Fortieth Report of Session 2019–21

1 Cybersecurity: EU Strategy and revised Network and Information Systems Directive[1]

These EU documents are politically important because:

  • the Government acknowledges that the final Network and Information Systems Directive has the potential to be raised with the UK by the EU under Article 13(4) of the Northern Ireland Protocol (which covers planned or adopted EU law that falls within the scope of the Protocol but which neither amends nor replaces an EU act listed in the Annexes); and
  • as the Communication refers to a cybersecurity framework that the UK has maintained after EU Exit, it holds domestic relevance for the Government as it develops the UK’s post-Brexit cybersecurity strategy.

Action

  • Write to the Minister requesting more information.
  • Draw to the attention of the Digital, Culture, Media and Sport Committee, the Home Affairs Committee, the Foreign Affairs Committee and the Defence Committee.

Overview

1.1 The two documents under scrutiny concern a Commission Communication on the EU’s Cybersecurity Strategy for the Digital Decade and a related proposal for a Directive on measures for a high common level of cybersecurity across the EU.

Document (a) (41774)—Joint Communication: Cybersecurity Strategy for the Digital Decade

1.2 The EU’s Cybersecurity Strategy for the Digital Decade was adopted on 16 December 2020. The document outlines the EU’s proposals and forthcoming interventions to bolster Europe’s collective resilience against cyber threats and safeguard citizens and businesses by ensuring trustworthy and reliable services and digital tools. The European Commission considers this one of its top priorities.

1.3 The strategy sets out an ambition of reaching a combined investment of public and private funds of €4.5bn[2] in cybersecurity preparedness during the course of the next Multi-Annual Financial Framework (MFF) period (2021–27). The Commission states that it will support the cyber security strategy initiatives with investment through the next long-term EU budget, notably the Digital Europe Programme and Horizon Europe, as well as the Recovery Plan for Europe. Member States have been actively encouraged to make use of the EU Recovery and Resilience Facility to boost their cybersecurity capabilities and match EU-level investment.

1.4 The Strategy details forthcoming legislative proposals to address the cyber and physical resilience of critical national infrastructure and networks. These issues are addressed in the accompanying proposal for a revised Network and Information Systems Directive (document (b)), which covers both medium and large companies, and is based on assessments of how critical their functions are for economic activities and society. In addition, the Strategy details a proposal for a revised Critical Entities Resilience Directive, which broadens the scope of the 2008 European Critical Infrastructure Directive,[3] covering 10 sectors including: public administration; financial market infrastructures; health; drinking water; wastewater; energy; transport; banking; digital infrastructure; and space.

1.5 The Commission aims to implement the EU Cybersecurity Strategy in 2021 and, once the European Parliament and Council review and adopt the revised Network and Information Systems Directive and the Critical Entities Resilience Directive, Member States will be required to transpose the two Directives within 18 months of their entry into force. Under the Critical Entities Resilience Directive, Member States will be required to adopt a national strategy for securing the resilience of critical entities and to perform regular risk assessments. In addition to the two Directives, the Commission also aims to introduce a proposed Regulation for internet of things (IoT) devices[4] in 2021.

1.6 The EU Cybersecurity Strategy covers a number of other priority areas, grouping these within three categories. These categories are described below.

‘Resilience, technological sovereignty and leadership’

1.7 This category outlines measures for ensuring that infrastructure, services and all internet-connected devices within the EU should be fundamentally secure by design, resilient to cyber threats, and more amenable to the mitigation of vulnerabilities once they are discovered. In addition to the Critical Entities Resilience Directive, the EU proposes building a European Cyber Shield[5] for the purpose of information sharing, monitoring, and analysis. The EU sets out proposals for establishing a highly-secure communications infrastructure, to be supported by secure and cost-efficient communications capabilities, with an initiative to develop and deploy new and more secure forms of encryption and to devise new ways of protecting critical communication and data assets.

1.8 The EU outlines proposals for ensuring technological sovereignty and secure devices. This includes an emphasis on securing internet of things devices through a new duty of care for connected device manufacturers to address software vulnerabilities, as well as the deletion of end-of-life sensitive data. Following this, the EU will use enforcement to ensure resilience of connected devices. The strategy additionally sets out an ambition for greater global internet security, encouraging Member States to adopt a domain name system resolution diversification strategy. In its ambitions for ensuring technological sovereignty, the Strategy sets out to establish a reinforced presence on the technology supply chain and to demonstrate leadership in digital technologies and cyber security across the digital supply chain. To support these activities, the Strategy emphasises the importance of building a more cyber-skilled EU workforce. This will include expanding efforts to upskill the current workforce as well as developing, attracting and retaining cybersecurity talent to help invest in world class research and innovation.

‘Building operational capacity to prevent, deter and respond’

1.9 Within this category, the EU seeks to leverage the full implementation of regulatory tools, mobilisation and cooperation to enable systematic and comprehensive information sharing and cooperation against cyber incidents. A key initiative proposed for mitigating cyber threats is a Joint Cyber Unit, which would serve as a virtual and physical platform for cooperation for the different cyber security communities in the EU. The establishment of the Unit seeks to create a common space for multi-stakeholder groups to nurture structured cooperation, facilitate operational and technical cooperation, and to harness the potential of operational cooperation and mutual assistance within existing networks and communities. Another initiative under this ‘prevent, deter and respond’ category is an EU cyber diplomacy toolbox, which uses an array of measures, potentially restrictive, seeking to resolve international disputes by peaceful means. Although not explicitly stated, the measures outlined in this section of the Cybersecurity Strategy could, in theory, apply to both private organisations and state-sponsored actors which are viewed as a cybersecurity threat.

1.10 Additional priorities include initiatives for tackling cybercrime in conjunction with the EU’s counter-terrorism agenda and the Security Union Strategy. This covers the scrutiny of electronic evidence and navigating encryption while preserving its function in maintaining fundamental human rights. Furthermore, the strategy makes a commitment to significantly boost cyber defence capabilities, ensuring that cyber security and cyber defence are further integrated into the wider security and defence agenda, and encourages the development of state-of-the-art cyber defence capabilities, tying in with ambitions to establish greater EU technological sovereignty.

‘Advancing a global and open cyberspace through increased cooperation’

1.11 This category relates to the EU’s ambition of working with international partners to strengthen the rules-based global order, promote international security and stability in cyberspace, and protect human rights and fundamental freedoms online. The Strategy seeks to continue establishing EU leadership on standards, norms and frameworks in cyberspace while, additionally, highlighting cooperation with partners and the multi-stakeholder community as an ongoing key commitment.

Document (b) (41773)—Proposal for a revised Network and Information Systems Directive

1.12 The document under scrutiny—document (b)—is a proposal for a revision of the Network and Information Systems Directive (also known as the ‘NIS’ Directive).[6] The proposal is based on the results of a review of the current iteration of the Directive.

1.13 The NIS Directive entered into force in 2016. It places requirements on EU Member States to identify ‘Operators of Essential Services’ and ensure that they have appropriate and proportionate security measures in place to manage and mitigate any risks to their network and information systems, and to ensure the security of critical services that are important for the economy and wider society. This could, for example, require utilities suppliers to undertake a tailored cybersecurity risk assessment before putting appropriate mitigation measures in place, or require providers of key digital services, such as search engines, cloud computing services or online marketplaces, to comply with bolstered security and notification requirements. Currently, in the UK, operators of essential services covered by the domestic NIS Regulations are those in the energy, transport, water, digital infrastructure, and health sectors.

1.14 The proposal under scrutiny would repeal the current NIS Directive and make amendments to its general framework. As the UK is no longer an EU Member State, it will not have to implement the proposed Directive. However, as the proposal refers to a framework that the UK has maintained after EU Exit, it retains domestic relevance.

Main proposed changes

1.15 One of the most notable changes proposed to the NIS Directive is to its scope. The current Directive covers the energy, transport, banking, financial services, health, drinking water, and digital infrastructure sectors. Organisations in these sectors that fall within scope are designated operators of essential services and are subject to a proactive (ex-ante) regulatory regime across the EU. In addition to this, digital service providers (comprising online marketplaces, online search engines, and cloud computing services) are also subject to the NIS Directive in a reactive (ex-post) manner.

1.16 The proposal under scrutiny would expand the sectoral application of the NIS Directive by adding the wastewater, public administration, space, postal and courier services, waste management, the production and distribution of chemicals, food production, processing and distribution, and manufacturing sectors.

1.17 The proposal also makes a change regarding the regulatory approach to these sectors, moving away from the distinction between operators of “essential services” (ex-ante) and “digital service” providers (ex-post) in favour of a new distinction between “essential” services and “important” services.

1.18 Both groups of entities would be subject to the same risk management requirements and reporting obligations; only the regulatory approach differs. Micro and small entities are excluded from the scope of the proposal (as per its current iteration), with some notable exceptions on a Member State case-by-case basis.

1.19 The proposal aims to eliminate identification thresholds and would, therefore, envisage that any medium or large enterprises that operate in the sectors covered by the Directive would fall under the scope of the Directive. An exception to this rule would apply only in circumstances where a Member State deems that organisations have a key role for the economy or society.

1.20 The proposal makes a number of other recommendations and changes regarding the scope of organisations falling under the framework. It explicitly brings data centre services in scope as essential entities and identifies the importance of addressing cybersecurity risks stemming from an entity’s supply chain and its relationship with its suppliers, which is notably absent from the current Directive. It also recognises the importance of managed security service providers in areas such as incident response, penetration testing, security audits, and consultancy, and recommends increased diligence in their selection given their susceptibility to cyberattacks.

1.21 The new proposal would create a European Cyber Crises Liaison Organisation Network (EU-CyCLONe) composed of representatives of EU Member State crisis management authorities, the European Commission, and the European Union Agency for Cybersecurity (ENISA).[7] It would support the management of large-scale cybersecurity incidents and crises and coordinate the response to them.

1.22 The Commission also proposes the establishment of a European vulnerability registry, where ENISA would have the responsibility to establish and maintain an appropriate information system, policies, and procedures with a view to enabling important and essential services and their suppliers to disclose and register vulnerabilities present in ICT services. It would also provide an opportunity for interested parties to access the information on vulnerabilities in the register. This is part of the Commission’s new proposal to develop a framework for coordinated vulnerability disclosure.

1.23 The NIS Directive requires national competent authorities to develop strategies on the security of network and information systems. The proposal builds on that requirement, adding in explicit requirements that are not present in the current version. Notable additions include, among others, the requirement to have a national policy to address cyber security in supply chains and a coordinated vulnerability disclosure policy.

1.24 In addition, EU Member States would also be required, beyond the requirements of the Directive, to establish national cybersecurity crisis management frameworks, where objectives and modalities in the management of large-scale cybersecurity incidents are set out.

The Government’s position

1.25 Parliamentary Under-Secretary of State at the Department for Digital, Culture, Media and Sport, Matt Warman MP, wrote to us by separate Explanatory Memoranda on the Commission’s Communication and proposed Directive on 26 January 2021.

Document (a)—Cybersecurity Strategy

1.26 The Minister explains that there are no legal or political issues relating to the Communication as it concerns a strategy published by the EU applying solely to its Member States. Neither does the Government foresee any issues arising from the Communication in relation to the Protocol on Ireland/Northern Ireland to the UK/EU Withdrawal Agreement. That said, as the Communication refers to a cybersecurity framework that the UK has maintained after EU Exit, it has some domestic relevance.

1.27 To this end, the Minister notes that responsibility for delivering the strategic objectives under the UK’s own National Cyber Security Strategy (NCSS) is distributed across Government, given various Departmental interests and a need for a cross-cutting Government response to the cybersecurity challenges that the UK faces. Key ministerial responsibilities relating to cybersecurity are as follows:

Document (b)—Proposed revision of the NIS Directive

1.28 As with the Communication under scrutiny, the Minister explains that there are no legal or political issues relating to the proposed Directive as the UK is no longer an EU Member State and, as such, it is not obliged to transpose the proposed Directive into domestic law. Furthermore, the Directive, which has yet to be adopted by the EU, does not raise any matters of vital national interest to the UK.

1.29 Once again, the Minister does not foresee any issues arising from the Directive in relation to the Protocol on Ireland/Northern Ireland to the UK/EU Withdrawal Agreement; however, he acknowledges that the final proposal could potentially be raised with the UK by the EU under Article 13(4) of the Protocol.[9] As such, the Government commits to further monitoring of the proposal throughout its negotiation and adoption.

Potential implications for the UK

Document (a)—Cybersecurity Strategy

1.30 In his Explanatory Memorandum, the responsible Minister (Matt Warman MP) states that the UK’s exit from the EU on 31 December 2020 means that the UK is not subject to the provisions of the European Cybersecurity Strategy nor involved in its delivery or implementation.

1.31 That said, the Minister notes that there are a number of key areas outlined in the Strategy which align with UK interests and ambitions in the cybersecurity field such as: working with international partners to strengthen the rules-based global order; promoting international security and stability in cyberspace; attracting and increasing the talent pipeline; and investing in innovative cyber solutions to improve cyber resilience across the economy. The Minister also notes that the Government will want to continue engagement with the EU regarding shared ambitions, goals and solutions on a number of global cyber security issues as the UK’s own National Cyber Security Strategy is updated and published later this year. To this end, there could also be wider considerations that the Government should be mindful of as it develops the UK’s NCSS vis-à-vis international partners. The UK currently enjoys close cooperation with Five Eyes partners and NATO allies in the field of cybersecurity, and future Government action in this field should consider these ties and their ongoing importance to UK cybersecurity policy.

1.32 Furthermore, the Government states that it is in the UK’s interest to see how the EU’s new initiatives develop and to encourage the sharing of best practice and lessons learned from these new initiatives in the context of increasing threats both from hostile state actors and sophisticated cyber criminals. The Government notes that Part 4 of the UK/EU Trade & Cooperation Agreement includes provisions for cooperation in the field of cyber security, and that it will use this means of engagement to discuss EU activities and areas where UK/EU cooperation is of mutual benefit. These include, but are not limited to: deterrence; capacity building; and technical cooperation.

Document (b)—Proposal for a revised Network and Information Systems Directive

1.33 In his Explanatory Memorandum, the responsible Minister (Matt Warman MP) states that, as the proposal for a revised NIS Directive is still under negotiation and was not adopted during the Brexit Transition Period, the UK is not under any obligation to transpose it into domestic legislation. The Government notes, however, that the original transposition of the 2016 Directive was given effect to by the Network and Information Systems (NIS) Regulations 2018, which will remain on the UK statute book as retained EU law.

1.34 Furthermore, the Government states that the UK conducted its own review of the NIS Regulations in May 2020[10] and that various legislative amendments to implement its recommendations have already been made.[11] These include:

1.35 The Government also notes that it will consider proposals for the EU’s new NIS Directive, amongst other evidence, in developing the UK’s own objectives and priorities for cyber security legislation in the next iteration of the UK’s National Cyber Security Strategy and future reviews planned for the NIS Regulations.

1.36 As regards the position of the UK as a third country to the EU, the Trade & Cooperation Agreement provides for future cooperation in the field of cyber security. This will enable both sides to work together where it is in their mutual interest through expert committees and bodies including, for example, the European Union Agency for Cybersecurity (ENISA). Notably, the Trade and Cooperation Agreement stipulates that the UK may, upon invitation, participate in some of the activities of the NIS Cooperation Group in order to support the exchange of information with regard to exercises relating to security of network and information systems, best practices and capacity-building. These endeavours fall within a wider umbrella of cooperation on cyber issues, where the UK and EU will cooperate where it is of mutual interest, on a shared ambition to promote and protect an open, free, stable, peaceful, and secure cyberspace.

Action

1.37 We have written to the Minister requesting further information on the potential implications of the EU’s Cybersecurity Strategy for UK law and policy, in particular, concerning Northern Ireland, and UK-based stakeholders.

1.38 We have drawn this Report chapter to the attention of the Digital, Culture, Media and Sport Committee, the Home Affairs Committee, the Foreign Affairs Committee, and the Defence Committee.

Letter to the Parliamentary Under-Secretary at the Department for Digital, Culture, Media and Sport (Matt Warman MP)

The Committee has asked me to thank you for your two Explanatory Memoranda (EM) on the above listed documents.

In light of the end of the post-Brexit Transition Period—as per the UK/EU Withdrawal Agreement—and the recent agreement and provisional application of the UK/EU Trade and Cooperation Agreement (TCA), the Committee would appreciate it if you could provide further information on the following points.

We request a response to this letter within 15 working days.

[1] Document (a)—JOINT COMMUNICATION TO THE EUROPEAN PARLIAMENT AND THE COUNCIL on the EU’s Cybersecurity Strategy for the Digital Decade; Council and COM number: 14133/20 and JOIN(20) 18; Legal base: N/A; Government Department: Digital, Culture, Media and Sport; Devolved Administrations: Not consulted; ESC number: 41774. Document (b)—Proposal for a DIRECTIVE OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on measures for a high common level of cybersecurity across the Union, repealing Directive (EU) 2016/1148; Council and COM number: 14150/20 + ADDs 1–6 and COM(20) 823; Legal base: Article 114 TFEU, QMV, ordinary legislative procedure; Government Department: Digital, Culture, Media and Sport; Devolved Administrations: Not consulted; ESC number: 41773.

[2] Approximately £3.8bn at current prices.

[3] Council Directive 2008/114/EC of 8 December 2008 on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection (Text with EEA relevance).

[4] The Internet of Things (IoT) describes the network of physical objects that are embedded with sensors, software and other technologies for the purpose of connecting and exchanging data with other devices and systems over the internet.

[5] The European Cyber Shield is a planned network of Artificial Intelligence-enabled Security Operations Centres that will be capable of detecting signs of a cyberattack and enable preventative action before damage occurs.

[6] Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union.

[7] Commission Recommendation (EU) 2017/1584 on a coordinated response to large-scale cybersecurity incidents and crises.

[8] Government Communications Headquarters is the intelligence and security organisation responsible for providing signals intelligence and information assurance to the UK Government and the UK Armed Forces.

[9] Article 13(4) of the Protocol states “Where the Union adopts a new act that falls within the scope of this Protocol, but which neither amends nor replaces a Union act listed in the Annexes to this Protocol, the Union shall inform the United Kingdom of the adoption of that act in the Joint Committee. Upon the request of the Union or the United Kingdom, the Joint Committee shall hold an exchange of views on the implications of the newly adopted act for the proper functioning of this Protocol, within 6 weeks after the request. As soon as reasonably practical after the Union has informed the United Kingdom in the Joint Committee, the Joint Committee shall either: (a) adopt a decision adding the newly adopted act to the relevant Annex to this Protocol; or (b) where an agreement on adding the newly adopted act to the relevant Annex to this Protocol cannot be reached, examine all further possibilities to maintain the good functioning of this Protocol and take any decision necessary to this effect. If the Joint Committee has not taken a decision referred to in the second subparagraph within a reasonable time, the Union shall be entitled, after giving notice to the United Kingdom, to take appropriate remedial measures. Such measures shall take effect at the earliest 6 months after the Union informed the United Kingdom in accordance with the first subparagraph, but in no event shall such measures take effect before the date on which the newly adopted act is implemented in the Union.”

Published: 23 March 2021