CHAPTER 4: THE COMMISSION COMMUNICATION
47. The sub-title of the Commission Communication
is "Protecting Europe from large-scale cyber-attacks and
disruptions: enhancing preparedness, security and resilience."[31]
The Communication is set out in full in Appendix 4. It is accompanied
by over four hundred pages of impact assessment which we do not
print.[32]
48. The Communication "focuses on prevention,
preparedness and awareness, and defines a plan of immediate actions
to strengthen the security and resilience of CIIs [Critical Information
Infrastructures]." Five "pillars" are proposed
to tackle these challenges:
- Preparedness and prevention: to ensure preparedness
at all levels;
- Detection and response: to provide adequate early
warning mechanisms;
- Mitigation and recovery: to reinforce EU defence
mechanisms for CII;
- International cooperation: to promote EU priorities
internationally; and
- Criteria for the ICT sector: to support the implementation
of the Directive on the Identification and Designation of European
Critical Infrastructures (see paragraph 31).
49. The Commission does not intend, at least
for the present, to propose a binding legislative framework to
carry its proposals into effect. Initially the Communication and
Action Plan would provide the framework for coordination and cooperation
"to engage Member States, the private sector and civil society."
The Commission envisages that the Communication could be endorsed
by the Council, and that the European Parliament may also decide
to contribute to the discussion. It is only once the consequences
of this work had been assessed that the Commission might consider
putting forward proposals for legislation.[33]
Reaction to the Communication
50. ENISA, which we consider in more detail in
the following chapter, has an important role in the EU plans.
It was perhaps predictable that they warmly welcomed the Communication
as "providing the clearest framework yet for enabling Europe
to act in case of major disruptions" (p 70).[34]
But the Government also "very much welcomed the communication;
we thought that was a positive step forward, and I think
you may recall that our explanatory memorandum[35]
said that we welcomed the initiative. We had some concerns around
the action plan and the realistic deliverability of some components
of that, but in terms of should the European Union be providing
some degree of leadership in this area we have no problem with
that in principle; we think it is a good thing" (Smith,
Q 3).
51. A more common reaction was to say that the
Communication was fine as far as it went, but that it did not
go very far. This is not necessarily a criticism. As Mr Chantzos
said, the Communication is a policy statement; it is not a programme
itself, but a statement of intentions: what the Commission
would like the EU to do in this particular area. He thought the
first requirement for the Communication to have an impact was
that it should actually be followed through. It was for the Commission
to do the different things that it talked about: the work on early
warning, on common exercises, on information exchange, and on
the review of the ENISA mandate (Q 141).
52. Others too, like Mr Cormack, thought
it was hard to assess the Communication without knowing what would
follow from it: "If I am feeling optimistic I can read the
communication as very positive in supporting and extending the
existing networks. I do not think there is anything in there that
automatically gives me nightmares but as with many communications
from governments it can be read in many ways, so it may be trite
to say the devil is in the detail" (Q 105). And Mr Smith
thought that the section of the Communication dealing with what
needed to be done globally to improve Internet resilience was
"one of the least clear parts of the Communication ... even today I am not sure that I could give you a clear account
of where this work might take us" (Q 3).
53. We agree with those of our witnesses who
believe that a full assessment of the value of the Communication
as a whole will only be possible when we can see how it is followed
up, and whether it has in fact contributed to "protecting
Europe from large-scale cyber-attacks and disruptions by enhancing
preparedness, security and resilience", as its title envisages.
Meanwhile we share the broadly positive view of most of our witnesses.
54. The Communication says little about the
role of the EU in a global context. In any proposals for specific
action, the Commission will need to pay particular attention to
the way they will fit into a global framework. We believe that
the more advanced Member States, the United Kingdom among them,
have an influential role to play in broadening the dialogue with
other principal international players, in particular the US, Russia
and China.
Specific actions
55. The Communication, though addressed to the
Council, does not make specific proposals for the Council to adopt.
However it envisages specific actions, some of which are already
beginning to take place:
- Making National/Government CERTs a key component
of national capabilities;
- Creating an EU-level Public/Private Partnership
for resilience;
- Launching an EU-level forum for Member States
to share good practice and information relating to CIIs;
- Creating an EU-level information sharing and
alert system;
- Running a national contingency planning exercise
in every Member State, then a pan-European exercise, and planning
for a global one; and
- Working at EU and global levels on principles
and guidelines for Internet resilience and stability.
56. We consider some of these actions in the
remainder of this chapter.
Computer Emergency Response Teams (CERTs)
57. A Computer Emergency Response Team, or CERT,
is an organisation that studies computer and network security
in order to provide incident response services to victims of attacks,
to publish alerts concerning vulnerabilities and threats, and
to offer other information to help improve computer and network
security.[36] A closely
related organisation is the "abuse team" run by most
Internet Service Providers to handle reports of incidents involving
their customers.
58. In the United Kingdom there are a number
of CERTs; many large private sector companies have their own,
and so do organisations with a common interest. An example is
JANET. Their Chief Regulatory Adviser, Mr Andrew Cormack,
explained that JANET is the United Kingdom's education network
connecting all universities, colleges, regional schools networks
and research organisations together and to the Internet. JANET
is a large computer network used by up to 16 million people in
the United Kingdom either as school pupils, as university students,
as teachers or as researchers, "though most of them were
probably unaware that we exist" (Q 49).
59. The Government explained that CERTs are a
critical part of dealing with Internet incidents, as they have
the relevant expertise and experience to deal rapidly with any
problems. Their view was that the CERT model found in the United
Kingdom had so far proved very effective. But it was important
that CERTs did not work in isolation, but maintained a close working
relationship with other organisations with an interest in cyber
incidents, such as the private sector and law enforcement (p 8).
This was a view shared by ISSA-UK and the BCS: "CERTs are
a useful, effective and essential response measure but they demand
high standards of skills, training and rehearsal, and they are
unlikely to have sufficient capacity to deal with widespread,
multiple incidents, as might be encountered in a large-scale major
cyber incident" (p 145).
60. There are a number of Government CERTs set
up to deal with Internet incidents. GovCertUK is the Government
CERT for the public sector system, housed within GCHQ. It provides
warnings, alerts and assistance in resolving serious IT incidents
for the public sector. It works closely with the CPNI (Centre
for the Protection of National Infrastructure, the Government
authority that provides protective security advice to businesses
and organisations across the national infrastructure) and with
relevant law enforcement agencies, international CERT networks
and, increasingly, the recently established CSOC (Cyber Security
Operations Centre, the Government body responsible for defence
against cyber-attacks, located in GCHQ). In addition to emergency
response, GCHQ and CPNI provide warnings, alerts and assessment
of information security products and services (pp 1-2).
61. The United Kingdom does not currently have
a national CERT in addition to sector and company specific CERTs.
However the Commission propose that all Member States should set
up national CERTs. Section 5.1 of the Communication invites Member
States to "define ... a minimum level of capabilities
and services for National/Governmental CERTs and incident response
operations in support to pan-European cooperation", and to
"make sure National/Governmental CERTs act as the key component
of national capability for preparedness, information sharing,
coordination and response." The target for this is "end
of 2011 for establishing well functioning National/Governmental
CERTs in all Member States."
62. On the face of it, this appears to be suggesting
that all Member States, even those which like the United Kingdom
already have a large and sophisticated CERT network, should establish
a national CERT. If this is what is intended, there was a marked
lack of support for the proposal from our witnesses.
63. One of those most opposed to the Commission
trying to impose national CERTs on Member States was Professor
Anderson: "The problem is that national CERTs only have a
fraction of the necessary expertise, and if you limit effective
action to government bodies then you are in effect cutting out
the communication service providers, the electric power companies,
and the various other private utilities which, like it or not,
control most of Europe's critical national infrastructure. You
are also cutting out various NGOs and academics and others who
have good expertise, and are also, for example in the case of
the UK, probably marginalising other government bodies that have
or are building relevant expertise, such as the National Physical
Laboratory" (Q 239).
64. Despite the apparently unequivocal language
of the Communication, it is possible that the Commission intend
this proposal to apply only to those Member States with less developed
capacity to resist cyber-attacks. The Government thought it likely
that the Commission were seeking to address the problem of Member
States with little or no CERT capacity, and that it was unlikely
that they would seek to impose a "one size fits all"
model on Member States such as the United Kingdom which were "far
advanced in this area" (p 9). Lord West of Spithead,
the Parliamentary Under-Secretary of State at the Home Office
and Minister for Security, said: "... we need to keep
that under review, whether we should have a 'national' CERT or
not, and it is something we are looking at. When one looks at
some of the countries in the EU, they have no CERTs at all and
they need to get a kick-start" (Q 288).
65. Support for this interpretation of the Commission's
true intention came from Mr Servida: "How you organise
it [CERTs], whether it is just a national one or, the model which
is the UK, different ones, is really up to the Member States"
(Q 134). As one of the authors of the Communication, Mr Servida
can be assumed to know what was intended. If that is the true
intention, the words "all Member States" were poorly
chosen.
66. It is certainly the case that a number of
Member States, mainly Eastern European, have very few CERTs. Until
2007 Estonia was a glaring example. ENISA told us that they focused
their efforts on supporting the development of CERTs in Member
States that were less well-developed than countries such as the
United Kingdom through brokering relations between potential partners.
They had worked with Hungary to provide expertise in the establishment
of a national CERT in Bulgaria (p 74). The Government thought
ENISA might be able to support less established CERTs in meeting
the standards of trust and competence required to join the EGC
(EU Government CERTs), a forum which does not currently cover
every Member State (p 10).
67. Dr Udo Helmbrecht, the Executive Director
of ENISA, agreed that in smaller Member States with a less mature
Internet industry a national CERT initially made sense, but thought
this should not preclude them from subsequently having sector-specific
CERTs as they became more sophisticated. It had been shown in
the past that sector-specific CERTs worked very well because they
understood the business. "In the end if we have CERTs in
every sector or every Member State in a trusted communication
then we shall have really improved something" (QQ 206-207).
68. We believe that the Commission proposal as
described in evidence to us and as defined in the preceding paragraphs
could prove valuable and should be supported. Mr Cormack
pointed out that still only about 25 per cent of European IP addresses
had a CERT or an abuse team sitting somewhere above them. "There
is therefore definitely a role for Government, European bodies,
anyone, please, to try and help fill in those blanks on the map,
the 75 per cent of IP addresses which, when I get an incident
from them, I can do nothing about because I have no trusted contact"
(Q 69).
69. The Commission propose establishing national
CERTs in all Member States. We agree that those Member States
where there are too few or inadequate CERTs should be encouraged
to set up national CERTs to replace or supplement them. The Government
should support this proposal.
70. None of our witnesses have suggested that
the United Kingdom's current system of sector and company specific
CERTs should be replaced by a national United Kingdom CERT, and
we agree with them that there would be no advantage in this. The
Government should explain that any suggestion that the United
Kingdom and any other countries with a sophisticated CERT network
should have to establish national CERTs would make no sense and
would bring no added protection.
71. We urge the Commission, when responding
to our report, to clarify their intentions in this respect.
Public private partnerships
72. Despite the fact that so much of the Internet
infrastructure is privately owned and operated, an important lesson
from the attack on Estonia was that when the extent of the problem
became apparent, it was to the Government that people looked to
sort the problem out. Not only do governments themselves believe
that Critical National Infrastructure is a matter for them, but
in times of crisis, citizens agree with that analysis. The importance
of a genuine public private partnership is clear.[37]
73. This seems in principle to be well understood.
In their written evidence the Government told us that the United
Kingdom had adopted a public private partnership model, where
Government maintained a close working relationship with industry
on a voluntary basis to ensure communications resilience, including
that of the Internet. Their view was that to date this model had
proved successful in enhancing the resilience of the communications
sector. This, they thought, was something which the European Commission
had realised, and they saw value in the Commission exploring what
might be done on a multilateral basis within the European Union
and how that might link with global initiatives in this area (p 8).
74. We put to a number of witnesses the extent
to which the Internet industry relies on the skills of private
entrepreneurs, and asked them whether the often-repeated intention
of involving them in this work was matched on the ground. For
the Commission, Mr Servida went so far as to say: "The
very pillar for intervention is the European public private partnership
for resilience for which we have launched the idea." But
when pressed to say what exactly was being done, the most he could
say was: "We have started a process to engage at the European
level with private sector and public bodies in Member States in
order to see how to establish it. By the end of this year [2009]
we will come forward with the road map and the plan is to launch
it by mid 2010." He added that the Commission, while agreeing
on the need to engage the private sector, saw this as a reason
"why the private sector should come forward" (QQ 128,
129). We suggest that, on the contrary, this is a reason for the
Commission to take the initiative, rather than wait for the private
sector to do so.
75. We would be better placed to assess the extent
of the problem if we had received evidence from United Kingdom
ISPs, but the only ISP which replied to our call for evidence
was XS4ALL, a Dutch company. With the single exception of JANET(UK),
the United Kingdom's networking companies, Internet trade bodies
and Internet exchange points showed a similar lack of interest.
76. We regret that United Kingdom Internet
Service Providers and the rest of the commercial United Kingdom
Internet industry should not have shown more interest in submitting
evidence to this inquiry. This may be a reflection of their view
that the Commission Communication will have little effect on them.
77. Mr Smith told us that the Government
had recast the European Communications Resilience and Response
Group (ECRRG) "to try and bring the industry more into the
centre of it, rather than Government leading this process"
(Q 17).[38] Lord
West explained that historically the Government had been involved
with the industry, and that he had spoken to various groups in
the telecommunications industry; the Communications and Electronic
Security Group had been closely involved with them and there were
very close Government links with BT and other providers. He added:
"We need to develop mechanisms where we are talking to a
much broader range of the innovative entrepreneurial businesses
in the UK, but it is difficult to see quite how we can do that
and still maintain this trusted environment, and that is the challenge
we have" (QQ 278, 280).
78. We agree that there is a challenge, and it
seems plain to us that it has yet to be met. We share the view
of ISSA-UK and the BCS: "In the security field, public-private
partnerships tend to be talking shops rather than joint ventures.
They are useful for sharing best practices but by themselves are
unlikely to drive through the required levels of change"
(p 145). Talking to the industry, and emphasising the importance
of doing so, is a far cry from fully involving experienced Internet
entrepreneurs in the formulation of Government policy. We regard
this as essential if the policy is to be firmly grounded in reality,
for the benefit of users and of the industry.
79. It is clear to us that, despite good intentions,
the involvement of Internet entrepreneurs in the formulation of
Government policy is as yet at best superficial. Both the Government
and the Commission seem to think that it is for the private sector
to come forward. We think that, on the contrary, it is for the
public sector to take the initiative and to offer to experienced
Internet entrepreneurs a real say in how public private partnerships
are best developed.
The EU and NATO
80. The EU and NATO have a considerable overlap
in their respective memberships. In an earlier report dealing
with civil protection we have drawn attention to inadequate cooperation
and coordination between the two bodies, so that the work of each
tends too often to duplicate the work of the other, rather than
complementing it.[39]
Where cyber-attacks are launched against NATO Member States it
is perhaps natural that NATO should see itself as having a significant
part to play. We asked our witnesses whether NATO should in fact
have a role, and if so, what this should be.
81. Since the attacks on Estonia in 2007, NATO
itself has been in no doubt that defending its Member States against
cyber-attacks is one of its responsibilities. In October 2008
the Cooperative Cyber Defence Centre of Excellence, which had
been set up in Tallinn in May 2008, was accredited to NATO by
a decision of the North Atlantic Council. In April 2008 NATO had
launched its Policy on Cyber Defence which allows for extended
cyber defence if requested from NATO Member States. The new policy
envisages a common coordinated approach to cyber defence and any
response to cyber-attacks. It does not allow for pre-emptive operations,
but reflects an understanding that militarised cyber-war is inherently
escalatory. Through its Cyber Defence Management Authority (CDMA)
established by the Policy, NATO has the authority to respond immediately
to cyber-attacks on its Member States and to deploy support teams.
It holds annual "red team" exercises aimed at engendering
cooperation and awareness across the NATO community. NATO evidently
hopes that its operations can provide a model of best practice
that can filter down to national levels.[40]
82. Dr Marsh told us: "There is no
one way to protect the Internet; many organisations have a role
to play in this and clearly NATO has a role itself in protecting
certain networks, the EU has a role and national bodies have a
role as well" (Q 34). However, Lord West was more doubtful
that NATO had any part to play. Asked whether we should be looking
more to NATO to protect the Internet, he replied that he did not
regard them as the appropriate body unless an individual member's
security was threatened: "If the security of one nation was
involved we could draw on some of their abilities" (Q 275).
83. Professor Anderson explained his reservations
about NATO having a role. "First, on the technical side,
NATO tried for many, many years and failed, for example, to get
agreement between NATO Member States on technical standards for
identifying friend and foe in the military ... The second reservation
that I have about that is that, if you make NATO lead agency rather
than the European Union or ENISA, you intrinsically make cooperation
with the Russians much harder" (Q 250).
84. It is unclear what the Commission's own views
are about the involvement of NATO. The Communication itself has
a single reference to NATO: "This initiative takes into account
NATO activities on common policy on cyber defence, i.e. the Cyber
Defence Management Authority and the Cooperative Cyber Defence
Centre of Excellence." Just what account is taken of these
matters, and whether, and if so how, they affect the Commission's
proposals, is not vouchsafed. Nor, when we put to Mr Servida
the question of cooperation between the two institutions, did
we get a very satisfactory answer: "The relationship of the
institution with NATO is mostly with Solana, the Office of External
Relations and I must say that, in preparation of the policy proposal
that is on the table today, Commissioner Reding actually met the
Secretary-General of NATO at that time to address a very specific
aspect, that is the aspect of how to work with the private sector"
(Q 117). Mr Servida then explained some of the initiatives
of NATO with the private sector, but we are still in the dark
as to how the EU and NATO will, in planning protection against
and combating major cyber-attacks, complement each other's work
rather than duplicating it.
85. The Communication mentions NATO only once.
The EU and NATO should urgently develop their thinking on working
together, and the Government should encourage this to happen,
to achieve cooperation rather than duplication.
86. Just as with other aspects of civil protection,
there is considerable overlap between the roles of the EU and
NATO in relation to cyber-attacks, and cooperation between them
should be put on a more formal basis.
87. The institutional changes introduced by
the Treaty of Lisbon, and in particular the merging of the external
relations responsibilities of the Commission and the Council Secretariat,
should enable a more coherent approach to be taken.
Resilience exercises
88. When he gave evidence to us early in November
2009 Mr Smith explained that on 11 and 12 November the Government
would be running Exercise White Noise, the first major test in
the United Kingdom of a (simulated) catastrophic communications
failure (Q 39). The exercise would test the Government's
strategic response to a widespread failure of the United Kingdom
telecommunications system, lasting for a number of days. It was
part of an ongoing programme of civil contingencies exercises
that rehearsed and thereby improved the efficiency of the United
Kingdom response to a range of emergency scenarios. A month after
the exercise Mr Smith gave further details.
BOX 3
Exercise White Noise
The scenario focused on the consequences of a widespread failure of the United Kingdom Public Switched Telephone Network. The hypothetical failure was introduced through an unspecified technical error by a foreign operator with a connection to the United Kingdom. The effect of the failure was that all fixed line and mobile operators in the United Kingdom lost the ability to connect calls both within their own networks and between each other's systems; no voice telephony, either fixed line or mobile, was possible within the UK unless it was over either a private wire/network or Voice Over Internet Protocol (VOIP) telephony system. The simulated fault meant that the Internet and other forms of Internet Protocol communication (e.g. email and VOIP) were possible; however fax, dial-up Internet, mobile phones (including mobile data), international connections and access to the 999 service all failed under this scenario.
The focus of the exercise for Government was to mitigate the effects of the failure on citizens, while ensuring that the telecoms networks were restored to normal operation as quickly as possible. Telecoms operators needed to isolate their systems from each other in order to correct the fault and re-establish their ability to carry traffic over their networks. The United Kingdom telecoms network is in fact a complex set of interlinking networks, all owned by private companies. The interconnections and the flow of traffic between networks are determined by commercial contracts between individual telecoms companies. This makes establishing priorities for reconnection and co-ordination between the telecoms operators and Government following a major incident complex.[41]
89. Mr Smith told us that the exercise was
a success, as judged by the participants (over 95% of whom stated
in the post-exercise survey that they had learned from the exercise),
by Exercise Control and by the Department for Business, Innovation
and Skills (BIS) as lead Department. The exercise identified some
key areas where the response could be improved. These were being
reviewed, and action would be taken over the coming year to address
the issues (p 24). On 12 February 2010 Stephen Timms MP,
a Parliamentary Under-Secretary of State at BIS, wrote to say
he thought the exercise was realistic in terms of the pressure
such an event would place on ministers and officials. It was in
particular clear that the Government needed to work with the industry
"to avoid the obvious problem of not being able to manage
a communications failure through lack of communications"
(p 111).
90. In their Communication the Commission invite
Member States "to develop national contingency plans and
organise regular exercises for large-scale network security incident
response and disaster recovery, as a step towards closer pan-European
coordination". The target is for each Member State to run
at least one national exercise by the end of 2010. This would
lead to pan-European exercises on large-scale network security
incidents; again, the target was to design and run the first such
exercise by the end of 2010. Dr Udo Helmbrecht, the Executive
Director of ENISA, told us that it was now part of ENISA's work
programme that there should be an exercise in 2010. He added:
"I know that the military community has a lot of expertise
in how to do exercises, so we do not have to invent the wheel
again" (Q 201).
91. With the exception of Sweden, other Member
States have not yet run such exercises, so it may be that a pan-European
exercise would be premature and of limited use until at least
the majority of Member States with a developed cyber system have
run their own national exercises. As the Government said, this
is an area where preparedness needs to be built up in individual
Member States before becoming effective at EU level.[42]
We understand from NATO's exercise director, Major Carlos S. Torralba,
that NATO has run two cyber-exercises in the last two years, and
that although the United Kingdom has participated in these only
as an observer, it will play a full part in the exercise planned
for 2010. Further annual exercises are planned, evidence of the
importance which NATO continues to attach to the need for robust
defences against cyber-attacks.
92. We hope that the United Kingdom and other
Member States with a capacity for protection against cyber-attacks
will shape Commission thinking as to when a pan-European exercise
might be of value. An exercise involving the US might be beneficial.
This points again to the need for close cooperation between the
EU and NATO.
Timescales
93. In the case of much that is proposed in the
Communication, our witnesses thought the suggested timetables
were unrealistic, but particularly in the case of resilience exercises.
In their Explanatory Memorandum, submitted in April 2009 less
than a month after the publication of the Communication, and so
still 20 months from the end of 2010, the Government described
the timetable for emergency response exercises as "highly
aspirational".[43]
Mr Smith, who on the day he gave evidence to us was just
concluding the organisation of Exercise White Noise, and was therefore
particularly well-placed to speak, told us frankly: "What
we worry about is how realistic this would be to expect every
country to do this by the end of 2010; frankly, that is not
going to happen; how realistic it is to have really large-scale
exercises in Europe ... Again, that would be a major challenge,
to put it politely, to do that in the next 18 months" (Q 39).
Lord West felt able to be more forthright: "... the thought
of a pan-European exercise on the scale they are talking about
[by the end of 2010] is really not a starter. If they tried to
do it, and it would be then probably without proper preparation,
you would not learn anything from it, it would just be a bit of
a mess." He suggested that the Commission should set their
sights lower and do a rather smaller-scale exercise first of all,
learn the lessons from that, see what problems and issues arose,
and only then move to something bigger (Q 286).
94. We agree with the Government that the
Commission's timetable for a pan-European exercise in the course
of this year is unrealistic. Instead, as a first step, they should
encourage the majority of Member States to have carried out national
resilience exercises by the end of the year.
95. It is not only in the case of exercises that
our witnesses thought many of the Commission's target dates over-ambitious.
The Government referred to the view expressed in their Explanatory
Memorandum, and added: "We have now clear evidence that the
Commission is seeking to make progress on all of the key activities
in the timescale envisaged. We still believe that some of the
ideas for what Member States should do, particularly in terms
of carrying out exercises, will prove to be unrealistic"
(p 11).
96. ISSA-UK and the BCS thought there were potential
short-term matters, such as the establishment of a shared, global
infrastructure and response capability to detect botnets, which
could be achieved by the end of 2010, but added: "It is hard
to imagine that any major change could be driven through in such
a short timescale. Cyber security demands immediate attention
but most change needs to evolve through distinct stages of process
maturity over a number of years" (p 146). The Payments
Council, the organisation responsible for developing tactical
and strategic responses to threats to payment services, concluded:
"This is an enduring problem that will require a well thought-through
strategic response and it will therefore not be feasible to implement
this by the end of 2010. Existing structures have taken many years
to evolve and become effective following a process of trial and
effort and numerous false starts. We recommend that the Commission
takes this opportunity to adopt a more flexible approach that
takes a longer term view, and that builds on existing successes
rather than attempt to create too much that is new" (p 157).
97. Mr Cormack, looking at the effect the
proposed timetable would have on ENISA, described it as "quite
an aggressive timescale," and thought that with their current
resources ENISA would struggle with it (Q 102).
98. It is not only in the case of resilience
exercises that our witnesses thought many of the Commission's
target dates over-ambitious. We hope the Commission will accept
that changes that are meticulously prepared will be more valuable
than any designed only to meet artificial deadlines.
31 COM(2009)149 final, Council document 8375/09. http://register.consilium.europa.eu/pdf/en/09/st08/st08375.en09.pdf
32 The impact assessment is in three parts and can be found at: http://register.consilium.europa.eu/pdf/en/09/st08/st08375-ad01.en09.pdf, http://register.consilium.europa.eu/pdf/en/09/st08/st08375-ad02.en09.pdf and http://register.consilium.europa.eu/pdf/en/09/st08/st08375-ad03.en09.pdf. A summary of the impact assessment can be found at: http://register.consilium.europa.eu/pdf/en/09/st08/st08375-ad03.en09.pdf.
33 Summary of impact assessment, sections 4 and 5.
34 It is clear from the remainder of ENISA's evidence that it does not think it is for the EU as such "to act in case of major disruptions".
35 http://10.160.3.10:81/PIMS/Static%20Files/Extended%20File%20Scan%20Files/EUROPEAN_SCRUTINY/European%20Explanatory%20Memorandum/ES%2030528.pdf
36 Definition taken from "Inventory of CERT activities in Europe", ENISA, September 2007.
37 The expression "public private partnership" is often used to describe the forum for the Private Finance Initiative (PFI). Like the Commission and the majority of our witnesses, we use it simply to indicate a close working relationship between governments and the private sector.
38 The Group brings together representatives of the telecommunications industry and the relevant Government departments, Ofcom and other bodies. It is chaired by a representative of the industry.
39 Civil Protection and Crisis Management in the European Union (6th Report, Session 2008-09, HL Paper 43).
40 Written evidence of Tim Stevens, p 162. See also the report of the NATO Parliamentary Assembly "NATO and Cyber Defence", http://www.nato-pa.int/Default.asp?SHORTCUT=1782.
41 Extracted from the supplementary evidence from the Department for Business, Innovation and Skills (BIS), pp 23-24.
42 Explanatory Memorandum, 28 April 2009, paragraph 14.
43 Ibid.