32003G0228(01)

Council Resolution

of 18 February 2003

on a European approach towards a culture of network and information security

(2003/C 48/01)

THE COUNCIL OF THE EUROPEAN UNION,

RECALLING:

1. the Communication from the Commission to the Council, the European Parliament, the European Economic and Social Committee and the Committee of the Regions - Network and Information Security: Proposal for a European Policy Approach;

2. the Council Resolution of 30 May 2001 on the "eEurope Action Plan: Information and Network Security";

3. the Council Resolution of 28 January 2002 on a common approach and specific actions in the area of network and information security(1);

4. the eEurope 2005 action plan endorsed by the Seville European Council in June 2002;

5. the opinion of the European Parliament on the European Commission Communication on Network and Information Security: Proposal for a European Policy Approach;

ACCORDINGLY STRESSES THAT:

1. with the development of information society services, network and information security is an increasingly vital issue for the daily life of citizens, businesses and public administrations contributing to the proper functioning of the Internal Market;

2. Member States and the European institutions must further develop a comprehensive European strategy for network and information security and strive towards "a culture of security" taking into account the importance of international cooperation;

3. the OECD Guidelines for the security of Information Systems and Networks are considered a valuable model for developing policies which achieve a culture of security while respecting democratic values and the importance of personal data protection;

4. care must be taken to respect privacy rights. Citizens and enterprises must have confidence that information is handled accurately, confidentially and reliably;

5. in developing a culture of security a significant task will be to clarify the responsibility for the security of networks and information systems for all stakeholders;

6. Europe needs to ensure the development and deployment of an appropriate skillbase in the field of network and information security;

7. there is a need for increased transparency, information exchange and cooperation between Member States, European institutions and the private sector;

8. coherent security policy development at European level requires cross-pillar transparency and cooperation;

9. the ongoing work to fulfil the commitments made in the Council Resolution of 28 January 2002 on a common approach and specific actions in the area of network and information security has to be continued.

THEREFORE INVITES MEMBER STATES TO:

1. promote security as an essential component in public and private governance, in particular by encouraging assignment of responsibilities;

2. provide for appropriate education and vocational training, as well as awareness-raising, particularly among young people, to security issues;

3. take adequate measures to prevent and respond to security incidents, in particular through:

(a) the continuous improvement of the identification and assessment of security problems and the application of appropriate controls;

(b) the establishment of effective ways of communicating the need for action to all stakeholders by reinforcing the dialogue at European and national levels and, where appropriate, international levels in particular with those supplying information society technology and services;

(c) addressing appropriate information exchange corresponding to the needs of society to remain informed on good practices related to security;

4. encourage cooperation and partnerships between academia and enterprises to provide secure technologies and services and to encourage development of recognised standards.

WELCOMES THE INTENTION OF THE COMMISSION TO:

1. apply the open method of coordination in relation to Member States' ongoing actions and to assess their impact on security;

2. set up a temporary interdisciplinary working group in close cooperation with and composed of Member States representatives to conduct preparatory actions with a view to the establishment of a Cyber-Security Task Force as referred to in the Council Resolution of 28 January 2002;

3. further develop, in cooperation with Member States, a dialogue with industry to improve security in the development of hardware and software products and ensure the availability of services and data;

4. establish contacts with relevant international partners and international organisations with a view to cooperation and exchange of information in this area and to report to the Council on a regular basis;

5. establish the Cyber-Security Task Force referred to in point 2.

CALLS UPON:

1. industry to integrate the management of security risks into the mainstream of management thinking and business engineering;

2. all users to take a holistic view of the risks associated with information systems and look at the threats arising from physical events, human failings as well as technological vulnerabilities and deliberate attacks;

3. industry and all users to enter into dialogue with governments in developing a culture of security.

(1) OJ C 43, 16.2.2002, p. 2.