Documents considered by the Committee on 6 June 2018 Contents

7ENISA / EU Cybersecurity Agency

Committee’s assessment

Politically important

Committee’s decision

Not cleared from scrutiny; waiver granted; further information requested.

Document details

Proposal for a Regulation of the European Parliament and of the Council on ENISA, the “EU Cybersecurity Agency”, and repealing Regulation (EU) 526/2013, and on Information and Communication Technology cybersecurity certification (‘‘Cybersecurity Act’’).

Legal base

Article 114 TFEU; ordinary legislative procedure; QMV

Department

Digital, Culture, Media and Sport

Document Number

(39045), 12183/17, COM(17) 477

Summary and Committee’s conclusions

7.1In September 2017 the European Commission presented a draft Regulation which would make the European Union Agency for Network and Information Security (ENISA) permanent and update its mandate to reflect current and future needs in the field of cybersecurity.

7.2The most notable aspect of the proposed Regulation is its creation of a new Cybersecurity Certification Framework, which would seek to limit market fragmentation in this area by enabling the Commission to adopt EU-wide cybersecurity certification schemes in the form of implementing acts. ENISA would play a central role in the development of such schemes, supported by a Cybersecurity Certification Group consisting of national certification supervisory authorities of all Member States.

7.3In its initial response to the proposal, the Government did not raise any major concerns, acknowledging that a certain degree of EU coordination can be beneficial to manage cross-border cyber risks, and concluding that “the proposed measures remain proportionate to the need”.

7.4In its first consideration of the proposal on 6 December 2017, the Committee sought further information from the Government about Foreign and Commonwealth Office concerns about a possible “operational” role for ENISA which might impinge on national competences, as well as the implications of EU exit for cybersecurity. The Minister’s response on 16 January 2018 concluded that the FCO’s concerns were not borne out by the text of the draft Regulation, but that the Government would continue to monitor the issue during negotiations.

7.5The Minister also responded to the Committee’s questions regarding the implications of EU exit for UK cybersecurity. In its second consideration on 21 February 2018, regarding EU exit, the Committee concluded that:

7.6The Committee also sought further information from the Government regarding the comitology procedure under which specific cybersecurity schemes could be adopted, as well as an update on progress in Council.

7.7On 15 May 2018 the Minister of State for Digital and the Creatives Industries at the Department of Digital, Culture, Media and Sport (Margot James MP) provided the Committee with an update. The Minister reassures the Committee that if the Commission wishes to adopt implementing acts which would establish a specific cybersecurity certification scheme Article 52(5) of the draft Regulation provides that those implementing acts must be adopted in accordance with the examination procedure. Moreover, Article 55(2) makes clear that Article 5(4)(b) of Regulation (EU) No 182/2011 applies, which means that any draft implementing act cannot be adopted if there is no opinion delivered by the committee. The more stringent examination procedure is therefore used.

7.8On the implications of UK non-participation in ENISA and the CSIRT (Computer Security Incident Response Team) Network, the Minister states that if the UK does not secure agreement to participate in the ENISA Management Board or the CSIRT Network “we would instead use our bilateral relationships with EU Member States to share expertise and information.” The Minister is nonetheless of the view that the UK should continue to work with the EU to promote strategic frameworks for conflict prevention, cooperation and stability in cyberspace.

7.9Regarding the progress of negotiations in Working Groups, the Minister reiterates how previous concerns have been addressed, and states that the Government’s only remaining point of concern relates to the proposed inclusion of three “assurance levels” for all EU certification schemes—basic, substantial or high. The Government is unsure whether this would provide sufficient flexibility or transparency as to what security measures have been taken. The Government would prefer an approach which gives consideration to the processes by which internet connected products and services are developed, in line with the Government’s Secure by Design initiative. The Minister states that some measures have already been taken in negotiations to increase the flexibility of this framework, and that work is ongoing in this regard.

7.10The Minister states that the Presidency’s current intention is to seek agreement on a General Approach at the Telecoms Council on 8 June 2018. If there is a vote, the Minister states that the Government’s decision to vote in favour “will be dependent on reaching a satisfactory compromise in relation to the points noted above on ‘assurance levels’.” On this basis, the Minister asks the Committee to grant either scrutiny clearance or a scrutiny waiver.

7.11We thank the Minister for her comprehensive update. The Government has now responded thoroughly to each of the Committee’s previous questions relating to this proposal. We are reassured that the draft text does not grant ENISA a role that would impinge on the activities of national intelligence agencies, and that future certification schemes will seek to align with global standards where they exist. The Minister emphasises that the more stringent examination procedure will be used when any implementing acts are to be adopted.

7.12Nonetheless, because the Government’s support for the proposed Regulation at Telecoms Council on 8 June 2018 is contingent on securing a satisfactory compromise regarding the proposed system of ‘assurance levels’ for the cybersecurity certification framework, which could have implications for the Government’s Secure by Design initiative, and because this issue has not yet been sufficiently explained to the Committee, we are not yet prepared to clear the file from scrutiny.

7.13We therefore grant the Government a scrutiny waiver to participate at Telecoms Council subject to a satisfactory outcome being reached on this point. We also ask the Government to provide us in due course with a fuller explanation of the extent to which the latest compromise text, whether agreed or not, is compatible with the Government’s proposed Secure by Design initiative, and could constrain it.

Full details of the documents

Proposal for a Regulation of the European Parliament and of the Council on ENISA, the “EU Cybersecurity Agency”, and repealing Regulation (EU) 526/2013, and on Information and Communication Technology cybersecurity certification (‘‘Cybersecurity Act’’): (39045), 12183/17, COM(2017) 477.

Previous Committee Reports

Fourteenth Report HC 71–xvi (2017–18), chapter 2 (21 February 2018); Fourth Report HC 301–iv (2017–18), chapter 3 (6 December 2017).





Published: 12 June 2018