Explanatory Memorandum to COM(2013)48 - Measures to ensure a high common level of network and information security across the Union

The aim of the proposed Directive is to ensure a high common level of network and information security (NIS). This means improving the security of the Internet and the private networks and information systems underpinning the functioning of our societies and economies. This will be achieved by requiring the Member States to increase their preparedness and improve their cooperation with each other, and by requiring operators of critical infrastructures, such as energy, transport, and key providers of information society services (e-commerce platforms, social networks, etc.), as well as public administrations to adopt appropriate steps to manage security risks and report serious incidents to the national competent authorities.

This proposal is presented in connection with the joint Communication of the Commission and High Representative of the Union for Foreign Affairs and Security Policy on a European Cybersecurity Strategy. The objective of the Strategy is to ensure a secure and trustworthy digital environment, while promoting and protecting fundamental rights and other EU core values. This proposal is the main action of the Strategy. Further actions under the Strategy in this area focus on raising awareness, developing an internal market for cybersecurity products and services, and fostering R&D investment. These actions will be complemented by others aimed at stepping up the fight against cybercrime and building an international cybersecurity policy for the EU.

1.1. Reasons for and objectives of the proposal

NIS is increasingly important to our economy and society. NIS is also an important precondition to create a reliable environment for worldwide trade in services. However, information systems can be affected by security incidents, such as human mistakes, natural events, technical failures or malicious attacks. These incidents are becoming bigger, more frequent, and more complex. The Commission’s online public consultation on ‘Improving network and information security in the EU’ found that 57 % of respondents had experienced NIS incidents over the previous year that had a serious impact on their activities. Lack of NIS can compromise vital services depending on the integrity of network and information systems. This can stop businesses functioning, generate substantial financial losses for the EU economy and negatively affect societal welfare.

Moreover, as a borderless communication instrument, digital information systems, in particular the internet, are interconnected across Member States and play an essential role in facilitating the cross-border movement of goods, services and people. Substantial disruption of these systems in one Member State can affect other Member States and the EU as a whole. The resilience and stability of network and information systems is therefore essential to the completion of the Digital Single Market and the smooth functioning of the Internal Market. The likelihood and frequency of incidents and the inability to ensure efficient protection also undermine public trust and confidence in network and information services: for example, the 2012 Eurobarometer on Cybersecurity found that 38 % of EU internet users are concerned about the safety of online payments and have changed their behaviour because of concerns with security issues: 18 % are less likely to buy goods online and 15 % are less likely to use online banking.

The current situation in the EU, reflecting the purely voluntary approach followed so far, does not provide sufficient protection against NIS incidents and risks across the EU. Existing NIS capabilities and mechanisms are simply insufficient to keep pace with the fast-changing landscape of threats and to ensure a common high level of protection in all the Member States.

Despite the initiatives undertaken, the Member States have very different levels of capabilities and preparedness, leading to fragmented approaches across the EU. Given the fact that networks and systems are interconnected, the overall NIS of the EU is weakened by those Member States with an insufficient level of protection. This situation also hinders the creation of trust among peers, which is a prerequisite for cooperation and information sharing. As a result, there is cooperation only among a minority of Member States with a high level of capabilities.

Therefore, there is currently no effective mechanism at EU level for cooperation and collaboration and for trusted information sharing on NIS incidents and risks among the Member States. This may result in uncoordinated regulatory interventions, incoherent strategies and divergent standards, leading to insufficient protection against NIS incidents and risks across the EU. Internal Market barriers may also arise, generating compliance costs for companies operating in more than one Member State.

Finally, the players managing critical infrastructure or providing services essential to the functioning of our societies are not under appropriate obligations to adopt risk management measures and exchange information with relevant authorities. On the one hand, therefore, businesses lack effective incentives to conduct serious risk management, involving risk assessment and taking appropriate steps to ensure NIS. On the other hand, a large proportion of incidents do not reach the competent authorities and go unnoticed. However, information on incidents is essential for public authorities to react, take appropriate mitigating measures, and set adequate strategic priorities for NIS.

The current regulatory framework requires only telecommunication companies to adopt risk management steps and to report serious NIS incidents. However, many other sectors rely on ICT as an enabler and should therefore be concerned about NIS as well. A number of specific infrastructure and service providers are particularly vulnerable, due to their high dependence on correctly functioning network and information systems. These sectors play an essential role in providing key support services for our economy and society, and the security of their systems is of particular importance to the functioning of the Internal Market. These sectors include banking, stock exchanges, energy generation, transmission and distribution, transport (air, rail, maritime), health, internet services and public administrations.

A step-change is therefore needed in the way NIS is dealt with in the EU. Regulatory obligations are required to create a level playing field and close existing legislative loopholes. To address these problems and increase the level of NIS within the European Union, the objectives of the proposed Directive are as follows.

First, the proposal requires all the Member States to ensure that they have in place a minimum level of national capabilities by establishing competent authorities for NIS, setting up Computer Emergency Response Teams (CERTs), and adopting national NIS strategies and national NIS cooperation plans.

Secondly, the national competent authorities should cooperate within a network enabling secure and effective coordination, including coordinated information exchange as well as detection and response at EU level. Through this network, Member States should exchange information and cooperate to counter NIS threats and incidents on the basis of the European NIS cooperation plan.

Thirdly, based on the model of the Framework Directive for electronic communications, the proposal aims to ensure that a culture of risk management develops and that information is shared between the private and public sectors. Companies in the specific critical sectors outlined above and public administrations will be required to assess the risks they face and adopt appropriate and proportionate measures to ensure NIS. These entities will be required to report to the competent authorities any incidents seriously compromising their networks and information systems and significantly affecting the continuity of critical services and supply of goods.

1.2. General context

Already in 2001, in its Communication ‘Network and Information Security: Proposal for A European Policy Approach’, the Commission outlined the increasing importance of NIS. This was followed by the adoption in 2006 of a Strategy for a Secure Information Society, aiming to develop a culture of NIS in Europe. Its main elements were endorsed in a Council Resolution.

The Commission further adopted, on 30 March 2009, a Communication on Critical Information Infrastructure protection (CIIP) focusing on the protection of Europe from cyber disruptions by enhancing security. The Communication launched an action plan to support Member States’ efforts to ensure prevention and response. The Action Plan was endorsed in the Presidency Conclusions of the Ministerial Conference on CIIP in Tallinn in 2009. On 18 December 2009 the Council adopted a Resolution on ‘A collaborative European approach to network and information security’[7].

The Digital Agenda for Europe (DAE), adopted in May 2010, and the related Council Conclusions[9] highlighted the shared understanding that trust and security are fundamental pre-conditions for the wide uptake of ICT and thus for achieving the objectives of the ‘smart growth’ dimension of the Europe 2020 Strategy[10]. Under its Trust and Security chapter, the DAE emphasised the need for all stakeholders to join forces in a holistic effort to ensure the security and resilience of ICT infrastructure, by focusing on prevention, preparedness and awareness, as well as to develop effective and coordinated security mechanisms. In particular, key action 6 of the Digital Agenda for Europe calls for measures aimed at a reinforced and high-level NIS policy.

In its Communication on CIIP of March 2011 on ‘Achievements and next steps: towards global cyber-security’[11], the Commission took stock of the results achieved since the adoption of the CIIP action plan in 2009, concluding that the implementation of the plan showed that purely national approaches to tackling the security and resilience challenges are not sufficient, and that Europe should continue its efforts to build a coherent and cooperative approach across the EU. The 2011 CIIP Communication announced a number of actions, with the Commission calling upon the Member States to set up NIS capabilities and cross-border cooperation. Most of these actions should have been completed by 2012, but have not yet been implemented.

In its Conclusions of 27 May 2011 on CIIP, the Council of the European Union stressed the pressing need to make ICT systems and networks resilient and secure against all possible disruptions, whether accidental or intentional, to develop across the EU a high level of preparedness, security and resilience capabilities, to upgrade technical competences to allow Europe to meet the challenge of network and information infrastructure protection, and to foster cooperation between the Member States by developing incident cooperation mechanisms between the Member States.

1.3. Existing European Union and international provisions in this area

Under Regulation (EC) No 460/2004, the European Community established in 2004 the European Network and Information Security Agency (ENISA)[12], with the aim of contributing to ensuring a high level and developing a culture of NIS within the EU. A proposal to modernise the mandate of ENISA was adopted on 30 September 2010[13] and is under discussion in the Council and the European Parliament. The revised regulatory framework for electronic communications[14], in force since November 2009, imposes security obligations on electronic communication providers[15]. These obligations had to be transposed at national level by May 2011.

All players that are data controllers (for example banks or hospitals) are obliged by the data protection regulatory framework[16] to put in place security measures to protect personal data. Also, under the 2012 Commission proposal for a General Data Protection Regulation[17], data controllers would have to report breaches of personal data to the national supervisory authorities. This means that, for example, a NIS security breach affecting the provision of a service without compromising personal data (e.g. an ICT outage at a power company resulting in a blackout) would not have to be notified.

Under Directive 2008/114 on the identification and designation of European Critical Infrastructures and the assessment of the need to improve their protection, the ‘European Programme for Critical Infrastructure Protection (EPCIP)’[18] sets out the overall ‘umbrella’ approach to the protection of critical infrastructures in the EU. The objectives of EPCIP are fully consistent with this proposal and the Directive should apply without prejudice to Directive 2008/114. EPCIP does not oblige operators to report significant breaches of security and does not set up mechanisms for the Member States to cooperate and respond to incidents.

The co-legislators are currently discussing the Commission proposal for a Directive on attacks against information systems[19], which aims to harmonise the criminalisation of specific types of conduct. It covers only the criminalisation of specific types of conduct and does not address the prevention of NIS risks and incidents, the response to NIS incidents and the mitigation of their impact. The present Directive should apply without prejudice to the Directive on attacks against information systems.

On 28 March 2012, the Commission adopted a Communication on the establishment of a European Cybercrime Centre (EC3)[20]. This Centre, established on 11 January 2013, is part of the European Police Office (EUROPOL) and acts as the focal point in the fight against cybercrime in the EU. EC3 is intended to pool European cybercrime expertise to support the Member States in capacity building, provide support to Member States’ cybercrime investigations and, in close cooperation with Eurojust, become the collective voice of European cybercrime investigators across law enforcement and the judiciary.

The European Institutions, agencies and bodies have set up their own Computer Emergency Response Team, called CERT-EU.

At international level, the EU works on cybersecurity at both bilateral and multilateral level. The 2010 EU-US Summit[21] saw the establishment of the EU-US Working Group on Cybersecurity and Cybercrime. The EU is also active in other relevant multilateral fora, such as the Organisation for Economic Co-operation and Development (OECD), the United Nations General Assembly (UNGA), the International Telecommunication Union (ITU), the Organisation for Security and Co-operation in Europe (OSCE), the World Summit on the Information Society (WSIS) and the Internet Governance Forum (IGF).

2. RESULTS OF CONSULTATIONS WITH THE INTERESTED PARTIES AND IMPACT ASSESSMENTS

2.1. Consultation with interested parties and use of expertise

An online public consultation on ‘Improving NIS in the EU’ ran between 23 July and 15 October 2012. In total, the Commission received 160 responses to the online questionnaire.

The key outcome was that stakeholders showed general support for the need to improve NIS across the EU. In particular: 82.8 % of respondents expressed the view that governments in the EU should do more to ensure a high level of NIS; 82.8 % were of the opinion that users of information and systems were unaware of existing NIS threats and incidents; 66.3 % would in principle be in favour of introducing a regulatory requirement to manage NIS risks; and 84.8 % said that such requirements should be set at EU level. A high number of respondents thought that it would be important to adopt NIS requirements in the following sectors in particular: banking and finance (91.1 %), energy (89.4 %), transport (81.7 %), health (89.4 %), internet services (89.1 %), and public administrations (87.5 %). Respondents also considered that if a requirement to report NIS security breaches to the national competent authority were introduced, it should be set at EU level (65.1 %) and affirmed that public administrations should also be subject to it (93.5 %). Finally, respondents affirmed that a requirement to implement NIS risk management in line with the state of the art would entail for them no significant additional costs (63.4 %), and that a requirement to report security breaches would cause no significant additional costs (72.3 %).

Member States were consulted in a number of relevant Council configurations, in the context of the European Forum for Member States (EFMS), at the Conference on Cybersecurity organised by the Commission and the European External Action Service on 6 July 2012, and in dedicated bilateral meetings convened at the request of individual Member States.

Discussions with the private sector were also held within the European Public-Private Partnership for Resilience[22] and through bilateral meetings. As for the public sector, the Commission held discussions with ENISA and the CERT for the EU institutions.

2.2. Impact assessment

The Commission has carried out an impact assessment of three policy options:

Option 1: Business as usual (baseline scenario): maintaining the current approach;

Option 2: Regulatory approach, consisting of a legislative proposal establishing a common EU legal framework for NIS regarding Member State capabilities, mechanisms for EU-level cooperation, and requirements for key private players and public administrations;

Option 3: Mixed approach, combining voluntary initiatives for Member State NIS capabilities and mechanisms for EU-level cooperation with regulatory requirements for key private players and public administrations.

The Commission concluded that Option 2 would have the strongest positive impacts, as it would considerably improve the protection of EU consumers, business and governments against NIS incidents. In particular, the obligations placed on the Member States would ensure adequate preparedness at national level and would contribute to a climate of mutual trust, which is a precondition for effective cooperation at EU level. The setting up of mechanisms for cooperation at EU level via the network would deliver coherent and coordinated prevention and response to cross-border NIS incidents and risks. The introduction of requirements to implement NIS risk management for public administrations and key private players would create a strong incentive to manage security risks effectively. The obligation to report NIS incidents with a significant impact would enhance the ability to respond to incidents and foster transparency. Moreover, by putting its own house in order, the EU would be able to extend its international reach and become an even more credible partner for cooperation at bilateral and multilateral level. The EU would hence also be better placed to promote fundamental rights and EU core values abroad.

The quantitative assessment showed that Option 2 would not impose a disproportionate burden on Member States. The costs for the private sector would also be limited since many of the entities concerned are already supposed to comply with existing security requirements (namely the obligation for data controllers to take technical and organisational measures to secure personal data, including NIS measures). Existing spending on security in the private sector has also been taken into account.

This proposal observes the principles recognised by the Charter of Fundamental Rights of the European Union, notably the right to respect for private life and communications, the protection of personal data, the freedom to conduct a business, the right to property, the right to an effective remedy before a court and the right to be heard. This Directive must be implemented according to these rights and principles.

3. LEGAL ELEMENTS OF THE PROPOSAL

3.1. Legal basis

The European Union is empowered to adopt measures with the aim of establishing or ensuring the functioning of the Internal Market, in accordance with the relevant provisions of the Treaties (Article 26 of the Treaty on the Functioning of the European Union — TFEU). Under Article 114 TFEU, the EU can adopt ‘measures for the approximation of the provisions laid down by law, regulation or administrative action in Member States which have as their object the establishment and functioning of the internal market’.

As indicated above, network and information systems play an essential role in facilitating the cross-border movement of goods, services and people. They are often interconnected, and the internet is global in nature. Given this intrinsic transnational dimension, a disruption in one Member State can also affect other Member States and the EU as a whole. The resilience and stability of network and information systems is therefore essential to the smooth functioning of the Internal Market.

The EU legislator has already recognised the need to harmonise NIS rules to ensure the development of the Internal Market. In particular, this was the case for Regulation 460/2004 establishing ENISA[23], which is based on Article 114 TFEU.

The disparities resulting from uneven NIS national capabilities, policies and level of protection across the Member States lead to barriers to the Internal Market and justify EU action.

3.2. Subsidiarity

European intervention in the area of NIS is justified by the subsidiarity principle.

Firstly, considering the cross-border nature of NIS, non-intervention at EU level would lead to a situation where each Member State would act alone, disregarding the interdependencies among EU network and information systems. An appropriate degree of coordination among the Member States would ensure that NIS risks could be well managed in the cross-border context in which they arise. Divergences in NIS regulations represent a barrier to companies wanting to operate in several countries and to the achievement of global economies of scale.

Secondly, regulatory obligations at EU level are needed to create a level playing field and close legislative loopholes. A purely voluntary approach has resulted in cooperation only among a minority of Member States with a high level of capabilities. In order to involve all the Member States, it is necessary to ensure that they all have the required minimum level of capability. NIS measures adopted by governments need to be consistent with one another and be coordinated to contain and minimise the consequences of NIS incidents. Within the network, through exchange of best practices and continuous involvement of ENISA, the competent authorities and the Commission will cooperate to facilitate a convergent implementation of the Directive across the EU. In addition, concerted NIS policy actions can have a strong positive impact for the effective protection of fundamental rights, and specifically the right to the protection of personal data and privacy. Action at EU level would therefore improve the effectiveness of existing national policies and facilitate their development.

The proposed measures are also justified on grounds of proportionality. The requirements for the Member States are set at the minimum level necessary to achieve adequate preparedness and to enable cooperation based on trust. This also enables Member States to take due account of national specificities and ensures that the common EU principles are applied in a proportionate manner. The wide scope of application will allow the Member States to implement the Directive in light of the actual risks faced at national level as identified in the national NIS strategy. The requirements to implement risk management target only critical entities and impose measures that are proportionate to the risks. The public consultation underlined the importance of ensuring the security of these critical entities. The reporting requirements would concern only incidents with a significant impact. As indicated above, the measures would not impose disproportionate costs, as many of these entities as data controllers are already required by the current data protection rules to secure the protection of personal data.

To avoid imposing a disproportionate burden on small operators, in particular on SMEs, the requirements are proportionate to the risk presented by the network or information system concerned and should not apply to micro enterprises. The risks will have to be identified in the first place by the entities subject to these obligations, which will have to decide on the measures to be adopted to mitigate such risks.

The stated objectives can be better achieved at EU level, rather than by the Member States alone, in view of the cross-border aspects of NIS incidents and risks. Therefore, the EU may adopt measures in accordance with the principle of subsidiarity as set out in Article 5 of the Treaty on European Union. In accordance with the principle of proportionality, the proposed Directive does not go beyond what is necessary in order to achieve those objectives.

To achieve the objectives, the Commission should be empowered to adopt delegated acts in accordance with Article 290 of the Treaty on the Functioning of the European Union, in order to supplement or amend certain non-essential elements of the basic act. The Commission's proposal also strives to support a process of proportionality in the implementation of the obligations placed upon private and public operators.

In order to ensure uniform conditions for the implementation of the basic act, the Commission should be empowered to adopt implementing acts in accordance with Article 291 of the Treaty on the Functioning of the European Union.

Considering in particular the broad scope of the proposed Directive, the fact that it tackles heavily regulated domains, and the legal obligations deriving from its Chapter IV, Explanatory Documents should accompany the notification of transposition measures. In accordance with the Joint Political Declaration of Member States and the Commission on explanatory documents of 28 September 2011, Member States have undertaken to accompany, in justified cases, the notification of their transposition measures with one or more documents explaining the relationship between the components of a Directive and the corresponding parts of national transposition instruments. With regard to this Directive, the legislator considers the transmission of such documents to be justified.

4. BUDGETARY IMPLICATIONS

Cooperation and exchange of information between Member States should be supported by a secure infrastructure. The proposal will have EU budgetary implications only if Member States choose to adapt an existing infrastructure (e.g. sTESTA) and task the Commission to implement this under the MFF 2014-2020. The one-off cost is estimated to be EUR 1 250 000 and would be borne by the EU budget, budget line 09.03.02 (to promote the interconnection and interoperability of national public services online as well as access to such networks — Chapter 09.03, Connecting Europe Facility — telecommunications networks) on condition that sufficient funds are available under CEF. Alternatively, Member States can either share the one-off cost of adapting an existing infrastructure or decide to set up a new infrastructure and bear the costs, which are estimated to be approximately EUR 10 million per year.