Documents considered by the Committee on 9 January 2019

1 ENISA / EU Cybersecurity Agency

Committee’s assessment

Politically important

Committee’s decision

Waiver granted; further information requested

Document details

Proposal for a Regulation of the European Parliament and of the Council on ENISA, the “EU Cybersecurity Agency”, and repealing Regulation (EU) 526/2013, and on Information and Communication Technology cybersecurity certification (“Cybersecurity Act”)

Legal base

Article 114 TFEU; ordinary legislative procedure; QMV

Department

Digital, Culture, Media and Sport

Document Number

(39045), 12183/17, COM(17) 477

Summary and Committee’s conclusions

1.1 In September 2017 the European Commission presented a proposal for a Regulation 12183/17 which would make permanent the European Union Agency for Network and Information Security (ENISA) and update its mandate. The most significant aspect of the proposal would be the creation of a new Cybersecurity Certification Framework, which would enable the Commission to adopt EU-wide cybersecurity certification schemes. ENISA would play a central role in the development of such schemes, supported by a Cybersecurity Certification Group consisting of national certification supervisory authorities of all Member States.

1.2 During its scrutiny of the implications of the proposal, the Committee has sought and received assurances from the Government that the proposal would not grant ENISA an operational role which would impinge on national competences, and that implementing acts establishing a specific cybersecurity certification scheme would be adopted under the comitology procedure in accordance with the more stringent examination procedure.

1.3 A further concern subsequently arose during negotiations in Working Groups within the Council, when it was proposed that three “assurance levels” should be introduced for all EU certification schemes: basic, substantial or high. The Government was unsure whether this would be compatible with its Secure by Design initiative,[1] which relates to Consumer Internet of Things (IoT) Security. On the basis of assurances from the Minister (Margot James MP),[2] the Committee granted the Government a waiver to support a general approach in June 2018.

1.4 Trilogue negotiations began formally on 1 October 2018 and on 22 December 2018 the Minister wrote[3] to inform the Committee that they had concluded with the agreement of a compromise text which was expected to be adopted in the Council in January 2019.

1.5 In the Minister’s update she informed the Committee that:

1.6 Given the Government’s overall support for the Regulation, the Minister indicates that the Government intends to vote in favour of the Regulation. The Minister adds that the Government will include a Minute Statement alongside its vote, to put on record the UK’s formal position in relation to the language on ‘public core’.

1.7 The Regulation will be directly applicable in UK law if it comes into force before the UK leaves the EU on 29 March 2019, or during the Implementation Period provided for in the Withdrawal Agreement if that Agreement is in effect.

1.8 Trilogues have concluded regarding the proposed Regulation, which would make the European Union Agency for Network and Information Security (ENISA) permanent and update its mandate, as well as creating a framework which would enable the Commission to adopt EU-wide cybersecurity certification schemes.

1.9 The Government’s principal concerns have been addressed during the negotiations: despite pushback from the European Parliament, ENISA’s “operational” role is limited to supporting cooperation among the Member States, with technical support being provided at their request; the more flexible text on “assurance levels” introduced into the Council’s General Approach in order to address UK concerns is retained, meaning that the certification framework will not interfere with the UK’s Secure by Design initiative; and the European Parliament’s proposal that mandatory cybersecurity certification be required for operators of essential services under the NIS Directive has been replaced with a much lighter-touch provision, which allows for a future assessment to be carried out to consider whether any EU cybersecurity schemes should be made mandatory through Union legislation. The most substantive elements of the proposal are thus in line with UK interests.

1.10 We note the Minister’s concern at the inclusion, at the behest of the European Parliament, of text which establishes a task for ENISA to promote cyber security policies “related to sustaining the general availability or integrity of the public core of the open internet”, which the Government considers to be contrary to the multi-stakeholder model of internet governance which it supports. As it was a late addition to the text, the practical import of the provision is not particularly clear and has not been subjected to a detailed impact assessment. The Minister’s analysis, although welcome, does not provide sufficient information for the Committee to evaluate the extent to which the provision may have significant negative effects; however, our provisional assessment is that establishing this task for ENISA will not herald significant changes in the approach of the EU and its Member States to internet governance more widely. Officials have been contacted about this aspect of the proposal and have undertaken to provide the Committee with further information as soon as possible.

1.11 Although the UK’s principal concerns have been addressed in the negotiations, we are unwilling to clear the proposal from scrutiny due to the lack of clear information on this point. We are, however, willing to grant the Government a conditional waiver to vote in support of the adoption of the Regulation, on the condition that it is the Minister’s considered assessment, having reviewed the implications of this provision, that it will not have substantial detrimental policy impacts.

1.12 Following the vote in Council in January, we ask the Minister to provide us with a further written update which explains in greater detail why the Government objects to the conception of the “public core of the open internet”, as defined in a paper by the Global Commission on the Stability of Cyberspace, what practical effects the provision can be anticipated to have, particularly in relation to internet governance, and which provides a justification of how the Government voted. In the meantime, we retain this document under scrutiny.

Full details of the documents:

Proposal for a Regulation of the European Parliament and of the Council on ENISA, the “EU Cybersecurity Agency”, and repealing Regulation (EU) 526/2013, and on Information and Communication Technology cybersecurity certification (“Cybersecurity Act”): (39045), 12183/17, COM(17) 477.

Previous Committee Reports

Thirtieth Report HC 301–xxix (2017–19), chapter 7 (6 June 2018); Fourteenth Report HC 71–xvi (2017–19), chapter 2 (21 February 2018); Fourth Report HC 301–iv (2017–18), chapter 3 (6 December 2017).

[1] HM Government, Secure by Design: The Government’s Code of Practice for Consumer Internet of Things (IoT) Security for manufacturers, with guidance for consumers on smart devices at home (7 March 2018).

[2] Letter from the Minister, DCMS, to the Chair of the European Scrutiny Committee (15 May 2018).

[3] Letter from the Minister, DCMS, to the Chair of the House of Lords European Union Committee (22 December 2018). An identical letter was sent to the Chair of the European Scrutiny Committee but is not yet available on the Department for Exiting the EU’s European Memoranda website.

[4] Global Commission on the Stability of Cyberspace: “Definition of the public core, to which the norm applies” (May 2018).

[5] Gouvernement FR, Paris Call for Trust and Security in Cyberspace (11 December 2018).

[6] The recital states that “The public core of the open internet, meaning its main protocols and infrastructure, which are a global public good”.
Published: 15 January 2019