification Group. Under this procedure, even if the Group of national cybersecurity experts opposed a proposal for a particular cybersecurity certification scheme, the Commission would still be allowed to adopt it. We ask the Government to clarify whether it intends to press for the more stringent examination procedure to be used instead, and, if not, to provide its reasons.
2.7Regarding the UK’s withdrawal from the EU and the possibility of future UK-EU cooperation in cybersecurity, we note that:
2.8The Government states that it will seek solutions to these issues through its negotiations with the EU on the future EU/UK relationship.
2.9We retain the proposal under scrutiny. We request an update regarding progress of the proposal in due course, including further information regarding future UK-EU co-operation in the area of cybersecurity, a fuller account of the implications of non-participation in ENISA and the CSIRT Network, and a response to our query about the type of comitology procedure that is proposed, as well as a request for clearance/a scrutiny waiver as appropriate. We draw this report to the attention of the Digital, Culture, Media and Sport Committee.
(a) Proposal for a Regulation of the European Parliament and of the Council on ENISA, the “EU Cybersecurity Agency”, and repealing Regulation (EU) 526/2013, and on Information and Communication Technology cybersecurity certification (‘‘Cybersecurity Act’’): (39045), 12183/17, COM(17) 477; (b) Communication from the Commission to the European Parliament and the Council: Making the most of NIS—towards the effective implementation of Directive (EU) 2016/1148 concerning measures for a high common level of security of network and information systems across the Union: (39201), 12205/17 + ADD 1, COM(17) 476; (c) Report from the Commission to the European Parliament and the Council on the evaluation of the European Union Agency for Network and Information Security (ENISA): (39022), 12208/17 + ADD 1, COM(17) 478; (d) External Action Service Joint Communication to the European Parliament and to the Council: Resilience, Deterrence and Defence: Building strong cybersecurity for the EU: (39050), 12211/17, COM(17) 450.
2.10The European Union Agency for Network and Information Security (ENISA) was established by Regulation (EC) No 460/2004 to contribute to the overall goal of ensuring a high level of network and information security within the EU. The Agency has its administrative seat in Heraklion (Crete) and its core operations in Athens. ENISA is a small agency with a low budget (€11.25m) and number of staff (84) compared to other EU agencies. It is headed by an Executive Director and governed by a Management Board and Executive Board made up of EU Member States and Permanent Stakeholders. An informal Network of National Liaison Officers facilitates outreach with EU Member States.
2.11The ENISA Regulation sets out ENISA’s current mandate, which is due to expire on 19 June 2020. ENISA’s main task is to enhance capability to prevent and respond to network and information security problems within the EU by building on national and Union efforts.
2.12The Commission’s proposed Regulation (12183/17), which provides a new mandate for ENISA, proposes to grant ENISA a permanent mandate. The proposed Regulation also modifies the scope of ENISA’s mandate in a number of respects, to align it with experience of what has demonstrated clear added value (as reflected in the Report) as well as recent additions to its role, including those which are proposed in this Regulation.
2.13The following are the main changes that are proposed to ENISA’s mandate:
2.14The Commission argues that cybersecurity certification frameworks are important for developing trust in ICT products and services, but that the current certification framework landscape is patchy and as a result companies are often required to undergo multiple processes in order to offer products across EU Member States. This fragmentation increases costs for businesses. The Commission adduces various examples to illustrate this point—for example, the cost of smart meter cybersecurity certification in the UK is almost €150,000, and costs a similar amount in France. Ultimately, consumers incur a proportion of these increased costs.
2.15In response, the Commission proposes to introduce a framework which will govern the introduction of EU-wide cybersecurity certification schemes. The Regulation itself does not introduce certification schemes, but seeks to create a system which will allow such schemes to be established and recognised across the EU. The proposal outlines the minimal content of what would be required under such schemes. Specific cybersecurity certification schemes would be adopted by the Commission in the form of implementing acts, with ENISA playing a central role in their development.
2.16Where the Commission adopts a specific certification scheme, national schemes or procedures will immediately cease to apply. Manufacturers of ICT products or providers of ICT services would then be able to submit an application for certification to an accredited conformity assessment body of their choice.
2.17The proposal establishes the European Cybersecurity Certification Group (the ‘Group’), consisting of national certification supervisory authorities of all Member States, with ENISA and Commission officials providing the secretariat of the group. The main task of the Group is to advise the Commission on issues concerning cybersecurity certification policy and to work with ENISA on the development of draft European cybersecurity certification schemes. ENISA would also liaise with standardisation bodies to ensure the appropriateness of standards used in approved schemes and to identify areas in need of cybersecurity standards.
2.18Member States will be responsible for monitoring, supervisory and enforcement tasks, and to this end they will appoint a certification supervisory authority.
2.19Important limitations to the scope of the proposed framework include that:
2.20In our first report on the proposal, we asked the Government:
2.21The Parliamentary Under Secretary of State at the Department of Digital, Culture, Media and Sport (Margot James MP) has responded to the Committee’s report. The Minister states that Council negotiations have re-commenced under the new Bulgarian Presidency, and that the EU’s Action Plan for cybersecurity cites December 2018 as the date at which it intends the negotiations to conclude.
2.22The Minister also provides detailed responses to the Committee’s questions, which are summarised below.
2.23In response to the Committee’s question whether the proposal would create EU-only cybersecurity certification standards, the Minister provides a detailed response which includes the points that:
2.24The Minister undertakes to ensure during negotiations that any proposals are in line with global standards which are applied in an open and transparent way.
2.25The Minister indicates that the Government does not think that the proposal to create an EU cybersecurity certification framework will create barriers to international trade. She states that it aims to build flexibility into the approach by setting out a framework under which schemes would operate, rather than setting out directly operational schemes. Furthermore, where the certification framework sets out minimum content of schemes, it makes reference to international standards. The Government takes assurance from this that ENISA will seek to align with existing internationally recognised standards, which will protect against unnecessary barriers to trade and investment.
2.26The Minister summarises the scrutiny that would take place of proposed cybersecurity certification schemes. She states that, when preparing certification schemes, ENISA would consult all relevant stakeholders and closely cooperate with the European Cybersecurity Certification Group, which is composed of Member State national supervisory authority representatives. The Group’s role in advising ENISA would include ensuring a consistent application of the framework and reviewing existing European certification schemes. The Regulation also provides for an evaluation and review of the certification provisions within five years, to assess the impact, effectiveness and efficiency. The results of this would be reviewed by the European Parliament, Council, Management Board and would be made public.
2.27The Minister does not mention that the comitology procedure that is proposed for the Group is the advisory procedure (this is specified in Article 55 of the Regulation). This means that, even if the Group of national cybersecurity experts objects to a proposed cybersecurity certification scheme, the Commission will still be able to adopt it in the form of an Implementing Regulation.
2.28The Minister acknowledges concerns about the Regulation’s description of some of its tasks as ‘operational’, a term which is normally used in the context of national intelligence activities, which are the preserve of Member States. The Minister states that some of the tasks, such as preparing technical situation reports and providing technical assistance, could be viewed as representing an extension of powers towards a more technical role, and that a number of large Member States were likely to object to these provisions. However, the Minister concludes from the detailed text of the Regulation and the Commission’s own explanation that the proposals do not envision any incursion into national competences, but rather seek to increase ENISA’s role in enhancing cooperation and information sharing. The Government undertakes to cooperate with like-minded Member States so as to ensure that any ‘operational’ role for ENISA remains a supporting but not a leading one.
2.29The Government is of the view that the JHA opt-in does not apply in relation to the ENISA Regulation, as it does not cite a Title V TFEU legal base and does not appear to contain JHA content. The Regulation does not seek to impose any requirements on the police or any other law enforcement agency. The purpose of the Regulation is to maintain optimal cyber-security generally, rather than in areas of JHA specifically, and the Government therefore considers that the JHA opt-in does not apply.
2.30The Minister states that the proposed new mandate for ENISA provides for continued participation between the Agency and competent authorities of third countries. It sets out that it may, subject to approval by the Commission, establish working arrangements with the authorities of third countries. Article 30 of the current legislation which underpins ENISA (EU No 526/2013 of the European Parliament and of the Council of 21 May 2013) also allows for the participation of third countries.
2.31The Minister states that arrangements are made under the relevant provisions of these agreements, specifying the nature, extent and manner in which those countries will participate in the Agency’s work, including provisions relating to participation in the initiatives undertaken by the Agency, financial contributions and staff. The only third country to play an active role in the ENISA Management Board is Norway, which attends Management Board meetings as an observer and has no voting rights.
2.32Regarding the NIS Directive, the Minister states that it contains a provision (Article 13) which allows associate membership of the NIS Cooperation Group by third countries through a third country agreement. Norway and Switzerland have participated in NIS Cooperation Group Meetings. If the UK is considered a third country after the UK exits the EU then the Government would need to seek associate membership of the NIS Cooperation Group if it wanted to continue to participate in this group.
2.33The Minister notes that there is no equivalent provision for the Computer Security Incident Response Teams (CSIRT) network established by the NIS Directive. If the UK wanted to continue to participate in the CSIRT network as a third country it would therefore need to seek an alternative or bespoke solution to maintain access.
2.34Additionally, the Minister notes that the NIS Directive states that any Digital Service Provider (DSP) established outside the EU, which offers services within the EU must designate a representative in one of the Member States where they provide services and comply with the oversight of that Member State’s competent authority. For the UK this means that post-EU Exit, if the UK is considered a third country, all UK-established DSPs must designate a representative in another Member State if they want to offer services within the EU. They would then have to comply with that other Member State’s security and incident reporting requirements, along with the UK’s requirements (through the UK’s national implementation of the NIS Directive).
2.35The Government states that it will seek solutions to these issues through its negotiations with the EU on the future EU/UK relationship.
2.36As part of a forward look at the Bulgarian Presidency of the Council of the European Union, the Secretary of State at DCMS (Matt Hancock MP) states that the Presidency has indicated its aim to reach a General Approach within its term.
2 Proposal for a Regulation of the European Parliament and of the Council on ENISA, the “EU Cybersecurity Agency”, and repealing Regulation (EU) 526/2013, and on Information and Communication Technology cybersecurity certification (‘‘Cybersecurity Act’’).
3 Explanatory Memorandum 12183/17 submitted to Parliament.
4 Fourth Report HC 301–iv (2017–18), chapter 3.
5 Letter from the Minister, DCMS, to the Chairman of the European Scrutiny Committee.
6 For further information about the precise role of the NIS Cooperation Group and the CSIRT Network see the material published by the European Commission.
7 Regulation (EC) was subsequently amended in 2008 and 2011 to extend the duration of its mandate. It was later superseded by Regulation (EU) (the ENISA Regulation).
8 Proposal for a Regulation of the European Parliament and of the Council on ENISA, the “EU Cybersecurity Agency”, and repealing Regulation (EU) 526/2013, and on Information and Communication Technology cybersecurity certification (‘‘Cybersecurity Act’’).
9 Fourth Report HC 301–iv (2017–18), chapter 3.
10 Letter from the Minister, DCMS, to the Chairman of the European Scrutiny Committee.
11 See Article 4 of the … for detail of the advisory procedure.
12 Article 30 states that “The Agency shall be open to the participation of third countries which have concluded agreements with the European Union by virtue of which they have adopted and applied Union legal acts in the field covered by this Regulation.”
13 Article 13 states that “The Union may conclude international agreements, in accordance with Article 218 TFEU, with third countries or international organisations, allowing and organising their participation in some activities of the Cooperation Group. Such agreements shall take into account the need to ensure adequate protection of data.”
14 Letter from the Minister, DCMS, to the Chairman of the European Scrutiny Committee.
23 February 2018