This document is an excerpt from the EUR-Lex website
Document 52013SC0032
COMMISSION STAFF WORKING DOCUMENT IMPACT ASSESSMENT Accompanying the document Proposal for a Directive of the European Parliament and of the Council Concerning measures to ensure a high level of network and information security across the Union
/* SWD/2013/032 final */
TABLE OF CONTENTS

IMPACT ASSESSMENT
1. Scope
2. Procedural issues and consultation of interested parties
2.1. Identification
2.2. Organisation and timing
2.3. Impact assessment process
3. Policy context in the area of NIS
4. Problem statement
4.1. Problem definition: What is the problem?
4.1.1. Disruptions to the EU internal market
4.1.2. Rising number, frequency and complexity of NIS incidents, and incomplete view of their frequency and gravity
4.1.3. Affecting all actors in the society and economy
4.1.4. Sectors where the well-functioning of network and information security is key to preserve the well-functioning of the internal market
4.1.5. What will happen if further measures are not adopted
4.1.5.1. Undermined consumer confidence in the internal market
4.1.5.2. Insufficient business investments in NIS
4.1.5.3. Lack of credibility in the international scene
4.2. Problem drivers: What is the reason behind the problem?
4.2.1. Uneven level of capabilities across the EU
4.2.1.1. Preparedness
4.2.1.2. Response
4.2.2. Insufficient sharing of information on incidents, risks and threats
5. Effectiveness of existing measures
5.1. There are loopholes in the existing regulatory framework
5.2. The limits of a voluntary approach
5.3. Approach in other regions of the world
5.4. Need of EU intervention, subsidiarity and proportionality
5.4.1. The EU right to act – Legal basis
5.4.2. Subsidiarity test
5.4.3. Proportionality of the approach
6. Objectives
6.1. Overview of general, specific and operational objectives
6.2. Intervention logic
7. Policy options
7.1. Discarded Option
7.1. Option 1 – Business as usual (‘Baseline scenario’)
7.2. Option 2 – Regulatory approach
7.3. Option 3 - Mixed approach
8. Analysis of impacts
8.1. Option 1 – Business as usual (‘Baseline scenario’)
8.2. Option 2 – Regulatory approach
8.2.1. Cost estimations
8.3. Option 3 – Mixed approach
9. Comparing the options
9.1. Overall comparison of the assessment
9.2. Overall cost-benefit analysis
10. Monitoring and evaluation
ANNEX 1: PUBLIC CONSULTATION ON NETWORK AND INFORMATION SECURITY ACROSS THE EU
ANNEX 2: ACTION PLANS AND STRATEGIES ADOPTED SO FAR IN THE FIELD OF NIS IN THE EU
ANNEX 3: ASSESSMENT OF NIS RISK MANAGEMENT COMPLIANCE COSTS FOR PUBLIC ADMINISTRATIONS AND KEY PRIVATE PLAYERS
ANNEX 4: ASSESSMENT OF COSTS RELATED TO THE REQUIREMENT TO NOTIFY NIS INCIDENTS WITH A SIGNIFICANT IMPACT AND ASSOCIATED MECHANISMS/PROCESSES
ANNEX 5: THE SME TEST
ANNEX 6: CURRENT STATE OF CAPABILITIES IN THE EU
ANNEX 7: INTERNATIONAL ORGANISATIONS AND BODIES DEALING WITH INTERNET/CYBERSECURITY
ANNEX 8: OVERVIEW OF CURRENT REGULATORY INCENTIVES FOR NIS IN THE SECTORS CONSIDERED FOR THE EXTENSION OF ART 13 TELECOM FWD IN OPTION 4 – REGULATORY APPROACH
ANNEX 9: EU EARLY WARNING AND INCIDENT HANDLING NETWORKS IN OTHER DOMAINS THAN NIS
ANNEX 10: COOPERATION FRAMEWORKS ESTABLISHED AT EU LEVEL FOR PREPAREDNESS AND RESPONSE TO CROSS-BORDER THREATS IN SPECIFIC AREAS
ANNEX 11: LEGAL AND REGULATORY ASPECTS OF INFORMATION SHARING AND CROSS-BORDER COLLABORATION OF NATIONAL/GOVERNMENTAL CERTS IN EUROPE
ANNEX 12: INTERNET 2011 IN NUMBERS
ANNEX 13: IMPACT ASSESSMENT MATRIX
ANNEX 14: LIST OF ACRONYMS

1. Scope

This impact assessment
covers policy options to improve the security of the Internet and other networks and information systems underpinning services which support the functioning of our society (e.g. public administrations, finance and banking, energy, transport, health and certain Internet services enabling key economic and societal processes, such as e-commerce platforms and social networks). This issue is referred to as Network and Information Security (NIS).

Under Article 4(c) of Regulation (EC) No 460/2004 establishing the European Network and Information Security Agency (ENISA): "network and information security" means the ability of a network or an information system to resist, at a given level of confidence, accidental events or unlawful or malicious actions that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted data and the related services offered by or accessible via these networks and systems.

This impact assessment does not cover Member States' activities concerning national security and defence.

2. Procedural
issues and consultation of interested parties

2.1. Identification

Lead DG: Communications Networks, Content and Technology (CONNECT) Directorate-General, former Information Society and Media (INFSO) Directorate-General.

Agenda planning: 2012/CNECT/003

2.2. Organisation and timing

The different aspects of the initiative have been discussed with a wide range of stakeholders. We have adopted an inclusive approach and respected the principles of participation, openness, accountability, effectiveness and coherence. The consultation included:

· Member States representatives responsible for enhancing the level of NIS and/or Critical Information Infrastructure Protection (CIIP). Discussions took place in the context of the European Forum for the Member States (EFMS) as well as in the form of dedicated meetings organised at the request of individual Member States. DG CONNECT received written inputs from 7 Member States. A stocktaking exercise on the state of play of existing NIS capabilities and mechanisms in the Member States was carried out by Commission Vice-President (VP) Neelie Kroes via a letter sent to relevant Ministers in the Member States on 28 November 2011. Almost all the Member States took part in this exercise. A follow-up letter was sent by VP Kroes to the relevant Ministers following the Telecom, Energy and Transport Council of 8 June 2012. Five Member States prepared a non-paper prior to the EU Conference on Cyber-Security that took place in Brussels on 6 July 2012 and that was jointly organised by the European Commission and the European External Action Service.

· Private sector representatives, including:

– Individual electronic communications service and network providers, Internet service providers, and industry associations (e.g. ETNO, EuroISPA, EuroIX, etc.);

– suppliers of hardware and software components for electronic communications networks and services, and industry associations (e.g. DigitalEurope, which represents large companies and SMEs);

– providers of products and services for Network and Information Security;

– representatives from the banking and financial sector and from the energy sector.

Discussions with the private sector took place in the frame of the European Public-Private Partnership for Resilience (EP3R)[1], in the Expert Group on Security and Resilience of Communications Networks and Information Systems for Smart Grids[2], as well as in bilateral meetings. A number of relevant private sector players sent written contributions to the Commission.

· The European Parliament, in particular in the Industry, Research and Energy (ITRE) and Security and Defence (SEDE) Committees.

· The European Network and Information Security Agency (ENISA) and the Computer Emergency Response Team (CERT) for the EU institutions (CERT-EU).

· An online public consultation[3] feeding directly into this impact assessment was open on the European Commission website from 23 July to 15 October 2012[4]. A total of 169 responses were received via the online tool. A further 10 responses were received in writing by the Commission, bringing the total number of replies to the public consultation to 179. The public consultation focused on a) the scale of the problem and evidence of its impact, b) options for improving NIS through an EU strategic approach and c) options for improving NIS through risk management and reporting of incidents. A summary of the questions addressed and the answers received to the public consultation is provided in Annex 1.

The total breakdown by type of respondent is the following: 88 individuals (of which 57 intend to remain anonymous); 11 public authorities (of which 5 intend to remain anonymous); 80 organisations or institutions such as businesses, research institutions and NGOs (of which 41 intend to remain anonymous). Amongst the companies that responded:

– 46% were large companies
– 20% were Small and Medium Enterprises (SMEs)
– 34% were micro enterprises

· A discussion with the general public was organised in the context of the 2012 Digital Agenda Assembly[5].

An impact assessment Inter-Service Steering Group was set up. The
following Commission services participated in the group: SG, SJ, DG AGRI, DG COMM, DG ESTAT, JRC, DG CLIMA, DG COMP, DG ECFIN, DG EAC, DG EMPL, DG MOVE, DG ENER, DG ENTR, DG ENV, DG SANCO, DG MARKT, DG HOME, DG JUST, DG REGIO, DG RTD, DG TAXUD, DG TRADE, DG BUDG, DG DIGIT, DG HR. The EEAS also participated in the group.

The Inter-Service Steering Group met four times: a kick-off meeting on 27 April 2012, a second meeting on 15 May 2012 and a third meeting on 4 June 2012 to discuss the draft impact assessment report submitted on 13 June. A fourth meeting took place on 11 October 2012 to discuss the draft impact assessment report before re-submission on 15 October 2012. Before and after the meetings, written contributions and comments on the draft impact assessment were sent by the services.

The key questions addressed to the Member States and to the private sector in the context of all the relevant consultations listed above concerned the need to improve NIS across the EU. To this end, the Commission consulted on the need to foster cooperation at EU level; the importance of building up a minimum common level of national capabilities to enable such cooperation; the pros and cons of requiring the private sector to share information with the public sector and to adopt state-of-the-art protection measures; and the establishment of such requirements at EU or national level.

Stakeholders' views on the seriousness of the problem and the options to address it are reported throughout this impact assessment where appropriate. In general, the respondents to the public consultation:

– Expressed the view that governments in the EU should do more to ensure a high level of NIS (82.8% of respondents).

– Expressed the view that users of information and systems are unaware of the existing NIS threats and incidents (82.8% of respondents) and that businesses, governments and consumers in the EU are not sufficiently aware of the behaviour to be adopted to minimise the impact of the NIS risks they face (84%).

– Would in principle be favourable to the introduction of a regulatory requirement to manage NIS risks (66.3% of respondents) at EU level (84.8% of those respondents).

– Expressed the view that it would be important to adopt NIS requirements in particular in the following sectors: banking and finance (91.1% of respondents), energy (89.4%), transport (81.7%), health (89.4%), Internet services (89.1%), public administrations (87.5%).

– Expressed the view that a requirement to adopt NIS risk management according to the state of the art would entail for them no additional significant costs (43.6%) or no additional costs at all (19.8%).

– Expressed the view that if a requirement to report NIS security breaches to the national competent authority were introduced, it should be set at EU level (65.1%), and affirmed that public administrations should also be subject to it (93.5%).

– Affirmed that a requirement to report security breaches would not cause significant additional costs (52.5%), and 19.8% said that it would not cause additional costs at all.

In the EFMS
and in written inputs to the Commission, the Member States expressed the following views:

– The Commission should develop current NIS actions and mechanisms (Germany, France), especially by means of targeted binding measures (France).

– The development of cyber-security capabilities should be accelerated within the Member States, particularly within the least advanced ones (France).

– NIS protection levels vary across Europe (Germany), and there are no mechanisms for engaging in existing cooperation mechanisms with those Member States which are less active in NIS, nor are there paths for these Member States to get involved (Estonia).

– An EU framework establishing mechanisms for cooperation on preparedness and response amongst the Member States should be set up (France, Romania, Estonia, Germany and Finland). In particular:

· Cooperation between the Member States should be underpinned by confidentiality agreements and mechanisms to exchange sensitive data (Spain, Romania).

· Information exchange on good practices and expertise, and early warning and crisis management, including via cyber-incident exercises, should be promoted (Germany, Finland).

· Cooperation should be built on mutual trust (Germany, Finland).

· A functional and effective network of national/governmental CERTs in Europe, in which information is exchanged according to the necessary confidentiality standards, is needed (France, Romania).

· An approach focused on preparedness and prevention should use harmonised requirements regarding minimum security standards across the EU by maintaining the conditions for fair competition (Germany).

Moreover, the Member States:

– Expressed support for considering the extension of the security provisions in the regulatory framework for electronic communications to new sectors (France), with the appropriate involvement of the Member States in the related discussions (such discussions already took place within the EFMS).

– Expressed support for an EU initiative on NIS covering the ICT sector but also, in a horizontal manner, the ICT component virtually underpinning all sectors (Germany).

– Expressed support for the development of a risk management culture in the private sector (Germany).

The UK questions the merits of a regulatory intervention on NIS at EU level and favours a voluntary cooperation approach facilitated by the Commission. It has particular concerns about the extension of mandatory reporting requirements to sectors other than telecoms.

The European Parliament Resolution of 12 June 2012 on "Critical Information Infrastructure Protection: towards global cyber-security"[6] recommends that the Commission:

– "Propose binding measures via the EU cyber incident contingency plan for better coordination at EU level of the technical and steering functions of the national and governmental CERTs";

– "Propose binding measures designed to impose minimum standards on security and resilience and improve coordination among national CERTs";

– "Propose an EU framework for the notification of security breaches in critical sectors such as energy, transport, water and food supply, as well as in the ICT and financial services sectors, to ensure that relevant Member State authorities and users are notified of cyber incidents, attacks or disruptions".

2.3. Impact
assessment process

A first version of this impact assessment report was submitted on 13 June to the European Commission Impact Assessment Board and discussed at a meeting convened on 5 July 2012. A revised version of the impact assessment was submitted on 15 October. This new version took into account the various comments from the Board, in particular: a better explanation of the relation between the problem and its cross-border dimension (Chapters 4 and 5); the insufficiency of existing policy measures to solve the problem; the integration of stakeholders' views on various aspects of the problem statement and on all key points of the preferred option; the identification of the sectors and players that would be covered by the preferred option (Chapter 7) and an estimation of the corresponding costs (Chapter 9 and Annexes 2 and 3) that highlighted with more precision the proportionality of the preferred option.

Following the opinion of the Board of 24 October, the following further amendments were made to this impact assessment:

· Insertion of a table showing the extent to which existing obligations address NIS issues and the gaps that still need to be addressed.

· A better explanation of the lack of motivation and incentives for companies and the public sector to invest in NIS (Section 4.1.5.2).

· A description of the nature of the risks in the sectors covered, including the extent to which and how networks and services may be affected (Section 4.1.4); strengthening the evidence base and better explaining the rationale for the choice of the relevant sectors in the preferred option (Section 4.1.4).

· Additional details on the content of the preferred option (Option 2) and in particular on what NIS risk management requirements would entail in practice (Section 7.2).

· A better explanation of the reasons for not considering other combinations of "soft" and "regulatory" approaches (Section 7.3).

· Improved assessment of the social/employment impact, of the impact on competitiveness, in particular for the preferred option, and of the impact on international cooperation (Section 8 on Assessment of impact of the Options).

· A description and rough estimate of the benefits (i.e. decreasing the cost of NIS incidents and the improved level of security) (Section 9).

· Insertion of a summary table of all costs and benefits per option (Section 9).

· Insertion of a summary of the questions asked and of the responses received in the public consultation (Annex 1).

· Inclusion of the views of stakeholders throughout the text and in the preferred Option.

· Inclusion of the indication of the tools for monitoring and evaluation (Section 10).

3. Policy
context in the area of NIS

The increasing importance of NIS for our economies and societies was recognised for the first time by the Commission in a Communication from 2001[7]. The approach adopted so far by the European Union in the area of NIS has mainly consisted in the adoption of a series of action plans and strategies urging the Member States to increase their NIS capabilities and to cooperate to counter cross-border NIS problems. Annex II provides a description of the "Action plans and strategies adopted so far in the field of Network and Information Security in the EU".

Companies, with the exception of telecommunication operators (‘undertakings providing public communications networks or publicly available electronic communications services’[8]), and public administrations are not subject to NIS requirements and are not required to report security incidents[9].
4. Problem statement

4.1. Problem definition: What is the problem?

The problem can be described as an overall insufficient level of protection against network and information security incidents, risks and threats across the EU, undermining the proper functioning of the Internal market. The problem is further detailed in the following sections.

4.1.1. Disruptions to the EU internal market

Given that networks and information systems are interconnected and given the global nature of the Internet, many NIS incidents transcend national borders and undermine the functioning of the internal market. The effects of an incident originating in a particular country, if not appropriately contained, may spread quickly to other countries. Even incidents that are local by nature may have unforeseen consequences across borders, e.g. the disruption to a major airport's IT systems may affect air traffic across Europe.

Cross-border services can become unavailable, suspended or interrupted due to security breaches. eBay has experienced web-based attacks that have made all or portions of its websites unavailable for periods of time in 2010, and likewise PayPal[10], thereby affecting e-commerce in the internal market.

The case of Diginotar illustrates the risks posed by unreported security breaches. The Dutch certification company Diginotar did not report that its systems were hacked and did not revoke the digital certificates (i.e. the certificates ensuring the security of communications over the Internet) that were fraudulently issued. This resulted in a large number of invalid certificates circulating online, compromising the security of Internet services and eventually affecting trust in the Internet. A report[11] by the security firm Fox-IT, which investigated the case, found that there were a number of problems in the security practices of the company, revealing the need for better risk management and mitigation practices. It must be borne in mind that in the aftermath of the Diginotar incident, the Dutch Government acknowledged that "the risk of security breaches affects the internal market […and] hampers cross-border services and product supplies". For this reason the Dutch Government is preparing a system of mandatory security breach notifications for relevant critical infrastructure and national services[12].

In January 2011, the Commission had to suspend trading in the Emissions Trading System due to security breaches at national registries[13], and companies were prevented from selling and buying emission allowances within the EU.

In the wake of past incidents, Member States are starting to introduce their own regulations. As already remarked, the Netherlands is considering introducing security breach notification requirements, and Luxembourg[14] has introduced a disclosure requirement for incidents that can have financial consequences for the companies concerned. The UK has taken a sector-specific approach to put in place reporting requirements for critical sectors such as finance, energy, transport and health. Uncoordinated regulatory interventions may result in fragmentation and give rise to Internal market barriers, generating compliance costs for companies operating in more than one Member State.

Those businesses which replied to the public consultation emphasised the role that the EU could play in creating a truly integrated and harmonised internal market for NIS products and services, and the existence of market barriers which undermine cybersecurity across the EU.

4.1.2. Rising
number, frequency and complexity of NIS incidents, and incomplete view of their frequency and gravity The availability, authenticity, integrity and
confidentiality of information and networks can be compromised due to various
causes, such as natural events, human errors or malicious attacks. The outcome of the public consultation
confirms the seriousness of the problem, in particular: 56.8% of
the respondents reported having experienced over the
last year NIS incidents (caused by human mistakes, natural events, technical
failures or malicious attacks) which have had a serious impact on their
activities. 27.8% of
the respondents to the public consultation affirm that human/technical errors
are very frequently the cause of NIS incidents, and 39.6% affirm that this is
the case quite frequently. 40.8% of
the respondents to the public consultation affirm that malicious attacks are
quite frequently the cause of NIS incidents. 36.1% of
the respondents to the public consultation affirm that software/hardware
failure is quite frequently the cause of NIS incidents. 47.3% of the respondents to the public consultation affirm that third
party/external failure is quite frequently the cause of NIS incidents. The flooding
of the river Elbe in 2002[15]
illustrates how communications systems can be disturbed by a natural disaster. Human
error or ignorance can also be the cause of cyber incidents by leading to
accidental events. In August 2012 a sub-sea cable was mistakenly snapped
between the UK and the Netherlands causing certain Internet Service Providers,
e-commerce service providers and customers to be cut off the Internet for more
than 24 hours[16].
Incidents of this kind (cable cuts) had already happened in the Mediterranean in
2008 and in the Suez canal in 2011. The human
factor is of the utmost importance for NIS. Non-compliance with security requirements
(e.g. by negligence or distraction, using infected USB sticks, opening
unsolicited e-mails, failing to apply security patches or revealing passwords)
can cause an outage or facilitate the intrusion of malicious software. The spread of malicious
software (malware) and malicious attacks have been increasing steadily. Web
based attacks increased by 36% in 2011 compared to 2010 and the total number of
attacks by 81%. Malware can mutate as they spread, and attackers are able to
generate an almost unique version of their malware for each potential victim[17], which makes their detection
ever more challenging. Figure 1 shows the raise in the number of incidents
reported to the US-CERT in 2006-2011. Figure 1: Incidents reported to US-CERT:
Fiscal Years 2006-2011[18] In addition to the elements presented above, there is reason to
believe that a large proportion of attacks go unnoticed. The recent outbreak,
in late May 2012, of the ‘Flame[19]’
cyber-spying software, revealed that malware can be spreading undetected over a
number of years. There is moreover reason to believe that only a fraction of
incidents, when discovered, are disclosed. The
reluctance to disclose comes from the potential significant damages for the organizations
involved, including reputational damages and loss of business opportunities. The lack of
information on incidents slows down the capability to react and take the
appropriate mitigating measures, in particular in cases where the incident has
repercussions outside the organisation and the other parties affected are
unaware of an imminent threat or an incident/intrusion that has already taken
place. The most
serious of these cross-border incidents may be the state-sponsored stealthy
attacks such as ‘Shady Rat’ etc.[20],
where the same techniques are applied in one country then another. Trusted sharing
of information about such attacks could help prevent attacks spreading to further
countries.
4.1.3. Affecting all actors in the society and economy
Over the last
decade, the digital ecosystem has become essential to economic growth and
societal welfare. It has enabled the creation of high-quality jobs and supported
smart and sustainable economic growth. Indeed, the
ICT sector is one of the growth engines of the EU. In Europe, the ICT sector
and investments in ICT deliver around half of our productivity growth. The
World Bank estimates that with 10% increase in high speed Internet connections,
economic growth would increase by 1.3%. The ICT sector alone represents almost
6% of the European GDP[21]. Public administrations, businesses and consumers reap huge economic
and social benefits from the usage of ICT, including online services. Because of the critical role of networks and information systems, possible
failures or attacks could impact all parts of society – Member
States/governments, organisations/business and citizens/consumers. Security incidents are capable of rendering critical
government functions unavailable for several days, as demonstrated by
the cyber-attacks against Estonia in 2007, which severely
affected not only the provisioning of online services such as e-government and
e-banking within the country, but also prevented citizens from accessing online
services across borders. EU institutions have
been the target of attacks in 2011 and 2012. Businesses and other organisations can
be seriously affected if the networks and information systems underpinning
their industrial processes are compromised. In 2009, 16 % of enterprises
in the EU-27 had experienced some kind of NIS incident[22]. Incidents can be costly. The
cyber-attacks targeting Sony in April 2011 cost the company nearly $175 million[23]. An
outage that affected BlackBerry in 2011 cost the company $50 million[24]. Beginning in July 2009, two U.S. stock exchanges
were victims of cyber-attacks[25].
The remote attack temporarily disrupted public websites. In September 2012, six
major US banks were hit by cyber-attacks[26].
The loss of intellectual property, trade secrets and financial data ensuing
from cyber-attacks also results in considerable losses for the businesses concerned.
The UK estimates the loss of intellectual property to be the largest cost category,
accounting for 30% of total losses, resulting from illegal intrusions and
cyber-crime, with identity theft and loss of customer data accounting for a
much smaller proportion of losses[27].
Consumers can face interrupted e-mailing, instant messaging and browsing services, as was the
case in October 2011, when BlackBerry
handsets were affected by a network outage at one of its data centres in the UK and almost all of its 70m users worldwide experienced problems at some point during the three
days that the incident lasted[28]. In January 2010, German card holders were suddenly unable to
conduct banking or ATM withdrawals and purchases with their bank cards both at
home and abroad, due to software problems in the microchips. In the EU, nearly
one third of users have already been confronted with a computer virus (or
similar infection). Also, 74% of EU Internet users in 2012 think that the risk
of becoming a victim of cybercrime has increased in the past year[29]. 82.8%
of respondents to the public consultation expressed the view that users of networks
and information systems are not sufficiently aware of the level of NIS threats
and incidents. 84% of the respondents affirmed that businesses, governments and
consumers in the EU are not sufficiently aware of the behaviour to be adopted to
minimise the impact of the NIS risks they face.
4.1.4. Sectors where the well-functioning of network and information security is key to preserve the well-functioning of the internal market
While the problem described above affects all actors of society and
economy in the EU, a number of sectors and a number of infrastructure and service
providers in those sectors are particularly vulnerable, due to their high
dependence on correctly functioning network and information systems and due to
their essential role in providing key support services for our economy and
society, including health, safety, security and the economic and social
well-being of people. As a result, the security of their systems is of
particular interest to the functioning of the Internal Market. The public
consultation underlined the importance of ensuring the security of network and
information systems, in particular for the following sectors:
· Energy – 89.4% of respondents
· Transport – 81.7% of respondents
· Banking and finance – 91.1% of respondents
· Health – 89.4% of respondents
· Internet services – 89.1% of respondents
· Public administrations – 87.5% of respondents
At the same time, 31% of respondents (both business and consumers) to the public
consultation stated that they have no process in place to manage NIS risks. Also, 54.2%
stated that they have no budget dedicated to NIS. All the
sectors, which provide services which are key for the functioning of our
economies and well-being of our society, rely heavily on network and
information systems. Banking
activities should be secured since banks are the backbone of our financial
system and because they are common targets of fraudsters. Indeed there are
signs that attacks are increasing in this sector. McAfee reported recently[30] that fraudsters, using
malware, and replicating the same scheme in several countries, have attempted
to steal up to €2 billion from accounts in Europe, the United States and Colombia. Consumers and businesses using online banking
have increasingly experienced theft, particularly through viruses infecting
their computers. Especially in this sector, we observe an
increasing usage of third party business applications (such as those used for mobile
banking). These applications, which are often cloud-based, are not part of the
network and systems of the credit institution, which has no control over their
security. Stock
exchanges increasingly adopt networks and information systems and
Internet-based commerce systems. Accidental disruptions or malicious attacks
affecting the stock exchange in a country or affecting particularly critical stock
exchanges such as the ones in London, Paris or Milan may have very significant impact
on trade both in the internal market and internationally. In 2010 the London Stock Exchange experienced a serious cyber-attack
at its headquarters, which compromised its trading system[31]. Generation, transmission and distribution of energy are highly
dependent on secure network and information systems. Ensuring the resilience of
utilities is particularly important since virtually all other sectors and the
well-being of our society depend upon them. For
example, many major gas companies suffer an increasing number of cyber-attacks motivated
by commercial and criminal intent. These attacks are posing a great risk to
machinery, which can cost lives, stop production and cause environmental damage.
The same considerations are valid for other network industries, such
as air, maritime transport and railways and for key transport infrastructure,
such as airports, ports, railways, and traffic management systems and logistics.
For example, aviation infrastructure (including
ground and in-flight Air Traffic Management) relies on continuous and
uninterrupted information flows and databases, which cannot be allowed to fail.
Airports and border gateways are dependent on information assurance regarding
data, control systems, networks and protocols that support the effective
functioning of aviation[32].
Both the energy and the transport sector heavily rely on Industrial
Control Systems (ICS), i.e. complex computer and
information systems that can be located either in one site (e.g. power plants)
or distributed over a geographical area (energy and transport networks). There are numerous interconnection
points between ICS, including over the Internet,
and securing them is of the essence. Also, many ICS were designed in the past
without anticipating the security threats posed by technological advancements. For
example, remote control of ICS is often performed from ordinary laptops or other
mobile devices which may have a lower level of security than the rest of the
system. The
Expert Group on Security and Resilience of Communications Networks and
Information Systems for Smart Grids recently concluded in its report to the
Commission that "Electricity Critical infrastructures converging with
ICT-infrastructures require scenario-building that includes consideration of
highly unlikely types of events. ICT security considerations need to be
integrated within the wider risk management of the whole grid. ICT is therefore
needed to carry out a risk analysis, and to define high level security
requirements to enhance the security and resilience of ICT for Smart
Grids."[33]
Such risk analysis will build upon the positive results of the Commission-led
Smart Grids Task Force. The Commission supports the work of the Smart Grids
Task Force's Expert Group on Privacy, Data Protection
and Cybersecurity, where stakeholders from the energy and ICT sectors are
developing a cybersecurity assessment framework, which includes the identification of Best Available Techniques (BATs) for smart
metering systems as well as the evaluation of methodologies for a trustworthy
network sharing vulnerabilities and threats analysis of Smart Grid and Smart Metering
systems. Hospitals and clinics are becoming more and more reliant on sophisticated
ICT systems which need to be secure to ensure continuity of service and avoid fatal
disruptions. The proliferation of electronic medical
devices presents unique challenges in ensuring that only known, authorized
devices are able to connect to the network. Also, personal health and financial information is often a target of
cybercrime, particularly as the healthcare
industry continues its conversion process to full patient electronic medical
records. Networks, mobile devices, workstations,
servers and medical devices are particularly critical in this regard and
securing them is of the essence. It is important to ensure the security of Internet companies (e.g.
cloud providers, social networks, e-commerce platforms, search engines), which
provide key inputs enabling important economic and societal processes. This is
essential to preserve trust in the digital ecosystem. It is key to ensure the resilience and reliability of public on-line
services to citizens to build and preserve their trust in e-government. E-Government and e-participation are increasing with citizen demand
for timely and cost- effective services and so are the NIS risks for state and
local administrations. The risk of public online
services being hindered by NIS problems exists at all levels of government. Finally, there are NIS problems that are common to all the sectors
referred to above. For example, malware is one of the most significant threats
as it may disable security or other software in an organisation and cause a
breach or a gap that can be exploited by external parties. Also, exposure to threats grows as companies and public administrations
invest in technologies like mobile, social, and cloud. Notably, due to the increasing use of mobile devices and
applications, employees in virtually all sectors can now access corporate data
and look at it remotely without necessarily complying with the security
policies and controls of the organisation. Also, in all the sectors identified above, ensuring NIS in large companies and in SMEs is equally critical. Small and
medium businesses have become the low-hanging fruit for cyber criminals and
they need to be secure given that we are as strong as our weakest link. On the
other hand, micro companies are less critical for the overall continuity of the
services, given that incidents affecting them may not have as wide-reaching an impact on society as those
affecting larger businesses.
4.1.5. What will happen if further measures are not adopted
4.1.5.1. Undermined consumer confidence in the internal market
The number of NIS incidents and their negative consequences will continue to increase and this will have
a negative effect on the use of online public and private services, on consumers'
trust in the on-line economy and in the integrity of the Internal Market. The 2012
Eurobarometer on cyber-security found that 38% of users had concerns with the
safety of on-line payments and have changed their behaviour because of concerns
with security issues: 18% are less likely to buy goods on-line and 15% are less
likely to use on-line banking[34].
The perceived lack of security on the Internet is thus having a negative effect
on the functioning and development of the Internal Market. It is estimated
that, by stimulating the development of the digital single market, Europe could gain 4% GDP by 2020[35].
This GDP increase corresponds to a gain of almost €500 billion (€494 billion)
or more than €1,000 for every citizen. In a time of economic downturn, this is
not negligible.
Figure 2: Reasons for Internet users not buying on-line in the EU countries, 2009. Percentage of individuals with Internet access that did not buy on-line in the last 12 months
4.1.5.2. Insufficient business investments in NIS
Currently, businesses lack effective
incentives to conduct serious risk management which involves the adoption of
appropriate NIS measures (see also the relevant responses to the public
consultation provided in Section 4.1.3). From an economic perspective security
is an externality leading to a market failure[36],
i.e. market players do not see the economic rationale to bear the full social
costs of increasing the level of security but rather prioritise time-to-market
or a low pricing for their end products. By leaving the decision on the level
of security entirely to market players the societal benefits of a more secure
digital environment would not be fully reached. Often companies consider
NIS a purely technical matter and do not address it as a key component of
their business strategy, as a lynchpin for safeguarding their most precious
assets notably intellectual property, financial information, and their reputation.
Companies are often unaware of the risks faced until significant incidents
occur and hence only adopt a reactive approach when circumstances require it. The
same considerations apply to public administrations which do not yet see the
importance of investing in NIS to ensure the continuity and reliability of the
public services they provide more and more online. According to Eurostat[37], by January 2012, 26 % of
enterprises in the EU-27 had a formally defined ICT security policy with a plan
for regular review; this share rose to over 50 % among those enterprises
whose principal activity was information and communication activities. As shown
in Figure 3, among the Member States, the highest shares of enterprises with a
formally defined ICT security policy were recorded in Sweden and Denmark where more than two fifths of enterprises had such policies. The lowest shares of
enterprises with a formally defined ICT security policy were on the other hand
recorded in Bulgaria, Hungary, Romania, Poland and Estonia.
Figure 3: Enterprises having a formally defined ICT security policy with a plan of regular review, EU-27, January 2010 (% of enterprises) - Source: Eurostat (isoc_cisce_ra)
Businesses are often unaware of the IT
security risks faced and are overconfident about their actual level of
protection; they perceive security costs as too high and see no business case for
the return on investment on security[38].
Indeed, businesses fail to see the potential savings induced by NIS investments. For example, the Ponemon 2011 Cost of Data Breach Studies for France, Germany and the UK showed that by appointing a Chief Information Security Officer (CISO)
businesses could save up to half of the cost of a data breach. The CSI 2007
Computer Crime and Security Survey found that the majority of companies (61%)
allocate 5% or less of their overall IT budget to information security. Despite the increasing number of web-based
attacks, only 20% of businesses use a secure protocol for the reception of
orders via the Internet[39]. As shown in Figure 4, small and
medium-sized companies in the EU adopt fewer NIS measures than large companies.
Figure 4: Enterprises using internal security facilities or procedures, EU-27, January 2010 (% of enterprises) - Source: Eurostat (isoc_cisce_fp)
4.1.5.3. Lack of credibility in the international scene
Without further actions at EU level, the
Member States will act individually and will cooperate largely on a bilateral,
multilateral or regional level. This would reduce the credibility of the EU at the
international level, which would lead to the decay of existing cooperation
arrangements, i.e. the EU-US Working Group on Cyber-security and Cybercrime[40] and would hinder discussions
with other international partners. This will represent a lost opportunity to
coordinate activities at global level and to achieve higher efficiency in
addressing the problems. Furthermore, higher credibility in NIS could boost economic potential and as such support the Internal Market.
4.2. Problem drivers: What is the reason behind the problem?
The problem of an insufficient
level of protection against network and information security incidents, risks
and threats across the EU undermining the proper functioning of the Internal
Market stems from a range of factors.
4.2.1. Uneven level of capabilities across the EU[41]
Member States have very different levels of capabilities.
This situation hinders the creation of trust among peers in the Member States
which is an important prerequisite for cooperation and information sharing. While
research[42] suggests that certain Member States have now reached a high level
of spending on NIS, some others have not. According to a market study[43], Member States can be divided
into four groups on the basis of the maturity of their NIS markets:
Group 1, the Champions: Denmark, Finland, the Netherlands, Sweden, the United Kingdom
Group 2, the Pillars: Austria, Belgium, Germany, Luxembourg, France, Ireland
These two clusters together account for 69% of the EU GDP but 82% of total security
spending. These clusters are characterised by high average security spending, a
strong presence of high-profile security business users, and greater adoption
of advanced security solutions.
Group 3, the Runners Up, includes the Southern European countries Cyprus, Greece, Italy, Malta, Portugal and Spain, as well as the Czech Republic, Hungary and Slovenia. This cluster shows
some delay compared with the advanced clusters but a good potential for growth. They
represent 30% of the EU population, 26% of EU GDP but 16% of the total EU NIS
revenues.
Group 4, the Learners: Bulgaria, Estonia, Latvia, Lithuania, Poland, Romania, Slovakia. This cluster
includes the remaining Member States with the lowest level of NIS spending and
maturity. It represents 5% of EU GDP but only 2% of NIS revenues, and shows a
low number of connected PCs, with very low average security spending per
connected PC.
Moreover, important considerations can be
made following the stocktaking exercise that VP Neelie Kroes conducted across
the Member States. The table below summarises the information provided by the
Member States to Vice-President Kroes on their national capabilities. According
to the information received, only group 1 countries and a large majority of
group 2 countries have a level of preparedness which corresponds to the targets
pursued by the Commission since 2009 (CIIP Action plan and CIIP Communication
of 2011).
Group of countries || N/G CERTs || CERTs EGC[44] group || NIS Strategy || Contingency/Cooperation Plan
1 - DK, FI, NL, SE, UK || DK, FI, NL, SE, UK || DK, FI, NL, SE, UK || DK*, FI, NL, SE, UK || DK, FI, NL, SE, UK
2 - AT, BE, DE, FR, IE, LU || AT, BE, DE, FR, IE*, LU || AT, DE, FR || AT, DE, FR, IE, LU || AT, DE, FR, LU
3 - CY, GR, IT, MT, PT, ES, CZ, HU, SL || CY*, GR, IT*, MT, PT*, ES, CZ, HU, SL || ES, HU || CY, EL, ES, CZ, HU || CY, EL
4 - BG, EE, LV, LT, PL, RO, SK || BG, EE, LV, LT, PL, RO, SK || || EE, LV, LT, PL, RO, SK || EE, LV
* In the process of adoption
4.2.1.1. Preparedness
Public sector players dealing with NIS in the EU include a large variety of ministries, agencies and National Regulatory
Authorities[45].
The existence of a plethora of bodies, each with different competences and
responsibilities, makes it difficult for the Member States to identify their counterparts
with whom to cooperate in other Member States. Not all the Member States have an
operational national/governmental CERT in place to handle NIS incidents and prevent them from happening by monitoring threats. This uneven level of
preparedness hinders cooperation on a European scale, as confirmed by a study
undertaken by ENISA in 2012[46].
The European Government CERTs (EGC) group,
which performs operational tasks, comprises only 10 Member States, which are
the top performers. As indicated in the group's website[47]: "Its members effectively
co-operate on matters of incident response by building upon a fundament of
mutual trust and understanding due to similarities in constituencies and
problem sets". Only some Member States have to date adopted national
cyber security strategies.
4.2.1.2. Response
Not all Member States have in place a cyber-incident
contingency/cooperation plan, providing protocols for communications and
coordinated action in crisis situations, and not all the Member States have carried
out or regularly carry out cyber incident exercises, which are major tools
to put in place and test response capabilities. All the Member States, supported by ENISA,
have participated in the first pan-European cyber-incident exercise in 2010
(Cyber Europe 2010[48]).
According to the evaluation report of the exercise, the communication protocols
differ from one Member State to another and there is hence a need for harmonisation
of the existing communication processes, which also need to be made more secure[49]. In any serious crisis situation affecting networks
and information systems, an appropriate response is vital and time critical. When
threats or incidents have potential or actual cross border-nature, they need to
be handled by the Member States in a coordinated and timely manner.
4.2.2. Insufficient sharing of information on incidents, risks and threats
Most security breaches go unreported and
unnoticed mainly due to the reluctance of companies to share this information
because of fear of reputational damages or liability. Often, people responsible
for NIS share related information only with small groups they trust rather than
going through official channels. The insufficient sharing of information on
threats and risks results in sub-optimal preparedness; the insufficient sharing
of information on incidents results in sub-optimal response. The unavailability
of reliable data and information on NIS threats and incidents makes it difficult for governments to conduct evidence-based policy
making and to respond in a timely manner to incidents affecting governments' networks. The lack of NIS data and information does not
allow appropriate analysis to be conducted or statistics to be compiled that could be
used to raise awareness of the rising threats and to plan appropriate measures
to tackle them. There is currently also no framework for
trusted information sharing on security threats, risks and incidents amongst
the Member States and between the private and the public sector. The UK stressed that mandatory reporting of security breaches may be a disincentive for those
governments and businesses that are highly advanced in terms of NIS and that already pursue voluntary and cooperative arrangements. The UK would also favour a sector-specific approach to NIS given that risks and impact of incidents may
differ from one sector to the other. 38% of respondents
(both business and consumers) to the public consultation considered that
effective sharing of information on threats and incidents would be best
achieved by a requirement to report significant NIS security breaches to the
national competent authority while 37% considered that it would be best
achieved by stronger public-private cooperation mechanisms.
5. Effectiveness of existing measures
5.1. There are loopholes in the existing regulatory framework
The only sector where companies are currently required under EU law
to take NIS risk management steps and to report serious NIS incidents is the electronic
communications sector[50].
The regulatory framework for electronic communications[51] requires providers of public
electronic communications networks and services to appropriately manage the
risks posed to the security of their networks and services to prevent and
minimise the impact of security incidents on users and interconnected networks.
It requires providers to notify the competent national regulatory authority of
a breach of security or loss of integrity that has had a significant impact on
the operation of networks or services. These provisions had to be transposed at
national level by 25 May 2011. However, all players relying on network and information systems face
security risks. This leads to an uneven playing field since the same incident
affecting for example a telecommunications provider and a company providing
voice over IP services would have to be notified to the national competent
authority in the former case, but not in the latter. Directive
95/46/EC of the European Parliament and of the Council of 24 October 1995 on
the protection of individuals with regard to the processing of personal data
and on the free movement of such data[52]
requires controllers of personal data to implement
appropriate technical and organisational measures to protect personal data.
Having regard to the state of the art and the cost of their implementation,
such measures shall ensure a level of security appropriate to the risks
presented by the processing and the nature of the personal data to be
protected. In 2012, the Commission proposed a major reform of the EU legal
framework on the protection of personal data[53].
Article 30 of the proposed General Data Protection Regulation[54] requires the data controller
and the data processor to implement appropriate
technical and organisational
measures to ensure a level of security appropriate to the risks represented by the processing and the
nature of the personal data to be protected, having regard to the state of the
art and the costs of their implementation. The controller and the processor
shall, following an evaluation of the risks, take security
measures to protect personal data against accidental or unlawful destruction or accidental loss and
to prevent any unlawful forms of processing, in particular any unauthorised disclosure, dissemination
or access, or alteration of
personal data. All players
who are data controllers (e.g. a bank or a hospital) are hence already obliged
to put in place security measures that are proportionate to the risks faced. On
the other hand, data controllers would be required to notify only those
security breaches compromising personal data. A NIS breach affecting the
provision of the service without compromising personal data (e.g. an ICT outage
of a power company which results in a blackout) does not have to be notified. The
co-legislators are currently discussing the Commission proposal for a Directive
on attacks against information systems[55].
The proposed Directive focuses on penalising the exploitation of cybercrime
tools. This proposal covers only the criminalization of specific conducts, but does
not address the prevention of NIS risks and incidents, the response to NIS incidents and the mitigation of their impact. Council
Directive 2008/114/EC on the identification and designation of European
Critical Infrastructures and the assessment of the need to improve their
protection[56]
covers the energy and transport sectors. According to the Directive, the Member
States had to go through a process of identifying potential European Critical
Infrastructures (ECIs), with the help of the Commission if needed. The
Directive also requires operators of identified European Critical
Infrastructures to put in place security plans. The Directive does not put
obligations on operators to report significant breaches of security and does
not set up mechanisms for Member States to cooperate and respond to incidents. To
date, only a few European Critical Infrastructures have been identified as such
by the Member States. The vast majority of the energy and transport players
(e.g. airports, ports, electricity generators and gas distributors) are not
covered. In sum, the current rules do not require businesses other than
telecommunication companies to adopt security measures and to report NIS incidents that do not affect personal data. The Diginotar case referred to above
illustrates the limits of this approach. Another striking example is the BlackBerry
outage in 2011, which caused interruptions in basic communications services
such as e-mail and SMS but did not have to be reported since the company is not
a telecommunications operator and the incident did not compromise personal data.
Annexes 8 and 9 present the outcome of two specific benchmarking
exercises that directly relate to how different aspects of the problem drivers
have been dealt with in other sectors. More precisely, Annex 8 provides an overview of current (regulatory)
incentives for risk assessment and NIS in a number of sectors that strongly
depend on NIS for the supply of their services. It is concluded that, in
general, such incentives are insufficient in sectors other than the telecoms
sector. Annex 9 identifies and analyses a number of EU Early warning and
incident handling networks in sectors other than NIS. These networks are used
to share confidential information at EU level. Annex 8 provides useful insights
on how such networks have been set up in the absence of mechanisms for
effective cooperation at EU level.
5.2. The limits of a voluntary approach
The voluntary
approach followed so far has resulted in an uneven level of preparedness and
limited cooperation, as highlighted above. As a result the effectiveness of NIS capabilities varies considerably across the EU; cooperation takes place only amongst Member States who are well prepared, the others being left out or choosing themselves not
to be involved. The European
Forum for Member States (EFMS) facilitates policy discussions and exchange of
best practices between Member States. The limited remit of EFMS means that the
Member States do not share information on incidents, risks and threats within
the EFMS nor do they cooperate to counter cross border threats. The EFMS
has no power to require its members to have minimum capabilities in place. ENISA provides
support and advice to the Commission and the Member States with a view to improving the overall level of NIS in the EU. ENISA has, however, no operational
powers and, for example, cannot intervene to fix NIS problems. The external
evaluation[57]
of ENISA in 2007 concluded that the value added of ENISA is its ability to
provide an independent platform at the EU level for stakeholders and experts to
discuss and compare problems and solutions regarding NIS and that the consensual
view is that ENISA should be a well-established single European voice for
security but that it should not be given more powers or an operational role. In
addition, it must be borne in mind that there is no guarantee that the mandate of the Agency will actually be renewed after 2013. The European
Public-Private Partnership for Resilience (EP3R) is a platform which facilitates
the exchange of best practices among the Member States and ICT companies. The
EP3R has no formal standing and cannot require the private sector to report
incidents to the national authorities. A framework for trusted information
sharing and for communicating information on NIS threats, risks and incidents
is absent within the EP3R. It can be reasonably assumed that without providing further
directions to existing voluntary mechanisms, and specifically to the EFMS and
the EP3R, the interest and the added-value in participating will decrease and
this might lead to the possible dissolution of these mechanisms over time.

5.3. Approach in other regions of the world

Other regions of the world have adopted initiatives to address issues corresponding to the
main problem drivers identified in this impact assessment. In order to
raise the level of security of critical information infrastructures, the US established in 1998 the National Infrastructure Protection Center (NIPC). The National
Cyber-security and Communications Integration Center (NCCIC) is an umbrella
organisation set up in 2009 to coordinate national initiatives to address
threats and incidents, including the US-CERT, National Coordinating Center for Telecommunications (NCC), the National Cyber-security Center (NCSC), and DHS Office
of Intelligence and private sector partners from several ISACs. Along with
setting up dedicated capabilities of this kind, the US launched a series of
Information Sharing and Analysis Centers (ISACs) for critical sectors[58] (including electricity,
finance, health, maritime, ICT, nuclear, water), with the aim to ensure
information sharing on threats and vulnerabilities between public and private
sectors. The Industrial Control System Information Sharing and Analysis Center (ICS-ISAC) is the Private/Public center for knowledge sharing regarding
Industrial Control System[59]
(ICS) cybersecurity. The lesson
learnt from these experiences is that their effectiveness depends on the fact
that the private sector shares information with the government and vice versa. The US approach has inspired countries such as the UK, the Netherlands and Australia in setting up NIS capabilities. Although the US was first to establish a CERT already in 1988, the first
government CERTs were established in the late 90’s/early 2000’s in UK, France,
Germany, Netherlands and others and several of these came together to form the
European Government CERTs group (EGC). Regarding the reporting of security breaches, under US law a requirement for companies to report security breaches affecting critical infrastructures does exist (Data Security and Breach Notification Act of 2012). As a recent development,
the Division of Corporation Finance of the US Securities and Exchange
Commission released in 2011 guidance regarding public companies' disclosure
obligations relating to cybersecurity risks and cyber incidents[60], due to concerns for the
cyber-security risks faced by financial institutions. This shows that the US is now adopting an approach to cyber-security which covers key sectors where protection is
essential, such as finance. In Canada, "Industry Canada" is the lead agency for the Communications and Information
Technology Sector and is responsible for CIP and emergency management. It has
established the sector network – the Canadian Telecommunications Cyber
Protection Working Group (CTCP) – to promote industry-to-industry,
government-to-industry and industry-to-government co-operation in protecting
Canadian networks. Industry Canada and CTCP have also established the Canadian
Network for Security Information Exchange (CNSIE) to promote collaboration
between a larger community of cyber security stakeholders such as the
telecommunications, financial, energy, and vendor communities and government
departments. Regarding operational
cooperation, the Organisation of American States has attempted to establish a
‘hemispheric contact network’ of CERTs but as yet the initiative has not
flourished. In the
Asia-Pacific region, APCERT (Asia Pacific Computer Emergency Response Team) is
a group of 30+ CERTs, mostly government CERTs. Membership is voluntary. Japan's CERT capabilities were set up in 1996. JPCERT/CC coordinates with
network service providers, security vendors, government agencies, as well as
the industry associations and is acting as "CERT of CERTs" in the
Japanese community. JPCERT/CC helped to set up APCERT. Also relevant is the
Japanese Information-technology Security Center (ISEC) established in 1997 as
the public information sharing center for promoting information security in
Japan, and the recently created Cyber Security Information Sharing Partnership
(J-CSIP) providing a platform among critical infrastructures manufacturers. In Australia the "Trusted Information Sharing Network (TISN)" is a forum in which
the owners and operators of critical infrastructures work together, share
information on threats and vulnerabilities and develop strategies and solutions
to mitigate risk. It comprises seven critical infrastructure Sector Groups and
two Expert Advisory Groups, Communities of Interest (CoI) and a Critical
Infrastructure Advisory Council (CIAC). Stakeholders mentioned the Australian Internet Security Initiative (AISI) as a cost-effective initiative that black-lists IP addresses apparently compromised by malware and dispatches that information to relevant ISPs and their customers.

5.4. Need for EU intervention, subsidiarity and proportionality

5.4.1. The EU right to act – Legal basis

The Union is empowered to adopt measures with the aim of establishing or ensuring the
functioning of the internal market, in accordance with the relevant provisions
of the Treaties (Article 26 Treaty on the Functioning of the European Union - TFEU).
In particular,
Article 114 TFEU (former Article 95 EC) allows for the adoption of
"measures for the approximation of the provisions laid down by law,
regulation or administrative action in Member States which have as their
object the establishment and functioning of the internal market" (emphasis
added). Following the entry into force of the Lisbon treaty, the internal
market is among the areas of "shared competence" between the Union
and the Member States. The ECJ held
in Case C-66/04 that "by the expression ‘measures for the
approximation’ in Article 95 EC the authors of the Treaty intended to confer on
the Community legislature a discretion, depending on the general context and
the specific circumstances of the matter to be harmonised, as regards the
harmonisation technique most appropriate for achieving the desired result, in
particular in fields which are characterised by complex technical features.”
(Paragraph 45). Furthermore,
in the international roaming case C-58/08, the ECJ held that: “32. (…)
the Community legislature may have recourse to (art. 114 TFEU) in particular
where there are differences between national rules which are such as to
obstruct the fundamental freedoms and thus have a direct effect on the
functioning of the internal market (…) or to cause significant distortions of
competition (…). 33.
Recourse to that provision is also possible if the aim is to prevent the
emergence of such obstacles to trade resulting from the divergent development
of national laws. However, the emergence of such obstacles must be likely and
the measure in question must be designed to prevent them (…)." Several EU
legislative acts based on Article 114 TFEU are related to NIS, showing that the
EU legislator has already recognised the need to harmonise NIS rules to ensure
the development of the internal market. This was, in particular, the case for the ENISA regulation,[61] whose internal market legal basis was endorsed by the Court of Justice. The
Court recognised[62]
that [it] "was an appropriate means of preventing the emergence of
disparities likely to create obstacles to the smooth functioning of the
internal market in the area"[63];
and "the smooth functioning of the internal market risks being
undermined by a heterogeneous application of the technical requirements"[64]. Regulation
460/2004/EC, establishing ENISA, states in Recital 3 that "the technical
complexity of networks and information systems, the variety of products and
services that are interconnected, and the huge number of private and public
actors that bear their own responsibility risk undermining the smooth
functioning of the internal market". The 2010
Commission's proposal aimed at modernising and strengthening ENISA[65], currently under legislative
procedure, is coherently based on Article 114 TFEU. As remarked in the Impact
Assessment[66]
accompanying the recent proposal for Regulation on ENISA "Uneven national
policies and practices are a clear disruption of the internal market, due to
the clear negative externalities resulting from NIS (inadequate policies
impacting markets in other Member States), but also due to the positive
externalities of good NIS practices (good practices in one Member State positively
impact NIS as a whole, thus creating a clear societal good)". The
disparities resulting from uneven situations across the Member States in terms
of capabilities, planning and level of protection, constitute at the same time
a barrier to the internal market and justify EU action in cases with cross-border relevance, where coordination at the level of planning and at the level of response, including assistance, is needed. Furthermore,
information asymmetry and lack of transparency in the NIS market risk undermining
the supply by market operators and manufacturers of networks, services and
products as well as the trust of the users, which is one of the key drivers of
the internal market. Last, but not
least, well-functioning networks and systems are essential for the functioning
of our economy. Disruptions are increasing in frequency and magnitude undermining
achievement of the digital agenda, which would have direct negative consequences
for growth and jobs.

5.4.2. Subsidiarity test

Regulatory obligations are required to create a level playing field and close some legislative loopholes. A purely voluntary approach has resulted in
cooperation taking place only amongst a minority of Member States with a high
level of capabilities. In order to ensure cooperation encompassing all the
Member States it is necessary to make sure that all of them have the required
minimum level of capabilities. European intervention in the area of NIS is justified by the subsidiarity principle, due to the:

Cross-border nature of the problem

Given the cross-border nature of NIS threats and problems, a
complete non-intervention at EU level would lead to a situation where each Member State is left to only guard its own backyard, with disregard of the interdependence
between existing network and information systems. An appropriate degree of
coordination among the Member States, on the other hand, would ensure that NIS risks can be well managed in the cross-border context in which they also arise, and
therefore respects the subsidiarity principle. According to a recent study[67], differences in security regulations represent a barrier to operating in multiple countries and to achieving global economies of scale. These differences lead to replication costs (up to 27 times) for pan-European operators. Harmonisation could lead to some economies of scale, but these differences are more or less inherent to the level of discretion enjoyed by the individual Member States regarding security and privacy. Harmonising the implementation of regulation aimed at security and consumer protection is seen as an 'avoidable barrier'.

Effectiveness of the actions

Action at EU level would improve the effectiveness (and thus add
value) to existing national policies, where they exist, or would facilitate
their development. In addition, it is clear that concerted and collaborative NIS policy actions can have a strong beneficial impact on the effective protection of
fundamental rights, and specifically the right to the protection of personal
data and privacy. European citizens are increasingly entrusting their data to
complex information systems, either out of choice or out of necessity, without
necessarily being able to correctly assess the related data protection risks.
When incidents occur, they will therefore not necessarily be able to take
suitable steps, nor is it certain that the Member States would be able to
effectively address incidents with cross-border dimension in the absence of EU-wide
NIS coordination. For this reason too, further policy action at the EU level
seems to be widely justified.

5.4.3. Proportionality of the approach

The measures in
the preferred option do not go beyond what is needed to achieve the objectives
and do not impose disproportionate costs, as will be illustrated below. The costs (see
Section 8.2) that according to the preferred option would have to be incurred
by those Member States lagging behind to put in place the necessary
capabilities are not significant; for the others the costs will be negligible. The costs for ensuring
systematic cooperation amongst Member States according to the preferred option
would be small when compared to the economic and societal losses and damages
which may be caused by NIS incidents. As to the
private sector, should security requirements be set at EU level, they would
apply only to some sectors for which the public consultation (see Section
4.1.4) underlined the importance of ensuring the security of network and
information systems and markets and in which a serious NIS incident would have
a direct and real-time effect on the EU economy and society. In any event, as
indicated below, the measures proposed to ensure a basic level of protection would
be proportionate to risks faced and hence reasonable and generally
corresponding to the interest of the entities involved in ensuring continuity
and quality of their services. Moreover, many
of these companies, as data controllers (e.g. banks and social networks) are
already required by the current data protection rules to secure the protection
of the personal data they control. For these companies the additional costs of
the security requirements are likely to be marginal.

6. Objectives

The general objective is to increase the level of protection against network and information security incidents, risks and threats across the EU.

6.1. Overview of general, specific and operational objectives

Specific objectives || Operational objectives
1. To put in place a minimum common level of NIS in the MS and thus increase the overall level of preparedness and response. || – To ensure that all Member States are adequately equipped at national level both in terms of technical and organisational capabilities to prevent, detect, mitigate and respond to NIS risks, threats and incidents. – To ensure that all Member States develop and update national cyber security strategies and national cyber incident contingency/cooperation plans.
2. To improve cooperation on NIS at EU level with a view to counter cross border incidents and threats effectively. || – To ensure that national competent authorities share NIS information and best practices regularly. – To make sure that such bodies can exchange information cross-border in a reliable and confidential manner.
3. To create a culture of risk management and improve the sharing of information between the private and public sectors. || – To make sure that key private sector players and public administrations engage in assessment of the risks and risk management practices. – To ensure that NIS breaches with a significant impact are reported to the national competent authorities.

6.2. Intervention logic

The intervention logic, linking the main problem and the drivers behind this problem to the specific objectives, is illustrated in the next figure:

7. Policy options

The Policy options that have been considered in this Impact Assessment are: Business as usual, Regulatory approach and Mixed approach.

7.1. Discarded Option

The possible Option consisting of ceasing all EU activities on NIS has been discarded. The Option would imply stopping the actions under the CIIP action plan and dismantling EFMS and EP3R. All efforts
undertaken in the area of NIS would be left entirely in the hands of the Member
States and cooperation would remain limited to a small number of countries,
with virtually no mechanisms in place for increasing trust among all of them. The existing gap between the highly advanced and the less-advanced Member States would likely increase and so would the internal market failures associated with the divergences in the capabilities across the Member States. Such outcomes would not be consistent with DAE "digital single market" and Europe 2020 "smart and sustainable economy" objectives nor would it be efficient or effective for the Member States to tackle NIS cross-border problems on their own.

7.1. Option 1 – Business as usual (‘Baseline scenario’)

Under this
Option the Commission, with the assistance of ENISA, would continue with its
voluntary approach. With a view to putting in place a minimum common level of NIS in the Member States and thus increasing the overall level of preparedness and response,
the Commission would continue issuing Communications addressing the Member
States. Member States would be encouraged to set up well-functioning CERTs and
to adopt a national cyber incident contingency/cooperation plan and a national
cyber security strategy. In order to
improve cooperation on NIS at EU level, the Commission would recommend to the
Member States to establish a network of CERTs across Europe and to adopt a
European cyber incident contingency/cooperation plan. The Commission could also
dedicate specific funds for building up one or more secure communication
network across the EU. The remit of
the EFMS could be expanded to include discussions on the take-up of NIS best practices (e.g. how to best manage risks) by public administrations. The Commission would also continue to stimulate the creation of a culture of risk management and
improve the sharing of information between the private and public sector by
using platforms such as the EP3R. Under this
Option, ENISA would continue offering its support and expertise to the Member
States and to the private sector, for example by issuing technical guidelines
and recommendations on NIS capabilities and cooperation.

7.2. Option 2 – Regulatory approach

Under this Option, in order to reach a minimum common level of NIS across the EU and thus increase the overall level of preparedness and response, the Commission would propose to require all the Member States to:

· Set up a well-functioning national/governmental CERT, responsible for handling security incidents and risks according to a well-defined process and complying with essential requirements in terms of mandate and service provided. CERTs would need to have adequate staff and financial resources to carry out their tasks effectively.
· Appoint a national competent authority for NIS which would have a coordination role for NIS and act as a focal point for cross-border cooperation. The authority should be given appropriate technical, financial and human resources and be tasked with the elaboration of the national cyber security strategy (see below). The Member States may decide to have one single body acting both as a CERT and as a competent authority. The CERT would act under the supervision of the competent authority.
· Adopt a national contingency/cooperation plan defining protocols for communication and cooperation among relevant players at national level in case of NIS incidents of a certain scale.
· Adopt a national cyber-security strategy that would outline the strategic objectives and announce the concrete policy actions that each Member State intends to undertake to pursue a high level of NIS.

The
establishment of such a common and comparable level of capabilities would
be a precondition to enable cooperation across the EU. In order to improve
cooperation on NIS at EU level, the Commission would propose to mandate the national
competent authorities to form a network, together with the Commission, to
cooperate at EU level. ENISA would support the competent authorities in
their cooperation by providing its expertise and advice. Within the
network the competent authorities would exchange information on serious threats
and incidents and would cooperate via coordinated response to counter cross-border
threats and incidents. This would occur in organised fashion according to the European NIS contingency/cooperation plan that the Commission would adopt following consultation with the
Member States via Comitology. The competent authorities would also ensure timely
and regular publication on a common website of non-confidential information on on-going significant threats and incidents and on the coordinated responses adopted. To build capacity and knowledge in the Member States, the competent authorities would within the network exchange best practices, assist each other in building NIS capacities, and organise regular peer reviews and
pan-European NIS exercises. The exchange of sensitive and confidential
information between the competent authorities would take place through an
infrastructure ensuring security and confidentiality. The Member States would be able to access this
secure infrastructure following a decision of the Commission to be taken by
means of delegated acts and following assessment that the minimum NIS
capabilities at national level described above are in place. The transposition/implementation
period would allow the necessary delays for the Member States to comply with
the requirements on national NIS capabilities. Under this Option
the Commission would also propose to impose NIS risk management and reporting requirements
on public administrations (e.g. central ministries, local authorities, land
registries) and key private players thus creating a comprehensive framework to
stimulate the creation of a culture of risk management and improve the sharing
of information between the private and public sectors. More specifically, the
Commission would propose that operators in specific critical sectors, i.e.
banking, energy (electricity and natural gas), transport, health, enablers of
key Internet services and the public administration, be required to assess the
risks they face and to adopt appropriate and proportionate measures dimensioned to the actual risks. A detailed
list of the entities that would be covered is provided at the end of this
Section. An estimation of the actual number of those operators is provided
along with the cost assessment in Annex 3. Micro companies (i.e. companies with fewer than 10 employees[68]) would in any case not be in the scope of these obligations. This requirement mirrors the one set out in Article 13a&b of the Framework Directive for electronic communications and would hence contribute to ensuring a level playing field. In order to
give an indication of what this requirement may entail in practice, the ENISA
guidelines on the security measures in Article 13a of the Framework Directive[69] can be taken as a sample. The activities that could fall under this requirement are:

· Regular risk analysis of specific assets, for example information, software, physical assets, services and people. A number of standard methodologies exist for performing risk assessments, such as for example the ISO 27005 standard.
· Governance and risk management, including establishing and maintaining an appropriate security policy; a governance and risk management framework to identify and address risks; an appropriate structure of security roles and responsibilities.
· Human resources security, i.e. adopting security measures to enhance the security of personnel such as employees, contractors and third-party users. This may include background checks; ensuring that personnel have sufficient knowledge and follow regular training; a process for handling security breaches committed by employees.
· Security of systems and facilities, which may include establishing and maintaining physical and environmental security of facilities; security of supplies and supporting facilities such as electric power, fuel or cooling; appropriate (logical) access controls for access to network and information systems; appropriate security of network and information systems.
· Operation management, i.e. security of operation and management of network and information systems. This may include establishing and maintaining operational procedures and responsibilities and asset management procedures in order to verify asset availability and status.
· Incident management, i.e. establishing and maintaining standards and procedures for managing incidents. This may include establishing capabilities for detecting incidents and forwarding them to the appropriate departments within an appropriate time frame; processes for incident response and escalation; incident reporting and communication plans.
· Business continuity management, i.e. monitoring, testing and auditing of network and information systems, facilities and security measures, for example including policies for testing network and information systems.

Moreover, the
entities indicated above would be required to report incidents with a significant
impact on the services provided[70].
This would also be in line with Article 13a&b of the Framework Directive. These entities
would have to report to the national competent authorities those incidents
seriously compromising the operation of networks and information systems and
thus having a significant impact on the continuity of services and supply of
goods which rely on network and information systems. For example,
an incident affecting an e-commerce platform and preventing the conclusion of
on-line transactions over several hours would have to be reported. Likewise, a maintenance
incident of an information system of a power plant, which results in stopping
the distribution of electricity to a small city during several hours, would
also have to be reported. National competent authorities would be empowered to
request information, order security audits, issue instructions and carry out investigations
on the players covered. 44.4% of
respondents to the public consultation expressed the view that a requirement to
notify and report incidents to NIS authorities would
be needed to make private companies and public administrations systematically
report about cyber security incidents. 57.4% of
respondents to the public consultation expressed the view that support from NIS
authorities to respond to incidents would be needed to the same purpose. The reporting
of breaches would be tightly linked to the cooperation among the competent
authorities at EU level, given that the information fed to them would have to be
shared with other competent authorities via the network when it has an actual
or potential cross-border dimension. Also, competent authorities would have to
prepare annually a summary report on the notifications received that would have
to be provided to the Network. Under this
Option, ENISA would continue offering its support and technical expertise to
the Member States and to the private sector, for example by issuing technical
recommendations and guidelines on capabilities, on EU-level cooperation, on risk
management and on the reporting of NIS incidents.

Entities that would be covered by risk management and NIS incidents reporting obligations are (more detailed indications are provided in Annex 3):

· Energy (electricity market and gas market):
– Main electricity generating companies (i.e. those dealing with at least 5% of the country’s electricity or gas)
– Electricity retailers for final consumers
– Entities bringing natural gas into the country
– Retailers selling natural gas to final customers
The estimated total number of businesses affected in this sector would be approximately 4000.

· Transport:
– Air carriers (freight and passenger air transport)
– Maritime carriers (sea and coastal passenger water transport companies[71] and sea and coastal freight water transport companies[72])
– Railways (infrastructure managers[73], integrated companies[74] and railway transport operators[75])
– Airports (EU airports with more than 15.000 passenger unit movements per year)
– Ports
– Traffic management control operators
– Auxiliary logistics services (a) warehousing and storage[76], b) cargo handling[77] and c) other transportation support activities[78])
The estimated total number of businesses affected in this sector would be approximately 14600.

· Banking: credit institutions[79] and stock exchanges
The estimated total number of businesses affected in this sector would be approximately 7706 for credit institutions and 25-30 for stock exchanges.

· Health sector: hospitals including private clinics
The estimated total number of businesses affected in this sector would be approximately 15 000.

· Enablers of Internet services: these would include e-commerce platforms, social networks, search engines, cloud providers (Table 8 in Annex 2 provides a thorough indication of relevant players that would be in the scope). Software editors and providers would be excluded.
The estimated total number of businesses affected in this sector would be approximately 1400.

· Public administrations[80], including local administrations

It should be noted that this represents just an overall indication of the number of businesses that would be in the scope. Annex 3 provides a detailed analysis of the process that led to these
results. The importance of ensuring NIS in these
sectors has already been highlighted in Section 4.1.4 which also provides the
views of the respondents to the public consultation on the importance to set
NIS requirements for those who operate in these domains[81]. The same players should engage in NIS risk
management and report NIS incidents with a significant impact to national
competent authorities. Only those players operating critical
infrastructure and providing vital services relying on ICT significantly would
be subject to these obligations. As explained in section 4.1.4 given their
dependency on network and information systems, these players are particularly
vulnerable to NIS incidents. These sectors are also critical for the economy
and society and a serious NIS incident affecting them may produce significant
negative side costs and often impair the functioning of the internal market. In
many of these sectors a significant "network effect" can be observed, i.e. energy transmission or key online services are by definition provided over a network, the energy grid in the former case and the Internet in the latter.
For these reasons the spill-over effects of an incident may be more difficult
to contain. It can be reasonably
presumed that most of the players indicated above are, as data controllers,
already required under the data protection regulatory framework to implement
appropriate technical and organizational security measures to protect the
personal data they handle. The following players are also data controllers:
· Energy distributors;
· Air, maritime, railway carriers;
· Credit institutions;
· Hospitals and private clinics;
· E-commerce platforms, social networks, booking engines; payment systems; operators of cloud computing platforms (in many cases);
· Public administrations.

The table below (Figure 5) shows the extent to which existing obligations address NIS issues and what gaps would be filled by the preferred option.

|| Covered by existing EU legislation || Not covered by existing EU legislation
Measures to ensure a high level of NIS || Data controllers across all sectors to adopt technical and organizational measures to protect personal data (Article 17, Directive 95/46/EC) || Technical and organisational measures to secure network and information systems beyond the purpose of protecting personal data across all sectors
|| Providers of electronic communications networks and services to do NIS risk assessment and risk management (Article 13a&b, Directive 2002/21/EC) ||
|| Put in place security plans in European Critical Infrastructure in the energy and transport sector (around 20 infrastructures identified so far) (Directive 2008/114/EC) ||
Measures to cooperate at EU level || Where appropriate, the national regulatory authority concerned shall inform the national regulatory authorities in other Member States (Article 13a, Directive 2002/21/EC) || Cooperation at EU level among authorities dealing with NIS or among sector-specific authorities sharing information on NIS risks and incidents
|| Where appropriate, in particular if a breach of security or loss of integrity concerns two or more Member States, the supervisory body concerned shall inform supervisory bodies in other Member States and ENISA (Article 15, Proposal for Regulation on e-identification and trust services) ||
Measures to report NIS incidents || Notification of personal data breaches by data controllers across sectors to the supervisory authority and in specific cases to the data subject (Articles 31 and 32, Proposal for Regulation on data protection) || Notification of security breaches which do not involve breaches of personal data across sectors
|| Notification of personal data breaches by electronic communications providers to the competent national authority and in specific cases to the individual or subscriber (Article 4(3) of e-Privacy Directive 2002/58/EC) ||
|| Electronic communications operators to notify to the competent authorities breaches of security or loss of integrity with a significant impact on the operation of electronic communications networks and services (Article 13a, Directive 2002/21/EC) ||
|| Trusted service providers to notify to the competent national body breaches of security or loss of integrity with a significant impact on the trust service provided and the personal data maintained therein (Article 15, Proposal for Regulation on e-identification and trust services) ||
Figure 5: Table on existing regulatory gaps

7.3. Option 3 - Mixed approach

Under this
Option, the Commission would combine voluntary initiatives based on the
goodwill of the Member States, aimed at setting up or strengthening Member State
NIS capabilities and at establishing mechanisms for EU-level cooperation, with regulatory
requirements for key private players and public administrations on the adoption
of NIS risk management measures and the notification of NIS incidents with a
significant impact. With a view to
reach a minimum common level of NIS across the EU and thus increase the overall
level of preparedness and response, the Commission would encourage the Member
States, via Communications or Recommendations, to build national capabilities
and particularly CERTs, to appoint a national competent authorities
for NIS, to adopt national cyber incident contingency/cooperation
plans and to adopt a national cyber security strategy. In order to improve
cooperation on NIS at EU level with a view to counter cross border incidents
and threats effectively, the Commission would recommend to the Member States to
establish a network of CERTs across Europe and to adopt a European cyber
incident contingency/cooperation plan. The remit of information
sharing platforms such as EFMS could be further extended to include in
the public policy exchanges taking place therein also public authorities from critical
sectors such as banking, energy, transport or health. These soft
measures would be accompanied by regulatory requirements aimed at closing existing
regulatory loopholes and create a level playing field across the EU. In a view to
stimulate the creation a culture of risk management and improve the sharing of
information between the private and public sector, the Commission would propose
to legally require public administrations and key private players in specific
sectors (banking, energy - electricity and natural gas -, transport, health,
postal services, Internet services and public administrations, see Option 2) to
carry out risk management by assessing the risks they face and adopting
measures appropriate to meet those risks. In addition, public
administrations and key private players will have to report to national
competent authorities those incidents seriously compromising the operation of
networks and information systems and thus having a significant impact on the
continuity of services and supply of goods which rely on network and
information systems. These
regulatory requirements under Option 3 would hence be identical to those
imposed under Option 2 both regarding the targeted entities and for the
substance of the obligations. The remit of
EP3R could be further extended to include operators from additional critical
sectors such as banking, energy, transport or health and continue to be a
platform for the exchange of best practices between the public and the private
sector. Under this
Option, ENISA would provide support and technical expertise to the Commission,
the Member States and the private sector, for example by issuing technical
guidelines and the recommendations on capabilities and EU-level cooperation, as
well as on the take-up of risk management practises and on reporting security
breaches. This Option
could have also been designed in other ways. In particular, it could have
combined a regulatory approach for the Member States NIS capabilities and EU cooperation
and a voluntary approach for the adoption of NIS risk management and for the
reporting of NIS incidents by key private entities and public administrations. The reason why
this alternative combination was not considered is that a voluntary approach to
risk management and incident reporting does not work for the reasons given in
the Problem statement (i.e. insufficient business investments on security and
lack of incentive to share information on NIS risks and incidents despite the
worrying threat landscape). 8. Analysis
of impacts The assessment
covers, in addition to the level of security, the economic and
social impacts of the three options. It covers also the costs
which would be incurred under options 2 and 3. None of the
identified options will have impacts on the environment that can be predicted
with accuracy. 8.1. Option
1 – Business as usual (‘Baseline scenario’) The level
of security Despite the
existing policy initiatives, it is unlikely that all the Member States would
reach comparable levels of national capabilities and preparedness. The mechanisms for cooperation and coordination at EU level
would remain voluntary. In the absence of a minimum level of national
capabilities in all the Member States, there would be no guarantee that
cooperation involving all of them would take place. Lack of a framework and an
infrastructure for sharing trusted information, based on common confidentiality
requirements would also hinder such exchanges at EU level. Cooperation would
continue within closed circles of Member States trusting one another. This
would increase the gap between the high-performing and less-performing Member
States. The
high-performing Member States have the ability to help businesses on their
territories in detecting and responding to security incidents and this fosters
cooperation between the public and private sector. In less-performing Member
States market players' incentive to cooperate with the public sector will
continue to be limited. Only
electronic communication providers would continue to be bound to adopt risk
management practices and report breaches of security with a significant impact,
on the basis of Article 13(a) of the Framework Directive. All other relevant
market operators and public administrations would have no incentive to do so,
other than purely commercial ones for business. A level playing field would not
be achieved and regulatory loopholes would continue to exist. The lack of a comparable level of security and of
cooperation across the Member States may also hinder international cooperation since
it would be more difficult to present a common European position on NIS to
foreign partners. Instead, non-European NIS stakeholders would have to liaise
with the Member States (or just with some of them) on a bilateral basis, with
the risk of adoption of different approaches. This would constitute a
significant weakness in a domain where international cooperation is essential. Economic
impacts The impact would depend on the extent to which the Member
States would follow the Commission's recommendations. Given the voluntary
nature of this approach, the pace of development would vary significantly
across the EU. The insufficient level of security in the less developed Member
States would undermine their competitiveness and growth by discouraging foreign
companies from investing and doing business in these countries. Given the interdependency of European networks and systems
the negative impact of incidents, risks and threats on the EU economy as a
whole (and not only in the less-prepared Member States) would increase
overtime. Incidents related to NIS would become more and more visible to every
business and consumers. This would seriously undermine the confidence in
the digital environment and hinder the completion of the Internal Market. Without
improving the overall security framework in the EU we will not be able to
reverse the trend of increasing security incidents and minimise their impact.
Therefore, this option will come at a cost which, as indicated in specific examples in the problem statement, is potentially very high.

Social impacts

The continuation and expected aggravation of incidents, risks and threats would negatively affect the online confidence of citizens. The interests of citizens would be compromised when data are stolen, leaked, abused or corrupted due to a NIS incident, especially as no effective protection would be granted when the data do not qualify as personal data.

As more and more critical sectors depend on network and information systems (including health care systems, financial services and significant portions of the public sector), incidents compromising their resilience would undermine the availability of the services provided by these critical sectors, and this would cause significant societal harm.

Finally, with no harmonisation of NIS requirements within the Internal Market, employment in the information security industry will be hampered, as it may be economically advantageous for European companies to tolerate occasional NIS incidents rather than invest in security, including via hiring and training competent personnel. Employment levels would hence remain suboptimal under this Option.

8.2. Option 2 – Regulatory approach

The level of security

Under this Option, the protection of EU consumers, businesses and Governments against NIS incidents, threats and risks would improve considerably.

The obligations placed on Member States would ensure that all of them are adequately equipped, both in terms of technical and organisational capabilities and preparedness. A common minimum set of requirements would contribute to the creation of a climate of mutual trust, which is a precondition for any effective cooperation at European level. Secure and effective cooperation at European level would allow coherent and coordinated prevention of and response to cross-border NIS incidents, risks and threats.

The introduction of requirements to carry out NIS risk management for public administrations and key private players would create a strong incentive to manage and dimension security risks effectively.

The obligation for public administrations and key private players to report NIS incidents with a significant impact would enhance the ability to respond to incidents and would foster transparency. The availability of key data and information on NIS would also empower governments to carry out targeted analysis and compile statistics, and hence to use reliable information on NIS to set the most adequate priorities in this domain.

The regulatory option, by enhancing the level of security, would enable the EU to demonstrate leadership in the area of NIS and become a more authoritative and effective player in international fora and in talks with its main international partners. By doing this, the EU will be better positioned to export its values and interests, thus also improving the protection of European citizens, businesses and administrations against threats originating outside the EU.

Economic impact

As a result of the increased level of security across the EU, security problems would be more swiftly remedied and their impact diminished. The associated financial losses would also be reduced.

These benefits would be felt evenly across the EU, as potential divergences in national policies would be removed, thus enabling a level playing field and supporting the development of the Internal Market.

This would improve business and consumers' confidence in the digital world and the Internet and so create new opportunities for business and the digital economy. Users will feel more secure online and this will improve their trust in the Internet, to the benefit of the Internal Market.

In particular, the promotion of a risk management approach and a security culture would be beneficial to business and public administrations. Carrying out risk assessment would enable and incentivise them to efficiently allocate resources to manage NIS risks and would hence increase the value of the organisation to the public. Also, as businesses in the same sector would be required to implement similar security measures across the EU, businesses would compete on an equal footing.

Organisations would be better equipped to handle incidents and attacks, resulting in enhanced availability, reliability and quality of their services. This would raise the level of trust and satisfaction of those who use those services, increase profits and foster the development of the market. This is particularly important in markets requiring a high level of security, for example the one for eHealth applications and the emerging cloud computing market.

The promotion of an enhanced risk management culture would also stimulate demand for secure ICT products and solutions. This would create new markets and opportunities in the EU and capitalise on the European research investments by improving prospects for their commercial exploitation.

Social impact

A higher level of security would improve the online confidence of citizens, who would be able to reap the full benefits of the digital world (e.g. social media, eLearning, eHealth). These crucial services would become more attractive due to their improved reliability and availability. This can highly empower citizens in rural or remote regions with limited access to offline services.

Finally, this Option is very likely to boost employment of NIS personnel in the EU due to the requirements to conduct NIS risk assessments and adopt appropriate security measures.

It is worth stressing that, according to the "European Social Survey"[82], EU citizens find it important that governments ensure the safety of citizens against all threats. Moreover, in 2010, compared to 2008, an increase was observed in the percentage of citizens (67.2% against 63.2%) seeing a role for the government in ensuring safety against all threats.

Impact on competitiveness

Overall impact on the EU economy

In general, it can be expected that enhanced availability, reliability and quality of the services offered in critical sectors that rely heavily on network and information systems will benefit the competitiveness of the EU economy as a whole. For example, the availability of secure platforms for e-commerce and other web-based services could bring important economic benefits and allow a broad range of companies to bring new products and services to the market.

Sectoral competitiveness

Referring to the "Competitiveness proofing" toolkit[83], a distinction can be made between[84]:

· Cost competitiveness: the cost of doing business, which includes the costs of factors of production (labour, capital and energy);
· Capacity to innovate: the capacity of the business to produce more and/or better quality products and services that better meet customers' preferences;
· International competitiveness: the above two aspects could also be assessed in an international comparative perspective, so that the likely impact of the policy proposal on comparative advantages on the world markets is taken into account.

The impact on the competitiveness of the market of ICT security products and services can also be assessed.

Impact on competitiveness of sectors within the scope of the obligations

The impact in terms of cost competitiveness has been quantified[85] in Annex 2 on the compliance costs related to additional risk management measures and in Annex 3 on the administrative burden related to reporting significant NIS breaches. It can be concluded that the additional costs in general remain limited, since many measures have already been taken on the basis of existing regulatory obligations.

It may be expected that there will be an impact on the capacity to innovate of some of the entities within the scope. In some sectors, e.g. eCommerce platforms, booking engines and operators of cloud computing platforms, the new requirements could open opportunities to improve the features of current products or services (cf. 'capacity for product innovation').

Finally, regarding international competitiveness, this Option would not differentiate between domestic and foreign businesses operating in the EU. Competition in the internal market would be improved by creating a level playing field via an enhanced harmonisation of NIS requirements, improved consistency of NIS risk management measures and a coordinated response to incidents, enabled by a more systematic reporting of NIS incidents. For EU-based companies, the risk management measures (which are likely to result in compliance with international standards) could be considered as a competitive advantage when exporting products and services outside the EU (competitive advantage in the external markets).

Impact on competitiveness of ICT security products and service providers

Finally, a positive impact is also expected for the providers of ICT security products and services. First of all, demand is expected to increase. Furthermore, the development of specific security measures for the sectors within the scope, combined with a better harmonised approach at EU level, will allow for innovative product development and economies of scale.

8.2.1. Cost estimations

In order to estimate the costs for the Member States to set up national NIS capabilities and participate in EU-level cooperation, use was made of: 1) indications provided by the Member States during dedicated interviews, 2) comparable initiatives and 3) opinions of NIS experts.

In order to estimate the magnitude of the impact on businesses and public administrations, use was made of comparable data provided by Eurostat, in Commission reports on regulated markets and in statistics provided by sector-specific federations at European level.

It must be borne in mind that reliable data on actual investments in NIS are difficult to find, given that companies are generally reluctant to disclose them because of their confidential nature. Statistics on NIS expenditure of businesses are similarly scarce. It is difficult to assess how much is spent on NIS since it does not generally represent a separate budget line. Indications provided by Gartner[86] were used.

(a) Costs for the Member States associated with building up NIS capabilities and cooperation at EU level

The costs for NIS capabilities and cooperation would vary across the Member States, according to their respective current level of preparedness. For the three Member States that have not yet established national/governmental CERTs (Cyprus, Ireland and Poland), the estimated cost of putting in place the related infrastructure and services, based on interviews carried out with CERTs that are already operational, would be approximately 2.5 million EUR per CERT.

As regards NIS competent authorities, it is likely that Member States would choose to designate existing bodies as competent authorities and assign additional tasks to these bodies. The corresponding additional costs should be regarded in terms of Full-Time Equivalents (FTE). Those Member States which have a sufficiently staffed authority in place would incur no additional costs. Assuming that an average of 6 FTE per Member State (based on consultations with several national NIS bodies) would be required to carry out the tasks of a competent authority (i.e. developing and implementing a cyber-incident contingency/cooperation plan and a national cyber security strategy), the average cost would be 360 000 EUR per Member State. The total theoretical maximum cost would be 9.72 million EUR across the EU, and de facto lower, since a few Member States already have coordinating cyber security centres or bodies in place.

As regards pan-European cyber-incident exercises, the first Cyber Europe exercise coordinated by ENISA in 2010 created an operational cost of 150 000 EUR for ENISA, with future exercises being expected to cost around 300 000 EUR. A total of 150 experts from the Member States were involved in 2010. Assuming that each expert dedicated two full-time months on average to the exercise, the exercise would have required the equivalent of 25 FTE, or a total of 1.5 million EUR for all the Member States per pan-European exercise and 750 000 EUR for all the Member States per year, assuming that a pan-European exercise takes place every two years. This would mean a cost per Member State of 55 555 EUR per exercise.

The costs related to the cooperation among the competent authorities within the network would be limited to travel and subsistence expenses, and only when travelling would be required. Assuming two participants per Member State and three meetings per year with an average cost of 1000 EUR for travel and subsistence, the cost per Member State would stand at approximately 6000 EUR per year.

The costs related to the common website where the competent authorities would timely and regularly publish non-confidential information on threats, incidents and the response adopted would amount to a setup cost of 5000 EUR (estimating that it would take 25 days, with 2/3 technician time and 1/3 project manager time, to set up the website, including meetings, specifications, visual design, implementation and going online). This would be an EU-average manpower cost[87].
On a recurrent basis, the cost would be 200 EUR/month[88] and hence 2400 EUR/year for the EU (this would cover, among other things, hosting and the domain name). The costs for carrying out tasks linked to this website, e.g. providing content and promoting the website, would be covered by the costs for the competent authorities illustrated above.

The costs for establishing the physical infrastructure necessary for the sharing of information in the Network of competent authorities and CERTs would depend on whether the Member States would decide to use and adapt an existing infrastructure (e.g. sTESTA[89]) or to set up a dedicated new one. In the former case it has been estimated that the cost would be about 1 million EUR (based on the cost of the adaptation of the system that was developed by the JRC for the early warning and response system in public health) and could be borne by the EU budget, budget line 09.03.02 (to promote the interconnection and interoperability of national public services online as well as access to such networks - Chapter 09.03, Connecting Europe Facility – telecommunications networks), on condition that funds are available under the Connecting Europe Facility (CEF); alternatively, the related costs would have to be shared among the Member States. In the latter case (setting up a new infrastructure), the related cost has been estimated to be 10 million EUR per year for the EU as a whole (this is the cost currently incurred by the Commission in relation to sTESTA, which is provided by the French network operator Orange) and would have to be shared among the Member States.

(b) Compliance costs for public administrations and key private players

The additional NIS spending that would be required has been calculated as the difference between the target level of spending according to current best practices and the current actual spending in the various relevant sectors (taking into account the estimated annual natural increase in spending due to rising NIS threats). The target level adjusted by the natural increase in spending is 6.61% of a company's total IT spending. The total additional NIS compliance costs would hence be in the range from 1 to 2 billion EUR.

This estimation takes into account that most of the entities affected are already supposed to be compliant with existing security requirements, namely the obligation for data controllers to take technical and organisational measures to secure personal data, including NIS measures. Thus, the present Option would primarily entail new efforts and costs for entities which do not qualify as data controllers. The costs have hence been reduced by a certain factor to take into account existing spending on security.
Given that the magnitude of this reduction is hard to estimate with precision, different scenarios are taken into account: the numbers in bold in Table 5 indicate the total additional costs when a 70% cut is applied (left column) and when a 40% cut is applied (right column), respectively.

Table 5: Estimated additional spending for compliance with NIS risk management obligations

As regards SMEs[90], they are the backbone of the European economy, as they constitute more than 99% of all European businesses. A considerable number of these companies are micro-enterprises, i.e. companies which employ fewer than 10 people. They have been excluded from the scope since they do not have the scale, nor do they provide the services, that would fall within the scope of the requirements. Also, NIS incidents affecting micro-enterprises, and a consequent discontinuity of the services offered by these companies, may not have as wide-reaching an impact on society as incidents affecting businesses of larger size. For this reason, regulatory measures on these players would not be justified.

However, there are small (up to 50 employees) and medium enterprises (from 50 to 250 employees) to which the requirements would apply. Starting from the total compliance costs for the private sector (see Table 5), which range from 360 to 720 million EUR, the compliance cost per small and medium enterprise would fall in the range of 2500 to 5000 EUR. In carrying out the calculation, it has been assumed that small and medium enterprises account for 20% of the turnover of the private companies concerned by the regulation and represent 68% of all the companies affected, or just over 28 000 enterprises. This is the estimated average cost per SME for achieving the current 'best in class' level in terms of NIS protection.

As technologies evolve, the risks on the one hand and the protection measures on the other hand will continue to evolve as well. Continuous investments to keep up with the state of the art will thus be required, but it is very difficult at this stage to foresee what the costs involved in keeping up with technological developments will be. These investments will, however, ensure that both large and small enterprises and the European economy will be well positioned to reap the benefits of the global cyber security market, which is projected to be among the fastest growing segments of the Information Technology (IT) sector in the next 3 to 5 years; the cyber security market was worth $63.7 billion in 2011, and is expected to grow to between $80 and $120.1 billion by 2017[91].

Annex 3 provides a detailed indication of the entities involved, their turnover or operating expenditure, and the additional costs that would have to be borne. Regarding costs that would have to be borne by SMEs, Annex 4 provides the SME test.

(c) Costs for public administrations and key private players associated with reporting NIS incidents with a significant impact

In order to value the costs for reporting serious NIS incidents, an estimate of the notifications that would be made over one year has been extrapolated from existing data on the implementation of Article 13a of the Framework Directive for electronic communications. On this basis, the number of NIS incident notifications expected would amount to approximately 1700 per year. Assuming that one employee would have to devote 0.5 working day to the notification, and that the notification as such would have a negligible cost (e.g. it would be done via an e-mail), the expected cost per breach notification would be 125 EUR, leading to a total cost for notifying breaches on an annual basis of 212 500 EUR at EU level.

Regarding possible investigations that can be initiated by the NIS competent authorities on compliance with the risk management and NIS incident notification obligations, it is not possible at this stage to estimate if and how many investigations could be initiated. It can however be reasonably assumed that 10 to 20% of the NIS incident notifications might be followed by an investigation, corresponding to an absolute value of 170 to 340 expected investigations per year. Taking into account the standard salary cost, the maximum cost for the entity affected would be 25 000 EUR per investigation, or 4.25 million to 8.5 million EUR per year across the EU.

The costs for the annual reporting on notifications that the competent authorities would have to prepare and deliver to the Network would already be included in the costs indicated above for the Member States to adequately staff and equip the competent authorities.

A detailed analysis of the process that led to these estimations is provided in Annex 4.

8.3. Option 3 – Mixed approach

The level of security

Under this Option, it is unlikely that all the Member States would reach comparable levels of national capabilities and preparedness via voluntary initiatives. As a consequence, in the absence of a minimum level of national capabilities in all the Member States, there would be no guarantee that cooperation involving all of them would take place.

Given that mechanisms for cooperation and coordination at EU level would also remain voluntary, cooperation would continue within closed circles of Member States trusting one another. Lack of a framework and an infrastructure for sharing trusted information, based on common confidentiality requirements, would also hinder exchanges at EU level. This would increase the gap between the high-performing and less-performing Member States.

On the other hand, the introduction of security requirements for public administrations and key private players would create a strong incentive for those players to manage and dimension security risks effectively. These mechanisms would however be ineffective in those Member States which would not follow the Commission recommendations on the setting up of NIS capabilities. For example, without a national competent authority being appointed, there would be no organisation or body to which NIS incidents could be reported. Also, it is unlikely that public administrations would be able to carry out appropriate NIS risk management in those Member States where NIS capabilities would not be in place at the level of the central government (e.g. a CERT or a national competent authority).

Overall, under this Option the EU would miss an opportunity to increase the general level of NIS, as progress would still be patchy.

The lack of a comparable level of security and of cooperation across the Member States would harm the effectiveness of international cooperation, as described in the assessment of Option 1. This would constitute a significant weakness in a domain where international cooperation is essential. Under this Option, the EU as a whole would not demonstrate leadership in the area of NIS and would not be well positioned to export its values and interests.
Economic impacts Given the voluntary nature of this approach, the pace of
development would vary significantly across the Member States. The insufficient
level of security in the less developed Member States would undermine their
competitiveness and growth by discouraging foreign companies from investing and
doing business in these countries. Also, the less performing Member States
would be more exposed to the negative impact of incidents, risks and threats. The public administrations and the private sector would
adopt measures to remedy problems more swiftly and to dimension their impact.
However, given the continuing weakness of certain Member States, the overall
level of security in the EU would remain low and hence the impact of incidents,
risks and threats on the EU economy would increase overtime. Without securing the weakest link, incidents would become
more and more visible to business and consumers. This would undermine the
confidence in the digital environment and hinder the completion of the Internal
Market. The regulatory requirements on public administrations and
key private players would however stimulate demand for secure ICT products and
solutions. This would also create new markets and opportunities in the EU and
capitalise on the European research investments by improving prospects for
their commercial exploitation. Social impacts The continuation and expected aggravation of incidents,
risks and threats would negatively affect online confidence, especially
in those Member States which do not regard NIS as a priority. Although the NIS requirements for key private players and
public administrations could generate the social benefits described in the
assessment of Option 2 in terms of increased use of digital technologies,
citizens' empowerment and boost of employment, the likely disparities in the
Member States' approach to NIS would generally hinder such benefits. Finally, this Option is very likely to promote employment of
NIS specialised personnel in the EU due to the requirements to conduct NIS risk
assessments and to adopt appropriate security measures in a number of sectors. Costs The costs for
setting-up national NIS capabilities and for the cooperation at EU level will
depend on the extent to which the Member States would conduct these activities
on a voluntary basis. The compliance costs for public administrations and market
operators will be identical to those described above under Option 2. 9. Comparing
the options 9.1. Overall
comparison of the assessment The previous
chapters presented a detailed assessment of the three selected policy options. Given the urgency to enhance the level of protection against NIS incidents, threats and vulnerabilities as described above, and the need to implement the policy objectives that are proposed in this impact assessment to address the problem drivers, it must be concluded that Options 1 and 3 are not to be considered viable for reaching the policy objectives and are therefore not recommended, given that their effectiveness would depend on whether the voluntary approach would actually deliver a minimum level of NIS and, regarding Option 3, would depend on the good will of the Member States to set up capabilities and cooperate cross-border.

Option 2 is the preferred one, given that under this Option the protection of EU consumers, business and Governments against NIS incidents, threats and risks would improve considerably. In particular, the obligations on Member States would ensure adequate preparedness at national level; the setting up of coordinated mechanisms at EU level would deliver EU-wide coherent and coordinated prevention and response; the establishment of common NIS requirements for public administrations and key private players would foster a strong culture of risk management and would curb information asymmetry in the market. Moreover, by putting its own house in order the EU would be able to extend its international reach and become an even more credible partner for cooperation at bilateral and multilateral level. The EU would hence also be better placed to promote fundamental rights and EU core values abroad.

Annex 13 specifies the extent to which each policy option contributes to the achievement of the objectives. The assessment of the impacts under each of the options was done by analysing the magnitude of the expected impact, as well as the likelihood that the impact will actually occur as a result of the proposed policy option. According to these criteria, Policy Option 2 has scored the highest in achieving the objectives.

9.2. Overall cost-benefit analysis

The table
below (Figure 6) provides an overview of the costs related to each of the 3 policy options. The Table shows that Option 2 would entail the highest costs as a consequence of the regulatory approach. Costs stemming from Option 3 would be slightly lower, as the Member States' spending for NIS capabilities and for participating in EU cooperation will depend on the goodwill of each Member State. The table also shows benefits for each option, as explained in the assessment of the options presented in the previous Section.

Figure 6: Comparative table of costs for the three Policy options

An overall cost-benefit analysis would require a quantification of the possible benefits of compulsory measures to ensure a high level of NIS across the EU. Some of these benefits can be directly linked to the fact that NIS incidents would have no or little impact when NIS measures are in place. Other benefits are more general and relate for example to the effects of increased confidence in the digital economy.

Assessing the magnitude of the possible benefits in this particular context is extremely difficult for a number of reasons, and in particular given that:

· There is an incomplete view of the frequency and gravity of NIS incidents;
· There are general indications that the number, frequency and complexity of NIS incidents are on the rise. However, there is no information on the pace of this increase, nor are there sufficient quantitative elements available on how the situation is today so as to estimate the absolute magnitude of this increase;
· It is difficult to assess to what extent enhanced NIS would mitigate the negative impact of security incidents.

Some of the measures proposed (especially those on the reporting of NIS incidents) are meant, at least to some extent, to address this lack of data. Besides the positive effects on trust in the digital economy and the internal market, the main benefits of this option will stem from the likely contribution to decreasing the costs of security incidents, including malicious attacks. The following estimates indicate the scale of these actual or potential costs:

· According to the World Economic Forum, in the next ten years there is a 10% likelihood of a major Critical Information Infrastructure breakdown with potential economic damages of over $250 billion.
· The global consumer cybercrime is estimated at 100 billion US $ worldwide (per year); there are moreover clear indications that cybercriminals are starting to focus their efforts on increasingly popular platforms such as social networks and mobile devices[92].
· The cost of cyber-crime in the UK related to Intellectual Property (IP) theft and industrial espionage was estimated by Detica[93] at 21 billion £ per year. The cost of cyber-crime for government was estimated at 2.2 billion £ per year (total cost of tax and benefits fraud, local government and central government fraud, national health services (NHS) fraud and pension fraud). The study furthermore stresses that the full economic impact goes beyond the direct costs that were identified in the study.

10. Monitoring and evaluation

This Section proposes measures to monitor and evaluate the impact of
the preferred option, on the basis of the three specific objectives that such Option aims at achieving.

First of all, the Commission would periodically review the functioning of the legislation, particularly on the basis of technological and market developments, and would provide a report to the European Parliament and the Council every three years. The review process would also be supported by targeted studies, information received from the Member States, expert discussions, workshops, Eurobarometer statistics, etc.

The core indicators and tools in the table below provide a general framework for monitoring and evaluation.

Core indicators of progress towards meeting the objectives:

Specific objective 1: To put in place a minimum common level of NIS in the MS and thus increase the overall level of preparedness.
Monitoring indicators:
· Number of Member States having appointed a NIS competent authority which is adequately staffed and equipped to carry out EU-level cooperation
· Number of Member States having established national/governmental CERTs which meet the pre-defined minimum baseline requirements
· Number of Member States having adopted a national cyber-security strategy
· Number of Member States having adopted a national cyber incident contingency/cooperation plan
Tools:
· Surveys of competent authorities
· Comparative implementation reports on national cyber security strategies, the role of competent authorities, functioning of CERTs and national cyber security contingency/cooperation plans

Specific objective 2: To improve cooperation on NIS at EU level with a view to countering cross-border incidents and threats effectively.
Monitoring indicators:
· Number of competent authorities cooperating via the network
· Number of competent authorities participating in the secure information exchange
· Information exchange among the competent authorities on NIS incidents, risks and threats
· Implementation of the European cyber incident contingency/cooperation plan
· Reduced divergence of Member States' approaches to NIS
· Number of NIS cyber incident exercises at EU level
· Number of conferences/meetings between Member States to define commonly agreed goals for NIS
· Capacity building activities involving the Member States
· EU-wide NIS practices
· Collection of comparable data on NIS by the competent authorities
· Regular and timely publication of non-confidential information on threats, incidents and response on a common website
Tools:
· Surveys of competent authorities
· Progress report on the implementation of the European cyber incident contingency/cooperation plan
· Assessment of the outcome of capacity building activities involving the Member States (e.g. based on country case studies)

Specific objective 3: To create a culture of risk management and improve the sharing of information between the private and public sectors.
Monitoring indicators:
· Regular NIS risk assessment by public administrations and key private players
· Level of investments in NIS by public administrations and key private players
· Number of notifications of NIS incidents with a significant impact to the competent authorities (the sum of this number and the number of public administrations and companies which have failed to notify security breaches should be decreasing over time)
· Governments' access to information and data on actual NIS incidents (on the basis of the notifications received) and possibility to carry out analysis and compile statistics and to set priorities on NIS accordingly
Tools:
· Survey of players within the scope of NIS requirements to assess the level of NIS investments and the best practices adopted to ensure NIS
· Surveys of competent authorities to evaluate the incident notifications received (incl. e.g. case studies and peer reviews assessing in more detail the reporting obligations put in place in the Member States)
· Comparative implementation report on the criteria applied for defining a significant breach

ANNEX 1: PUBLIC CONSULTATION ON NETWORK AND INFORMATION SECURITY ACROSS THE EU

SUMMARY OF ANSWERS RECEIVED

An online public consultation ran from 23
July to 15 October 2012. The total number of respondents which submitted replies through the on-line tool was 169 and the breakdown of the related answers is reflected in the statistics provided below. A further 11 organisations submitted written replies outside the on-line tool, bringing the total number of replies to the public consultation to 180; these 11 are not reflected in the statistics but their written contributions will be published online.

The total breakdown by type of respondent is the following: 88 individuals (of which 57 asked to remain anonymous); 12 public authorities (of which 5 asked to remain anonymous); 80 organisations or institutions such as businesses, research institutions and NGOs (of which 41 intend to remain anonymous).

Type of respondent || Not anonymous || Anonymous || Outside the on-line tool (not included in statistics) || Total
Individuals || 31 || 57 || - || 88
Public authorities || 4 || 5 || 3 || 12
Other organisations (businesses, research institutions, NGOs etc.) || 31 || 41 || 8 || 80
Total anonymous/not anonymous || 66 || 103 || 11 || 180
Total replies through on-line tool [66+103] || 169
Total replies incl. outside on-line tool [169+11] || 180

The questions posed in the online public consultation focused on:

· Scale of the problem and evidence on impact, to assess whether the respondents had experienced
significant incidents and what are in their opinion the most frequent causes of NIS incidents.
· Improving NIS through an EU strategic approach, to assess whether the respondents believe that there is sufficient awareness of threats and incidents in the EU, that governments do enough in this field, and what incentives can be set to ensure reporting of incidents and to raise user awareness.
· Improving NIS in the EU through risk management and reporting of incidents, to assess whether the respondents conduct risk management; for which sectors of activity they believe it would be important to have NIS requirements; whether they would in principle agree with the introduction of regulatory requirements to manage NIS risks and what additional costs a requirement of this kind would entail for them; and also how effective information sharing could be achieved, to whom and at what level a requirement to report NIS incidents should be set, and what additional costs a reporting requirement would imply.

Regarding the Scale of the problem and evidence on impact, most of the respondents (56.8%) affirmed having experienced over the last year NIS incidents with a serious impact on their activities. The respondents expressed the view that the most frequent causes of NIS incidents are third party/external failure (47.3%), malicious attacks (40.8%), software/hardware failure (36.1%) and human/technical errors (27.8%).

Regarding Improving NIS through an EU strategic approach, a very large majority (82.8%) of the respondents expressed the view that consumers are in general not aware of existing NIS risks. A comparably high majority (82.8%) of the respondents also affirmed that governments in the EU should do more to ensure a high level of NIS.

When asked what kind of incentives would be needed to make companies and public administrations systematically report about NIS incidents, a large number of respondents affirmed that those could entail support from NIS authorities to respond to incidents (57.4%), notification and report to NIS authorities (44.4%) and publicity of incidents and establishment of performance ranking (44.4%). Only 8.9% of the respondents affirmed that no incentives are needed in this regard.

Regarding the reporting of NIS incidents that may also constitute cybercrime to law enforcement, many respondents suggested that this objective could be achieved at EU level by establishing a legal requirement for NIS authorities, CERTs and affected users (39.6%) or only for NIS authorities and CERTs (24.9%). On the other hand, 35.5% of the respondents said that nobody should be legally required to report to law enforcement incidents that may constitute cybercrime, but that everybody should be strongly encouraged to do so.

A very large majority of respondents (84%) affirmed that businesses, governments and consumers in the EU are not sufficiently aware of the behaviour to be adopted to minimise the impact of the NIS risks they face. The respondents suggest that the best ways to achieve this objective would be in particular to give guidance at EU level to enable consumers to differentiate good security products and services (30.2%), to define compulsory security standards for goods and services at EU level (30.2%) or to stimulate the development of industry-led standards (18.3%).

Regarding Improving NIS in the EU through risk management and reporting of incidents, 31% of the respondents affirmed that they do not have a process for managing risks in place and 54.2% of the respondents said that they do not have a budget dedicated to NIS. 30% of the respondents also affirmed that they did not have sufficient resources in place to counter and minimise the effects of NIS incidents that have affected them.

The large majority of respondents expressed the view that the adoption of NIS requirements would be important or very important in specific sectors, in particular banking and finance (91.1%), energy (89.4%), transport (81.7%), health (89.4%), Internet services (89.1%) and public administrations (87.5%).

The majority of respondents would also in principle be favourable to the introduction of a regulatory requirement to manage NIS risks (66.3%), at EU level (84.8% of those respondents). 70.5% of those respondents also suggested that these requirements entail a general obligation to adopt state of the art measures proportionate to the risks identified. Some of those respondents indicated that those who should be subject to these requirements are all business and consumers providing or using network and information systems (41.5%), whereas others (41.5%) said that only business providing or using network and information systems underpinning vital services for society (i.e. transport, energy, finance, health, Internet services of general interest, water) should be subject to this requirement.

The respondents stressed that a requirement to adopt NIS risk management according to the state of the art would entail for them no additional significant costs (43.6%) or no additional costs at all (19.8%). 36.5% of the respondents said that this would entail significant additional costs for them.

Regarding incentives for effective information sharing on threats and incidents, the respondents suggest establishing a requirement to report significant NIS breaches to the national competent authority (37.9%) or establishing stronger public-private cooperation mechanisms (37.3%).

The majority of the respondents (65%) expressed the view that if a requirement to report NIS security breaches to the national competent authority were introduced it should be set at EU level, and affirmed that public administrations should also be subject to it (93.5%). If this requirement were to be introduced at EU level, respondents mainly suggested that this should apply only to business providing or using network and information systems underpinning services which are vital for the functioning of society (43.8%) or to all business and consumers providing or using network and information systems (34.9%). The majority of the respondents (52.5%) also affirmed that a requirement to report security breaches would not cause significant additional costs for them and 19.8% said that it would not cause additional costs at all for them.

ANNEX 2: ACTION PLANS AND STRATEGIES ADOPTED SO FAR IN THE FIELD OF NIS IN THE EU

In its
Communication "Network and Information Security: Proposal for A European Policy Approach" of 2001, the Commission outlined the increasing importance of NIS for our economies and societies[94]. As part of its response to security threats, the European Community decided in 2004 to establish the European Network and Information Security Agency (ENISA)[95] to ensure a high and effective level of NIS in the EU. The role of ENISA is to contribute to the development of a culture of NIS for the benefit of citizens, consumers, enterprises and public sector organisations in the European Union and to provide advice to the European Commission to this effect. A Commission proposal to update and extend ENISA's mandate is under discussion in the Council and European Parliament[96].

In 2006, a Strategy for a Secure Information Society[97] was adopted in response to the urgent need to coordinate efforts for building up trust and confidence of stakeholders in electronic communications and services. Already the 2006 Strategy aimed to further develop a dynamic, global strategy in Europe based on a culture of security and founded on dialogue, partnership and empowerment. The main elements of this strategy were endorsed in a Council Resolution[98].

The Commission adopted, also in 2006, its proposal for a "European Programme for Critical Infrastructure Protection (EPCIP)"[99] which sets forth the overall “umbrella” approach to the protection of critical infrastructures in the EU. One of the EPCIP implementation actions is Council Directive 2008/114/EC on the identification and designation of European Critical Infrastructures and the assessment of the need to improve their protection[100], which covers the energy and transport sectors.

The Safer Internet Programme[101] 2009-2013 was launched in 2008 and provides a strong foundation to promote safer use of the Internet and other communication technologies, particularly for children, and to fight against illegal content and harmful conduct online.

After an intensive process of consultation with all relevant stakeholders, the Commission adopted, on 30 March 2009, a Communication on Critical Information Infrastructure Protection (CIIP)[102] focusing on the protection of Europe from cyber-attacks and cyber disruptions by enhancing preparedness, security and resilience. The Communication launched an action plan with five pillars of action: preparedness and prevention; detection and response; mitigation and recovery; international cooperation; criteria for the ICT sector. The CIIP Action Plan put forward, for the ICT sector, the necessary sector-specific policies complementing the overall European Programme for Critical Infrastructure Protection (EPCIP). The Action Plan was endorsed in the Presidency Conclusions of the Ministerial Conference on CIIP in Tallinn in 2009. These commitments were further advanced by the Council Resolution on "A collaborative European approach to network and information security"[103] adopted on 18 December 2009.

The revised regulatory framework for electronic communications[104], in force since November 2009, set new security provisions including on security breach notifications (Art. 13a and 13b of the Framework Directive), which were to be transposed at national level by 25 May 2011.

Security and resilience issues are notably addressed under the Trust and Security chapter of the Digital Agenda for Europe[105], one of the flagship initiatives of the EU2020 Strategy. In particular, Key Action 6 of the Digital Agenda for Europe calls for measures aimed at a reinforced and high-level NIS policy. The Digital Agenda for Europe is complementary to other initiatives such as the Stockholm Programme for Freedom, Security and Justice and the Internal Security Strategy in Action (ISS)[106]. The Stockholm Programme/Action Plan[107] and the ISS underline the Commission's commitment to building a digital environment where every European can fully express his or her economic and social potential.

More recently, the Commission's second Communication on CIIP of March 2011 on "Achievements and next steps: towards global cyber-security"[108] took stock of the results achieved since the adoption of the CIIP action plan in 2009 and described the next priorities planned under each action both at EU and at international level. Council Conclusions on CIIP were adopted on 27 May 2011[109]. The 2011 CIIP Communication contains a number of actions in which the Commission calls upon the Member States to set up NIS capabilities and cross-border cooperation. Most of these actions should have been completed by 2012, but as highlighted in Section 4.2.1, they have not yet been implemented.

Discussions are also ongoing as regards the Commission proposal for a Directive on attacks against information systems[110], which aims at harmonising the criminalisation of specific conducts.

Recently, the Commission adopted a Communication[111] on the establishment of a European Cybercrime Centre (EC3), which would be part of Europol and act as the focal point in the fight against cybercrime in the EU. EC3 is intended to pool European cybercrime expertise to support Member States in capacity building, provide support to Member States' cybercrime investigations and become the collective voice of European cybercrime investigators across law enforcement and the judiciary.

At the international level, since the 2010 EU-US Summit[112], a joint EU-US Working Group on Cyber-security and Cybercrime has been established. The EU is also active in relevant international multilateral fora, such as the Organisation for Economic Co-operation and Development (OECD), the United Nations General Assembly (UNGA), the International Telecommunication Union (ITU), the Organisation for Security and Co-operation in Europe (OSCE), the World Summit on the Information Society (WSIS) and the Internet Governance Forum (IGF). The EU also actively participates in the London process on cyberspace.

A revised CIP policy package is foreseen for adoption in the coming months. The objective is to review EPCIP, including Council Directive 2008/114/EC on the identification and designation of European Critical Infrastructures and the assessment of the need to improve their protection.

ANNEX 3: ASSESSMENT OF NIS RISK MANAGEMENT COMPLIANCE COSTS FOR PUBLIC ADMINISTRATIONS AND KEY PRIVATE PLAYERS

Introduction

Assumption taken regarding the scope of relevant costs

All public
administrations and key private players would under Options 2 and 3 be required to conduct risk assessment and to put in place risk management measures proportionate to the risks faced.

As in the electronic communications sector, the threshold for significance could be defined in relation to the impact that the breach may have on the operation of networks or services. A very important aspect in this regard is the perspective of the consumers or citizens that could be affected, and this is something that will vary from sector to sector. For example, for hospitals, this threshold would not relate to the number of patients that could be affected (size of the hospital), but to the seriousness of a possible breakdown of the network and information systems for a single patient, e.g. in case a crucial medical system goes down during surgery. Taking into account this criterion, and for each of the sectors presented below, an assessment is provided of the number of companies affected and the financial impact on them. Micro-companies would be excluded.

Methodology for the cost assessment

· Step 1: Identification of relevant sectors (based on the scope of Options 2 and 3), incl. estimation of their revenues/turnover
· Step 2: Identification of the cost related to ICT security spending that is currently not yet made ‘naturally’ by the organisations and which can be considered as ‘underinvestment’
· Step 3: Assessment of the additional cost for risk management that could be caused by NIS risk management obligations.

STEP 1: Identification of relevant sectors and entities, incl. turnover

In the following, an estimation is made of the number of entities that are expected to be impacted by the risk assessment obligations, as well as of their turnover (so as to be able to make further calculations in the following steps). The exercise is done for each of the following sectors separately:

· Energy market (electricity market and gas market)
· Transport sector (operators of air transport, rail transport and maritime transport; incl. auxiliary logistic services)
· Financial sector (all credit institutions and stock exchanges)
· Health sector (hospitals)
· Enablers of Internet services (excl. telecom operators already within the scope of the Telecom Framework Directive)
· Public administrations

It should be noted that the results presented below should be treated with caution, i.e. the goal is to obtain an overall idea of the type and number of entities and subsequently of the order of magnitude of the impact.

Energy market

The energy market can be further subdivided in the electricity and gas market. More
precisely, the actors within the scope of the risk management requirements are:

· Electricity generating companies
· Electricity Transmission and Distribution System Operators (TSO and DSO)
· Entities bringing natural gas into the country
· Gas Transmission and Distribution System Operators (TSO and DSO)

Recent data on the number of these companies in the EU is not yet available in the Eurostat dissemination database, but can be found at:

http://epp.eurostat.ec.europa.eu/statistics_explained/index.php/Electricity_market_indicators
http://epp.eurostat.ec.europa.eu/statistics_explained/index.php/Natural_gas_market_indicators

Furthermore, the DG ENERGY ‘Report on progress in creating the Internal Gas and Electricity Market’ (2009-2010) also gives some indications of the number of Transmission System Operators (TSOs) and Distribution System Operators (DSOs):

http://ec.europa.eu/energy/gas_electricity/legislation/doc/20100609_internal_market_report_2009_2010_annex.pdf

As for the generating companies, only the ‘main’ companies (those dealing with at least 5% of the country’s electricity or gas) are considered to be particularly critical. Possible problems in energy supply by smaller generators due to NIS breaches will easily be tackled by other companies, thus not resulting in a significant impact. For retailers, the situation is different, as a breach in NIS for one company can have a direct significant impact on its customers, regardless of the size of the company. Therefore, all electricity and gas transmission and distribution operators are assumed to be relevant for inclusion. This leads to a total number of businesses affected equal to approximately 4000:

Table 1: Overview of number of affected businesses in the electricity and gas sector per MS

To estimate the revenues of these businesses, an extrapolation is made with the help of another data source, namely Eurostat structural business statistics. Whereas this source provides information at the level of the much broader ‘electricity, gas and water supply sector’[113], it is useful to derive a unitary value for the average turnover of a company in the sector, which can then be extrapolated to the volumes presented above. More precisely, with the help of the Eurostat figures an average turnover per business is derived by dividing the total[114] sector turnover by the number of enterprises in the sector:

Table 2: Estimation of average company turnover (based on NACE_R1 Code E)

This average turnover per business resulting from the Eurostat data is then combined with the total number of businesses as presented in the table above (i.e. 3959 companies), leading to a total turnover at the EU level of 876 billion EUR (visible in summary Table 11).

Transport sector

The relevant
activities within the transport sector relate to those for which a significant
NIS incident would have some kind of ‘network effect’ impacting other actors in
the sector, resulting easily in a wide spread impact, incl. cross border, and
thus impacting an important number of customers (citizens as well as
businesses). Based on this
criterion, operators in the air, rail and maritime transport sector are
considered to be key operators that would fall within the scope of the obligations
(both infrastructure owners and operators/service providers over these
infrastructures), and this for both passenger and freight transport. As for
freight transport, next to the transport companies stricto sensu, also
companies providing auxiliary logistics services (such as warehouse operating
and cargo handling), irrespective of the mode of transport, should be included
in this scope, as they are an equally vital part in the time-critical transport
flow of goods. To define the number of companies active in each of these
subsectors in the EU, the following sources were used: Air
transport: · In terms of infrastructure, Eurostat provides for statistics on the
number of main airports in the EU (with more than 15 000 passenger unit
movements per year): http://appsso.eurostat.ec.europa.eu/nui/show.do?dataset=avia_if_arp&lang=en
· As for airlines, Eurostat also has information on the number of
companies active in passenger air transport[115]
and freight air transport[116],
but for passenger air transport these figures do not only include commercial
airlines, but also e.g. operators of scenic and sightseeing flights, thus
resulting in a very high overall figure that is not representative for the EU
market targeted. The Eurostat figures per Member State are therefore only taken
into account for freight air transport, and for passenger air transport use is
made of a general indication of the size of the market by DG TREN (see
factsheet on the sector http://ec.europa.eu/transport/air/doc/03_2009_facts_figures.pdf),
and the number of passenger air operators at the EU level that is provided by
them is further distributed over the individual Member States according to the
distribution of freight air transport companies. · Traffic control for air transport is usually not provided by the
operator/owner of the infrastructure, so that these types of companies form a
separate category for the air transport subsector. Information on the number of
companies could not be found, but revenue data is reprised below. Railway transport: · Number of railway operators in the EU can be found in Eurostat
(total of infrastructure managers[117],
integrated companies[118]
and railway transport operators[119]):
http://appsso.eurostat.ec.europa.eu/nui/show.do?dataset=rail_ec_ent&lang=en
Maritime transport:
· For the number of ‘operators’ on the market, Eurostat provides information on the number of sea and coastal passenger water transport companies[120] and the number of sea and coastal freight water transport companies[121] per Member State.
· As for the infrastructure, i.e. the ports, DG MOVE states there are about 1 200 ports in the EU[122], and for lack of readily available data per Member State, this total is distributed over the individual Member States according to the distribution of freight maritime transport companies (this does not influence results for the EU total, but has as a consequence that the data at Member State level should be treated with caution).

Auxiliary logistics services:
· The EU statistical system has a separate section on ‘warehousing and support activities for transportation’, of which a) warehousing and storage[123], b) cargo handling[124] and c) other transportation support activities[125] seem most relevant; excluded are support activities to land, water and air transportation, as they contain elements that are already covered in the subsectors for specific modes of transport above (e.g. harbour operation), whereas others do not comply with the criteria for inclusion with respect to the proposed measures. It should be noted that for this subsector, the relevance of companies for inclusion in the scope highly depends on the size of the company, i.e. only NIS incidents in large companies in this type of business are expected to be able to have a significant impact in terms of creating blockages or other problems in the network. Detailed data on the number of large companies for b) and c) are not available, but volumes can be estimated by taking into account the percentage of large companies in the overall subsector ‘support activities for transportation’[126].

The scope of companies presented above leads to a total estimated number of businesses equal to ± 14 600 that are considered as relevant in the transport sector:

Table 3: Overview of number of actors
affected in the transport market

For air transport, turnover information was collected through different sources: whereas for freight air transport Eurostat gives detailed turnover information per Member State that can directly be used, this is not the case for airports and passenger air transport. For these two categories, the overall indication in the abovementioned DG TREN factsheet that airlines and airports account for 135 billion EUR of business in the EU is used, i.e. it is divided by the total number of airports and passenger air transport companies (commercial airlines)[127], so as to obtain a unitary value for the average turnover of a company in these two segments of the air transport sector (168 million EUR). This unitary value can then be applied to the number of companies per Member State so as to obtain raw indications of total turnover at country level. Finally, for traffic control, the ‘Annual Analyses of the EU Air Transport Market 2010’ report[128] gives an overall figure of 8630 million EUR Gate-to-Gate Air Navigation Service (ANS) costs, which can serve as a general indication of the turnover for this sector, since providers generate their revenues from charging for en-route ANS as well as for air traffic control services at airports.

For the railway sector, a similar approach as for the energy sector was taken, i.e. combining information on the turnover of the sector and the number of companies in the sector[129] as available in the Eurostat structural business statistics[130], so as to have an indication of the average turnover per company (108 million EUR) that can then be applied to the number of railway operators identified above.

For the maritime sector, Eurostat gives detailed turnover information per Member State both for passenger and freight transport which can directly be used. Information on the turnover of ports could however not be found.

Finally, for auxiliary logistics services, information on the turnover for large companies is available for warehousing and storage, whereas for cargo handling and other transportation support activities this can be derived by combining the total turnover of these subsectors (all sizes of companies) with the relative importance of turnover of large companies in the overall turnover of the ‘overall support activities for transportation’ class. This leads to the following results for turnover:

Table 4: Estimation of total turnover for the transport sector[131]
Financial sector

In the financial services sector, all credit institutions, irrespective of their size, are considered to be a possible victim of a significant security breach because of the nature of their activities. Unlike credit institutions, insurance companies are not considered to be relevant for inclusion in the scope of the envisaged measures. Indeed, the activities of the insurance sector are not comparable to those of credit institutions, for several reasons, most importantly the lesser importance of real-time availability, and also the difference in type of information dealt with.

Eurostat indicates a total number of credit institutions of 7706 for 2007. The order of magnitude of this figure is confirmed by the European Central Bank (ECB), which indicates that there were around 8200 credit institutions in the EU at the beginning of 2011[132]. In the table at the end of this section, the number of credit institutions per Member State is further combined with the total number of persons employed in credit institutions as well as the total production value[133] of the credit institutions, so as to obtain a general indication of the average size of a credit institution.

A second category of actors relevant for inclusion in the scope of risk management measures are operators of stock exchanges. Whereas the MiFiD Directive[134] categorises the systems available for third-party buying and selling interests in financial instruments, e.g. identifying regulated markets and Multilateral Trading Facilities (MTFs), the volume of these systems, as e.g. available in the MiFiD database[135] of the European Securities and Markets Authority (ESMA), is not an adequate basis for identifying the number of actors active on the EU market. For instance, the list of regulated markets published by the EC in 2010[136] contains more than 100 regulated markets, whereas according to the same list the number of operating entities behind these is around 55. This clearly indicates that several regulated markets are often operated by the same entity, and this observation can be extended to MTFs. The Wiener Börse AG for instance operates the regulated markets Official Market (Amtlicher Handel) and Second Regulated Market (Geregelter Freiverkehr), but also the Third Market (Wiener Börse AG Dritter Markt) as an MTF. As it can be assumed that measures for risk management will be taken at the level of the market operator, it would not be correct to make calculations at the level of the individual systems they operate. Moreover, it should be noted that European exchanges have undergone a period of consolidation, whereby several market operators are now grouped (for instance in Euronext and OMX), which means that IT security decisions can also be expected to be at least partially centralised.

With the remarks above in mind, different lists[137] of stock exchanges in the EU were analysed, and based on these it was concluded that the relevant number of affected actors in the EU (at a consolidated level) is expected to lie in the range of 25 to 30. Turnover and other financial information on the majority of European exchanges is available in the Federation of European Securities Exchanges’ (FESE) “European Exchange Report”[138]. The turnover figures associated with each of the exchanges in this report were, in the table below, allocated to the MS of incorporation or where it has its headquarters[139]. Whereas not all stock exchanges are members of FESE, this provides a good indication of the total market size, since it covers all main actors, with the possible exception of the London Stock Exchange (LSE), but revenue figures for this exchange were added to the table below, so as to obtain a figure as accurate as possible.

Table 5: Overview of turnover, employment and number of persons employed in credit institutions in the EU 27 (based on NACE_R1 codes J6512_J6552) & Overview of turnover of stock exchanges (source: FESE and LSE Annual Report 2011)

Health sector

In the health sector, relevant actors
consist most importantly of hospitals providing care. Whereas trustworthy data on the number of hospitals per Member State is not readily available, based on the rule that on average there are 3 hospitals per 100 000 inhabitants[140], an estimate of the number of actors per MS, equal to approximately 15 000, can be made.

Furthermore, Eurostat provides information on the health care expenditure of a Member State per type of provider, and hospitals are considered as a specific category of providers in these statistics[141]. These health care expenditure values can be considered as equivalent to the revenues of companies in other sectors.

Table 6: Overview number of hospitals[142] and total turnover[143]

Enablers of Internet services

We consider relevant those actors whose services, delivered through the Internet, empower key economic and social activities and which have a significant impact in case their activities are suspended for a couple of hours. A distinction can be made between services:
· at the wholesale level: intermediary service providers that are not visible to the end-users (i.e. back-office internet services, providing essential inputs for the provision of retail internet services)
· at the retail level: provided directly to end-users (businesses or citizens)

As the sector of Internet based services is evolving very quickly[144], very few statistics are available on the numbers of actors for the subsectors that would be within the scope of the obligations. The figures presented below are therefore based on sector expert opinions, sector specific company rankings, etc. They take into account that for some activities, mainly large actors are relevant (e.g. for public cloud computing services) and for others, also smaller players can be relevant (e.g. local eCommerce platform providers). We believe they provide a good estimate of the order of magnitude of the number of actors concerned.

As for VoIP providers, those that already fall within the scope of Art.13a of the Framework Directive for electronic communications were left out of the count. Indeed, many VoIP providers[145] can be classified as providers of publicly available electronic communications services (or of the subset of publicly available telephone services), and thus should currently already take the necessary measures to manage the risks posed to the security of their services. This is however not the case for VoIP services that offer machine-to-machine communications essentially only consisting of the provision of a product (in casu a software program), without having a genuine function in the transport of IP packets between its users. Indeed, these “do not consist wholly or mainly in the conveyance of signals on electronic communication networks”, and are thus not considered to be an electronic communications service. These services correspond to the first of the three categories of VoIP identified in the Commission Staff Working Document on the treatment of VoIP under the EU Regulatory Framework[146]. In practice, this means that only a small part of the about 1 200 VoIP providers in the EU[147] are relevant for inclusion in the scope of the proposed measures.

The scope as defined above leads to an estimated number of actors affected today equal to approximately 1400:

Table 7: Overview of number of actors affected in the ICT sector (excl. actors falling within the scope of the Telecom FWD)

For estimating the turnover related to the actors and activities presented in the table above, the best possible indication was found in the Eurostat structural business statistics on ‘Information and Communication’, NACE Rev2 Code 63[148]. In total, this subsector includes over 2500 companies with 20 or more persons employed:

Table 8: Estimation of average company turnover (based on NACE Rev2 Code 63)

If the assumption is taken that the companies within our scope are the largest players, a global indication can be obtained of a total relevant turnover of approximately 30 billion EUR[149].

Public administrations

For the public sector, all Member State
institutions at all levels (national, regional, local, etc.) have been considered within the scope of the obligations as they all contribute to the smooth functioning of economy and society as a whole. No attempt was made however to estimate the number of individual public institutions, since the objective of the cost assessment is to make a global estimate of the total cost for the public sector.

Furthermore, contrary to the other sectors, statistics for the public administration relate to operating costs. Indeed, as explained in section 2, ICT spending in the public sector is typically expressed as a percentage of operating expenditure instead of revenues (or ‘Turnover’). The operating costs of governmental institutions are composed of intermediate consumption, compensation of employees and taxes paid on production[150]. Information on these public operating cost categories can be found in Eurostat[151] for each of the 27 EU Member States. The operating costs for the general government[152] of each individual Member State are presented in the table below:

Table 9: Overview of operating cost of the general government (figures for 2011)

Summary for all relevant sectors

An overview of the number of companies per sector expected to be in the scope of the proposed measures is presented in the table below, along with the corresponding turnover figures (operating expense for public administration).

Table 10: Estimated number of businesses expected to be in the scope of the proposed measures, incl. corresponding turnover – per sector and total operating costs of governmental institutions

STEP 2: Identification of the current underinvestment in ICT security spending

Statistics on what businesses are currently doing in terms of NIS expenditure are very scarce, not least because it is difficult to assess how much is spent, as security generally does not represent a separate budget line, and a number of costs might be “hidden” outside the IT budget[153]. However, Gartner[154] for instance provides sector specific indications of the level of actual ICT security spending as a percentage of total IT spending in 2011. These values can further be updated for 2012 based on the indication in a recent press release by Gartner[155] that security spending in 2012 will rise by 8.4% compared to 2011.

The percentages obtained in this way can be compared to the values of the businesses that are ‘best in class’ (considered to be the ‘Target spending’). The best-in-class sector is the utilities sector, which has an estimated percentage of ICT security spending of 6.61% for 2012. The comparison for each sector of the current ICT security spending level with the target spending level provides an indication of what additional ICT security spending is required. This can first of all be expressed as a percentage of the total IT spending per sector. Combining this percentage with the sector specific global level of IT spending (as a percentage of total turnover[156]) furthermore makes it possible to relate the additional ICT security spending required to the total turnover of the sectors within the scope of the Regulation.

The elements presented above lead, for each of the individual sectors within the scope of the regulation, to the following indication of additional required ICT security spending:

Table 11: Estimation of additional ICT security spending required per sector (in % of total revenues)

Combining these percentages per sector with the total relevant turnover per sector leads to the following total absolute costs per sector and per company:

Table 12: Estimation of additional ICT security spending required per sector (in mill EUR) and per company (in EUR)

Since energy is a utility, the methodology automatically leads to the conclusion that the energy sector is currently already performing sufficiently in terms of risk management, so no additional spending is required. The total cost for additional ICT security spending for all of the over 42 000 businesses and the whole public sector together is estimated at 3.1 billion EUR.

STEP 3: Assessment of the additional cost for risk management that could be caused by the Regulation on Network and information security (NIS) – Compliance cost of the NIS Regulation

In the
assessment of what part of the additional costs for risk management is indeed caused by a NIS Regulation, the following two characteristics of the affected actors are of major importance:
· Some of the actors operate critical infrastructure (European or national);
· Many of the actors are ‘data controllers’ (as defined in the Data Protection Regulation[157]).

The following table indicates in more detail to what extent each of the actors within the scope of the NIS regulation can qualify as a critical infrastructure operator or a data controller:

For European critical infrastructures (defined as critical infrastructure with cross-border relevance in the transport and energy sectors), risk assessment and mitigation plans are mandatory under Directive 2008/114/EC[158]. Several MS have similar obligations for national critical infrastructure. The risk assessment and risk management plans are generally all-hazard plans, therefore including network and information security (NIS).

Furthermore, the proposal for the General Data Protection Regulation[159] obliges the controller and the processor to implement appropriate measures for the security of processing (Article 30), based on Article 17(1) of Directive 95/46/EC, extending that obligation to processors, irrespective of the contract with the controller. Articles 31 and 32 introduce an obligation to notify personal data breaches, building on the personal data breach notification in Article 4(3) of the e-privacy Directive 2002/58/EC.

Depending on the precise ICT security measures and requirements that will be defined for the implementation of the NIS Regulation, there could be quite some overlap with the measures already foreseen for Critical Infrastructure (CI) operators and data controllers. Given that there is currently no indication that there would be significant differences in the future security requirements, it can be assumed that only limited additional ICT security costs[160] would be caused by the NIS Regulation.

Furthermore, the extent to which additional costs could be required will also depend upon the exact overlaps in scope. The degree of overlap could vary e.g. depending on the precise network and information systems that indeed fall within the scope of critical infrastructure obligations or that handle personal data, compared to all the network and information systems targeted by the NIS Regulation. Again, it is expected that the scope of the NIS Regulation will largely overlap with the network and information systems within the scope of CI and personal data protection measures.

Given the elements presented above, it can be assumed that an important part of the additional ICT spending required is still needed in order to fully comply with regulations other than the Network and Information Security regulation, or would be made ‘naturally’ (i.e. for commercial or good governance reasons) by the actors within the scope of this assessment. As such, only part of the additional cost presented in Table 13 will possibly be caused by the NIS Regulation and, by consequence, be considered as a compliance cost caused by it.

The assumption that between 40% and 70% of the additional required ICT security spending will not be caused by the NIS Regulation leads to the conclusion that its compliance cost can be estimated at between approximately 1 and 2 billion EUR. Over half of this amount (i.e. between ± 577 and 1 155 million EUR) relates to additional ICT security measures that need to be taken by the public sector. The estimates for each individual private sector are presented in Table 14 below:

Table 13: Estimated compliance cost of the NIS Regulation

As regards SMEs[161], they are the backbone of the European economy as they constitute more than 99% of all European businesses. A considerable number of these companies are micro-enterprises, i.e. companies which employ fewer than 10 people, and they have been excluded from the scope since they do not have the scale nor do they provide the services that would fall within the scope of the requirements. However, there are small (up to 50 employees) and medium enterprises (from 50 to 250 employees) to which the requirements would apply.

Starting from the total compliance costs for the private sector (see Table 13), which range from 360 to 720 million EUR, the compliance cost per small and medium enterprise would fall in the range of 2500 to 5000 EUR. In carrying out the calculation, it has been assumed that small and medium enterprises account for 20% of the turnover of the private companies concerned by the regulation and represent 68% of all the companies affected, or just over 28,000 enterprises.
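The calculation chain of STEPS 2 and 3 (gap to the best-in-class 6.61% of IT spending, conversion to a share of turnover via the sector's IT spending ratio, the 40% to 70% attribution to other drivers, and the per-SME split using the 20% turnover and 68% count assumptions) is easier to audit when written out. The block below is an added worked example, not part of the Commission document. The headline inputs (6.61%, 8.4%, 40% to 70%, 20%, 28,000 SMEs, 3.1 billion EUR total, 360 to 720 million EUR private compliance cost) are the document's own; the per-sector 2011 Gartner security-spending percentages and IT shares of turnover are not reproduced on the page, so "hypothetical sector A" and the energy sector's spending shares are constructed placeholders.

```python
"""Added worked example: the Annex 3 cost-estimation chain (STEPS 2 and 3).

Not part of the Commission document. Headline inputs (6.61 %, 8.4 %, 40-70 %,
20 %, 28 000 SMEs) are taken from the text; the per-sector 2011 security-spending
and IT-spending shares are constructed placeholders, because the page does not
reproduce the underlying Gartner data.
"""
from dataclasses import dataclass

TARGET_SECURITY_SHARE_2012 = 6.61     # best in class (utilities): security as % of IT spend, 2012
SECURITY_GROWTH_2011_TO_2012 = 0.084  # Gartner: security spending up 8.4 % in 2012 vs 2011
NOT_CAUSED_BY_NIS = (0.40, 0.70)      # share of the gap that other drivers would close anyway
SME_TURNOVER_SHARE = 0.20             # SMEs' share of private-sector turnover (Table 2 ratio)
SME_COUNT = 28_000                    # 68 % of affected companies, "just over 28,000"


@dataclass(frozen=True)
class Sector:
    name: str
    turnover_meur: float          # total relevant turnover, million EUR
    security_share_2011: float    # ICT security spend as % of total IT spend (2011)
    it_share_of_turnover: float   # total IT spend as % of turnover


def security_share_2012(share_2011: float) -> float:
    """Roll a 2011 security-spending percentage forward with the 8.4 % uplift."""
    return share_2011 * (1 + SECURITY_GROWTH_2011_TO_2012)


def additional_security_pct_of_turnover(sector: Sector) -> float:
    """STEP 2: gap to the target, expressed in % of the sector's turnover.

    The gap is clamped at zero: a sector at or above the target (energy, as a
    utility) needs no additional spending, which is the conclusion the text draws.
    """
    gap_pct_of_it = max(0.0, TARGET_SECURITY_SHARE_2012
                        - security_share_2012(sector.security_share_2011))
    return gap_pct_of_it / 100 * sector.it_share_of_turnover


def additional_spending_meur(sector: Sector) -> float:
    """STEP 2 in absolute terms: additional ICT security spending, million EUR."""
    return additional_security_pct_of_turnover(sector) / 100 * sector.turnover_meur


def compliance_cost_range_meur(additional_meur: float) -> tuple:
    """STEP 3: the part attributable to the NIS Regulation, as (low, high).

    If 40-70 % of the gap is not caused by the Regulation, 30-60 % of it is.
    """
    low = additional_meur * (1 - NOT_CAUSED_BY_NIS[1])
    high = additional_meur * (1 - NOT_CAUSED_BY_NIS[0])
    return low, high


def sme_cost_per_enterprise_eur(private_compliance_meur: float) -> float:
    """Per-SME cost: SMEs bear 20 % of the private-sector compliance cost, spread over 28 000 firms."""
    return private_compliance_meur * 1e6 * SME_TURNOVER_SHARE / SME_COUNT


def estimate(sectors: list) -> dict:
    """Run the full chain over a list of sectors and return per-sector and total figures."""
    per_sector = {s.name: additional_spending_meur(s) for s in sectors}
    total = sum(per_sector.values())
    return {
        "additional_meur": per_sector,
        "total_additional_meur": total,
        "compliance_range_meur": compliance_cost_range_meur(total),
    }


# Constructed placeholder sectors (not the document's data). Energy uses its
# documented 876 billion EUR turnover and is placed at the target, so its gap is zero;
# "hypothetical sector A" is invented to show a non-zero gap.
SAMPLE_SECTORS = [
    Sector("energy", 876_000, TARGET_SECURITY_SHARE_2012, 3.0),
    Sector("hypothetical sector A", 100_000, 3.0, 4.0),
]

if __name__ == "__main__":
    result = estimate(SAMPLE_SECTORS)
    for name, meur in result["additional_meur"].items():
        print(f"{name}: {meur:,.2f} million EUR additional security spending")
    # Document headline: 3.1 billion EUR additional spending, 40-70 % not caused by NIS
    print("compliance cost from 3.1 bn EUR (million EUR):", compliance_cost_range_meur(3_100))
    # Document headline: 360-720 million EUR private compliance cost, 28 000 SMEs
    print("cost per SME (EUR):", [round(sme_cost_per_enterprise_eur(x)) for x in (360, 720)])
```

Running the block reproduces the document's rounded results: 3.1 billion EUR of additional spending becomes 930 to 1 860 million EUR of compliance cost (the "approximately 1 and 2 billion EUR"), and 360 to 720 million EUR spread over 28 000 SMEs at a 20% turnover share gives about 2 571 to 5 143 EUR per enterprise (the "2500 to 5000 EUR"). The clamp in `additional_security_pct_of_turnover` is what makes the energy sector drop out with zero additional cost.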
This extrapolation is based on Table 2 of this Annex, which sets out the turnover (20%) and number (68%) of small and medium enterprises as opposed to the turnover and number of large enterprises in the energy sector. These values have then been applied to the other sectors concerned. The result is however to be considered as an absolute maximum, given that for example the number of affected hospitals has been calculated on the basis of the assumption that on average there are 3 hospitals per 100 000 inhabitants and that many small credit institutions are actually part of a larger group.

ANNEX 4: ASSESSMENT OF COSTS RELATED TO THE REQUIREMENT TO NOTIFY
NIS INCIDENTS WITH A SIGNIFICANT IMPACT AND ASSOCIATED MECHANISMS/PROCESSES

Introduction

This Annex focuses on:
· Costs related to the notification of security breaches to the competent authority;
· Costs related to cooperating with the competent authority in case of specific investigations.

No specific cost calculation is made for the (one-time) setting up of the necessary internal business organisation, e.g. defining internal reporting chains etc. This is because the costs associated with this setting up are considered to be already included in the costs for putting in place an adequate risk management approach. Thus, in the following only the marginal costs linked to specific recurring activities (notifying and cooperating with investigations) are considered to be additional factors to be estimated. Unlike for the assessment of the costs linked to the implementation of NIS risk management measures, in the quantification presented below it is assumed that such costs would not differ across sectors.

Scope of the obligation

The entities that could possibly encounter (and thus need to report) a significant NIS incident would be the same as for the NIS risk management obligations.

Assumptions taken regarding salary costs

Estimates of the costs caused by regulation are often expressed by stakeholders in terms of additional time (number of hours, man-days, etc.) that is required on a yearly basis. These indications will systematically be translated into a yearly cost by using information that was collected as part of the ‘Action Programme Reducing Administrative Burdens in Europe’[162]. More precisely, the salary cost per MS relating to the category ‘Professionals’ has been taken into account. These costs are furthermore increased by 25%[163] to take into account overhead costs. This leads to an average yearly gross salary cost per FTE[164] of 60 000 EUR for the EU 27.

Costs related to the notification of security breaches to the regulatory authority

In line with the provisions currently in place in the electronic communications sector, only breaches that have a ‘significant impact’ would need to be notified to the competent authority. Assuming that the threshold for what constitutes a ‘significant impact’ would not be specified in detail in the legislative initiative to be adopted under Option 2, the only hypothesis that can be taken at this stage is that these thresholds would be set at a level comparable[165] to that currently applicable under Art.13 a and b of the 2009 revised regulatory framework for electronic communications.

Following this, it can be assumed that the frequency of incidents, and thus of reporting, can also be extrapolated from that in the electronic communications sector. As the provisions of the Directive have only recently been implemented in several Member States (or are only in the process of implementation), there is only limited information available on the reporting that derives from the Art.13 obligations. The first ENISA annual analysis of the Art.13a incident reports[166] provides an analysis of all significant incidents that were reported for the year 2011, and their number amounts to 51. In this report, ENISA estimates that the number of incidents that will be reported for 2012 will increase by a factor of 10, i.e. about 510 reports on significant incidents are expected for the electronic communications sector (e.g. because many countries implemented Art.13a only late in 2011, thus not yet having received reports on significant breaches during that year).

This total yearly amount of notifications can be extrapolated to the sectors relevant for inclusion in the scope of the proposed measures. More precisely, in the electronic communications sector an average of 510 notifications is made on a total of about 12 000[167] providers (i.e. around 4%), and if this ratio is applied to the 42 633 companies identified as being in the scope of the proposed new measures[168], the number of additional breach notifications expected would amount to about 1700 on an annual basis.

In line with the level of thresholds, it can also be assumed that the level/degree of detail of reporting necessary would be comparable to that under the current Art. 13a, resulting in the assessment that the time needed for a business to notify a breach is not expected to be more than some hours (cf. examples of notification reports for Art. 13 in some MS). An important factor in this regard is the presumption that following a breach, no specific additional analyses or investigations would be necessary within the organisation so as to be able to report the information that is requested, which may of course not prove to be correct if implementation of the proposed measures would go far beyond what is currently applicable in the electronic communications sector. This can however not be foreseen at the moment, and further assessments would in this case need to be made at the time of contemplating imposition of such measures. Assuming a duration of 0.5 working day, the expected cost per breach notification would be 125 EUR, leading to a total cost for notifying breaches on an annual basis of 212 500 EUR at the EU level[169]; in other words, the combination of the relatively low volume of cases and limited cost per case leads to the conclusion that the costs related to notifying breaches would be very low for the stakeholders concerned.

Moreover, it is not
excluded that part of this cost represents tasks that are currently already
executed to comply with other requirements. Whereas for critical
infrastructures, there is no reporting at the EU level foreseen[170], the same cannot be said for the proposed new
data protection measures. Indeed, breaches of personal data security would need
to be reported to the Data Protection Authority (DPA), and in case of incidents
representing an NIS and data protection breach at the same time, it cannot be
excluded that there will at least be some level of coordination that avoids
duplication of activities (and costs), e.g. through establishing principles of
unique breach identification. However, in view of the differences between
personal data breaches and NIS breaches, it will in any case not suffice to
only report in line with the rules of 1 of both types, as not all information
to be provided will be similar[171], e.g. in both cases the number of persons affected are
relevant, but only in case of an NIS breach will it make sense to report
information on the duration of the breach. In any case, as the implementing
measures are currently not yet defined, it is impossible to quantify the
possible saving/economy that can be made, and this is moreover not crucial
given the low overall level of costs (see previous paragraph). Finally, it should be
noted that costs could be higher in case the threshold for breaches that would
actually be set by the EU for other sectors than electronic communications
would imply that the number of breaches that would have to be notified would be
of another order of magnitude than what is currently the case under Art. 13.
However, there is currently no indication that suchlike provisions would be
relevant at the EU level. Again, in case it would be considered in the future
to implement these kinds of strict thresholds through delegating acts, then the
costs linked to this should be analysed prior to implementation of suchlike
rules. Costs related to
cooperating with the regulatory authority in case of specific investigations
regarding the respect of Art 13a As an extension of
art.13b, competent authorities would be given the possibility to investigate
cases of non-compliance and the effects thereof on the security of networks and
information systems. Whereas it is not necessarily always the case, this
opportunity is expected to mostly be taken following the notification of a
breach, so that the number of breach notifications expected (1700 per year, see
above) can be taken as a starting point for the number of investigations
expected. More precisely, it is estimated that between 10% and 20% of this
total number of notifications will lead to an in-depth investigation,
corresponding to an absolute value of 170 to 340 expected investigations per
year. In case of an
investigation, cooperation of the entity that is under investigation will be
necessary. Unlike for the notification of a breach, the individual cost of such
an investigation might be significant. The importance of this depends on
several factors. For instance, the methodology decided upon by the MS to
execute investigations might influence the cost and workload for the entity,
e.g. would the investigation be handled internally by the competent authority,
or would it oblige the business to be audited by an independent expert?
Secondly, the level of complexity of the breach, of the sector, of the
structure and specificities of the business and of the root cause[172] would be influencing factors for the magnitude
of investigation costs for industry. For instance, in the underlying IA of the
UK on the implementation of Art. 13[173], it is supposed that an investigation would on average
take about 5 months, and that the electronic communications provider would need
to foresee 1 FTE for this entire period. Whereas this order of magnitude might
be representative for some cases, it should be noted that the size of the
businesses in the electronic communications sector that are likely to be
reporting a breach, in combination with the underlying complexity of their
systems and networks, would make this an example at the high end of the expected
range of costs for an individual business in case of an investigation. Taking
into account the standard salary cost defined above, this worst case
scenario would amount up to a cost for business of maximum 25 000 EUR per
investigation, or 4.25 million to 8.5 million EUR[174] per year across the EU.

ANNEX 5: THE SME TEST

(1) Consultation with SME representatives || Consultations with SMEs took place via the following process: a public consultation which ended on 15.10.2012 – this gave SMEs the opportunity to respond; regular bilateral meetings with specific SMEs. Feedback from SMEs: individual SMEs gave a favourable opinion. They share the concerns about the rising NIS problems and the need to adopt NIS requirements in specific critical sectors such as banking, energy, transport, Internet services and public administrations.
(2) Preliminary assessment of businesses likely to be affected || See Annex 2.
(3) Measurement of the impact on SMEs || Micro companies are excluded from the scope of the preferred Option. NIS compliance requirements would also apply to SMEs in all sectors covered. Starting from the compliance costs for the private sector, which range from 360 to 720 million EUR, it has been estimated that compliance costs per SME would fall in the range of 2500 to 5000 EUR.
(4) Assess alternative options and mitigating measures || For SMEs, the preferred Option would bolster a culture of risk management and would foster more effective mitigation in case of incidents. More security would hence favour the business climate and consumers' confidence. This is something that SMEs stand to benefit from. Micro companies are excluded from the scope of the preferred Option. Consequently, there is no element showing the need for SME-specific measures in order to ensure compliance with the proportionality principle.

ANNEX 6: CURRENT STATE OF CAPABILITIES IN THE EU

PREPAREDNESS

National Cyber Security Strategies in the Member States

Member States
are responding to the evolving threats and the multitude of actors that need to
co-operate in order to respond to the threats by adopting national cyber
security strategies. National cyber
security strategies must, however, not become documents without operational
actions. Far from all MS that have adopted a national cyber security strategy
have included a national cyber incident contingency plan in it (Czech Republic,
Lithuania, Romania, Slovakia have not). One MS (Denmark) without a national strategy has nevertheless put a national contingency plan for
cyber-incidents in place. The number of
strategies still shows progress since the first stock-taking exercise initiated
by the Commission at the Ministerial Conference on CIIP in Balatonfüred, when
only 9 had adopted national strategies. ENISA has in
2012 conducted an analysis of existing strategies[175] and issued an implementation
guide for national cyber security strategies[176].

Competent bodies for Internet/cyber security matters in the Member States

At MS level
the public sector actors involved in NIS matters include a large variety of
ministries and agencies, National/Governmental CERTs, National Regulatory
Authorities[177].
Responsibility for ICT/Internet issues is spread across different
Ministries depending on the topic: responsibility for NIS for businesses lies most
frequently with Ministries of Economics/Industry/Enterprise/Transport/Telecommunications,
and the same holds for government
networks (though some MS have it separated under the Ministry of Finance/Public
Administration). A considerable number of Member States group information and
network security together with national security and critical infrastructure
protection under the Ministry of Interior. A handful of MS have allocated
responsibility for awareness raising or fighting cyber-crime to specialised
bodies and agencies. An overview identifying at national level all relevant
authorities (stakeholders) and their tasks, existing policy initiatives and
regulatory provisions, exchange of information between authorities and
providers, national risk management processes, and preparedness and recovery
measures has been done by ENISA[178].

Baseline functions for competent bodies

The baseline functions for competent bodies regulating security of networks and services in the telecom sector are:
· Enforcing compliance with the appropriate security measures that have to be taken to prevent security incidents.
· Collecting incident reports and notifying about incidents across borders and to ENISA and the Commission.
These two core
functions are central in the EU-wide security legislation for the telecom
sector (Article 13a of the revised telecom framework) and ENISA has developed
technical guidance for the MS in implementing these functions. ENISA has set up
a working group (the Article 13 a working group) of competent bodies and
reached consensus about two guidelines; a guideline on incident reporting for
incidents that significantly affect the continuity of electronic communications,
and a guideline on minimum security measures that should guarantee the security
and the integrity of the electronic communications networks and services
(telephone, internet, etc.) across the EU. It is important to stress that both
guidelines (described further below) have been drafted in an open discussion
and consensus with the competent bodies, and that ENISA continues to work with competent
bodies to elaborate this guidance and provide the necessary technical guidance
to ensure that providers of electronic communications face similar technical
procedures and security requirements across the EU.

Current EU-level cooperation between national bodies - EFMS

The European
Forum for Member States - EFMS - was established in 2009 as a follow-up to the
policy initiative on Critical Information Infrastructure Protection (CIIP)
adopted by the European Commission on 30 March 2009[179]. EFMS provides a flexible,
informal, responsive and continuous platform dedicated to representatives from
national public authorities to foster the exchange of good practices and
experiences on public policy matters relevant to CIIP. It does not address
technical and operational issues. These informal discussions may complement and
support formal decision-making processes (e.g. in Council Working Groups). EFMS fosters
awareness and common understanding of EU challenges, stimulates discussions on
common policy objectives and priorities, reinforces collaboration between
Member States and promotes a better integration of national policies in a
European and global dimension. It is open to all interested officials from national
competent authorities of the Member States of the
European Union (EU) and of the European Free Trade Association
(EFTA) in charge of NIS and
CIIP. EFMS meetings
are convened and chaired by the European Commission, DG
CONNECT, with the support of ENISA, on a quarterly
basis. Member States' participation in EFMS meetings is flexible and depends on
the topics under the agenda of each meeting. It is left to the discretion of
Member States to decide who should attend an EFMS meeting. Twelve EFMS meetings[180] have been organised so far. The following
topics are or have been regularly discussed: (1) the definition of criteria to
identify European ICT infrastructures in support to the implementation of the
Directive on the Identification and Designation of European Critical
Infrastructures[181],
(2) the definition of priorities, principles and guidelines for Internet
resilience and stability, (3) the long term strategy on the development of
pan-European exercises on large scale security incidents, (4), since January
2011, International cooperation including, in particular, developments with
regard to the "EU-US Working Group on Cyber-security and Cyber-crime"[182], and (5), since December
2011, the European Strategy for Cyber Security. To ensure the
transparency of the process, the EFMS has been registered, in January 2011, within
the Register of Commission expert groups with the task to ensure "coordination
with Member States and exchange of views"[183]. The Register indicates in
particular which national competent authorities are represented at the EFMS. Rules
of procedure have been adopted. ENISA has set up a web
portal with limited access for all EFMS' documents (including minutes of
meetings): 133 officials from the 27 EU Member States plus Iceland, Norway and
Switzerland are registered. EFMS received strong
support from Member States at the Tallinn Ministerial CIIP conference of April
2009[184] and in the Council Resolution 2009/C 321/01[185] adopted in December 2009. It
is acknowledged by the MS to be an important platform for discussions and
exchange of good policy practices. The UK government reply[186] to the fifth report from the
House of Lords European Union Committee on the CIIP Action Plan states that the
EFMS "has been a success and has tapped into a real need for policy
makers to have an opportunity to exchange experience".

Need for strategic and operational cooperation, coordination, early warning and mutual assistance

The increasing
sophistication of threats and the global interconnectedness call for a much
tighter cooperation and collaboration between Governments, as well as between
public and private sectors. There is an increasing need to put in place
appropriate coordination mechanisms and structures at national level, which
would help ensure better cooperation and coordination at EU level amongst
competent national authorities, as well as with the private sector, in
cooperation with and benefiting from the support of relevant EU institutions,
agencies and bodies. Cooperation needs to be established both at the technical
level (CERTs), and at the strategic level (competent authorities).

Cooperation between public and private sector

Co-operation
between public and private sector at MS level can contribute to a holistic
national risk management process, with the aim of ensuring security of supply and
network security. The approach, if applied throughout the process of risk
identification, risk assessment and risk treatment, can feed into national
strategies and contingency plans. At EU level
the European Public Private Partnership for Resilience (EP3R) was set up in 2009 as a
follow-up to the policy initiative on Critical Information Infrastructure
Protection (CIIP).

Good practices for building Public-Private Partnerships

Public-Private
Partnerships (PPPs) are essential for the Security and Resilience of Critical
Information Infrastructures (CII), since a large part of them belongs to
private sector stakeholders. This cooperation in the form of PPPs has evolved
in many Member States depending on the environment, culture and legal
framework. The need for a European view is demonstrated by the European Public
Private Partnership for Resilience (EP3R) that is engaging with National PPPs and
other stakeholders to address Critical Information Infrastructure Protection
(CIIP) issues at European level. Recognizing the importance of such
cooperation, ENISA has conducted a Study in order to collect from the
experiences of existing PPPs and to identify best practices to support those
countries who are establishing a well-formed partnership for the first time or
are experiencing barriers and looking for advice. At the initial
phase of the ENISA research activity, data from both public and private
stakeholders were collected across 20 countries, in order to understand the
current use of co-operative models for effective Public Private Partnerships.
The initial findings were presented in a Desktop Research Report[187] revealing five main components addressing the Why, Who, How, What
and When questions associated with creating and maintaining PPPs. Following the
Desktop Research Report, ENISA has published a Good Practice Guide[188] to help stakeholders to easily choose those aspects that will add
value to their endeavours in setting up and running PPPs. The Guide identifies
a list of issues which existing PPPs have addressed and the Good Practice
observed in addressing these issues. To this end, 36 recommendations are
included in the Guide on how to build successful Public Private Partnerships
for resilient IT security. Despite the
large number and apparent diversity, there are three main approaches taken by
PPPs in addressing the problems of security and resilience of e-communication
networks and systems. These have been termed:
· Prevention focused PPPs
· Response focused PPPs
· Umbrella PPPs
The overall
conclusions reached are that diversity in approach of PPPs is supported by a
core set of principles and it is recognition of these common principles which
paves the way for greater cooperation between PPPs in the future.

CERT capabilities

In line with
the target set by the Digital Agenda Europe flagship initiative, Member States
are in the process of establishing or appointing national / governmental Computer
Emergency Response Teams (CERTs) and Computer Security Incident Response Teams
(CSIRTs)[189]. Almost all
(24) MS now have a national/governmental CERT in place.

Baseline capabilities for CERTs

The baseline
capabilities of national/ governmental CERTs introduced by ENISA are the first
attempt in defining a minimum set of capabilities that a Computer Emergency
Response Team (CERT) should possess to take part and contribute to a
sustainable cross-border information sharing and cooperation and are aligned
with communications from the European Council and Commission that address the
challenges and priorities for NIS and the critical information infrastructure
protection (CIIP). These are formulated in four areas: mandate and strategy,
service portfolio, operation and cooperation. Many EU Member
States (MS) have recognised the need to strengthen national cyber-security
including the protection of critical information infrastructure (CII) from
cyber-based and other threats. Some countries have developed national
cyber-security strategies and CII protection programmes. As a rule, such
strategies and programmes include requirements to reduce the vulnerability of
critical networks to cyber-attacks, respond effectively when such attacks
occur, and establish and maintain cooperative relationships with the national
and international partners needed to operate effectively in the cyber domain. These
are all areas of activity in which these teams play an important part. It is
essential therefore that the activities of national / governmental CERTs (and
those CERTs which by default have assumed a national / governmental role) are
consistent with the objectives of such national strategies and programmes and
complement the structures and other arrangements in order to deliver them. This
requirement has a number of implications for the mandates of CERTs. The service
portfolio of a national / governmental CERT will be determined by its mandate
and its place as part of or alongside other structures responsible for
delivering the national cyber-security strategy or CII protection programme.
Generally speaking, however, CERT services should reduce the vulnerability of
its constituency’s critical networks to cyber-attacks and support effective
responses to such attacks when they do occur. The role and
responsibility mandated for a national / governmental CERT and its service
portfolio create particular requirements for its effective operation. One
factor is that cyber-security incidents happen on a global scale, meaning that
the team must be able to respond to incidents developing across international
time zones. Another is that, both in dealing with its constituency and in its
relationships with other CERTs, the national / governmental CERT must enjoy a
reputation for contactability and competence in order to have the credibility
which underpins its operational effectiveness. Threats to
cyber-security and cyber-attacks on critical information infrastructures
respect no organisational and territorial boundaries. For that reason,
effective cooperation between CERTs at all levels is required to facilitate the
exchange of the information and knowledge needed to reduce vulnerability and
provide effective responses to cyber incidents. This includes CERTs within
particular business sectors which might be affected by large-scale incidents,
other CERTs within a country serving other communities, other national / governmental
CERTs and internationally recognised research and development organisations.
Because of the often sensitive nature of the information shared, effective
cooperation of this nature requires trust and mutual respect between the bodies
involved. It is thus inevitable that a national / governmental CERT must invest
time and resources in building relationships with other CERTs and equivalent
bodies on both a bilateral and multilateral basis. Because of the nature of
threats to cyber-security and cyber incidents, there might be a need for a
national / governmental CERT to develop particular relations with certain
communities. These include ISPs and telecom providers because of their role in
operating critical information networks, military and national security
agencies that might have access to relevant threat intelligence, and law
enforcement agencies where criminal activity needs to be countered. Special
arrangements might be needed to facilitate sensitive relationships, such as
detailed memoranda of understanding, the ability to handle classified
information or agreements on the initial response to reported incidents. EU
Member States may have to formulate policy on such matters where they affect
legal or regulatory matters or ensure that such issues are captured at a
strategic level. ENISA is
regularly updating its status reports on national / governmental CERTs and
identifies shortcomings that need to be addressed in order to meet the
recommendations on baseline capabilities[190].

Overview of EU level actors

Within the EU
institutions responsibilities on issues relevant to NIS are dealt with by
various institutions and departments, as is the case for MS. Within the
European Commission, the main Directorates General involved include:
· Directorate General for Communications Networks, Content and Technology (CONNECT), former Directorate General Information Society and Media (INFSO), in charge of policy activities on NIS and on Critical Information Infrastructure Protection (CIIP), the Electronic Signature Directive, eGovernment, the ICT trust and security thematic of the 7th Framework for Research and Technological Development (FP7) and the EU Regulatory Framework for Electronic Communications;
· Directorate General Home Affairs (HOME), leading policies on fighting cybercrime and on the European Programme for Critical Infrastructure Protection (EPCIP);
· Secretariat General (SG), leading activities on crisis management;
· Directorate General for Informatics (DIGIT), in charge of the IT Strategy of the European Commission and of promoting and facilitating the deployment of pan-European e-Government services for citizens and enterprises;
· Directorate General Human Resources and Security (HR), laying down the European Commission policy on security and hosting a Cyber Attack Response Team (CART);
· Directorate General Justice (JUST), in charge of the EU Personal Data Protection framework;
· Directorate General Enterprise and Industry (ENTR), in charge of EU industrial policy, satellite navigation, standardisation and the security thematic of FP7;
· Directorate General Internal Market (MARKT), responsible for the Electronic Commerce Directive and for European legal frameworks in the areas of regulated professions, services, company law and corporate governance, public procurement, intellectual and industrial property and financial services;
· Directorate General Mobility and Transport (MOVE);
· Directorate General Energy (ENER);
· The European Commission Joint Research Centre (JRC), which provides scientific and technical support to policy making in the area of cyber security and data protection.
The European
External Action Service (EEAS) is also actively involved in international
aspects related to cyber security and cybercrime. The
Inter-Service Group on cyber security/crime is coordinating and streamlining
the activities of the various Commission and EEAS services in this field. It is
a platform for a structured exchange on new developments with regard to
cybercrime and cyber security with the aim to improve consistency in the
overall EU institutional approach towards security in cyberspace. In the
Council, the various aspects of cyber-security are discussed in different
Council configurations, such as Council Working Party on Transatlantic
Relations (COTRA), Council Working Party on Civil
Protection (PROCIV), COTER[191], EU Military Committee
(EUMC), Council Working Party on Telecommunications and Information Society
(TTE) and the Political and Security Committee (PSC) /
Council standing committee on internal security (COSI),
Justice and Home Affairs External Working Group (JAIEX) etc. The Secretariat
General of the Council (SGC) of the EU is involved in coordinating EU policy on
civil protection. Its Directorate General Security, Safety and Communication
and Information Systems is in charge of the security of SGC communications and
information systems. In November 2012 a Friends of the Presidency Group (FoP)
on Cyber Issues was set up, first as a pilot for one year, to provide a comprehensive cross-cutting forum for coordination between
relevant Council configurations. In the
European Parliament, the situation is similar. Various committees (e.g. the
ones for Industry, Research and Energy (ITRE), Civil
Liberties, Justice and Home Affairs (LIBE), Internal Market and Consumer
Protection (IMCO), Foreign Affairs (AFET)/Security and Defence (SEDE), etc.)
have an interest in certain aspects of this topic. The fact that there is not a
single platform for discussion on these issues was recognised as a limitation
during a roundtable on Internet security which took place at the European
Parliament on 30 November 2011. It was suggested to explore the possibility of
setting up a (European Parliament) intergroup on cyber-issues to
institutionalise the issue. It was also suggested to establish at EU level the
equivalent of the US Cyber Tzar, even though it is unclear to which line of
responsibility this position would report. Further to
that a number of EU bodies also deal with these issues from different
perspectives: ENISA, EUROPOL, the (future) European Cybercrime Centre
(EC3), the European Defence Agency (EDA). At EU
inter-institutional level, the pre-configuration team of the Computer Emergency
Response Team for the EU Institutions and bodies, established in June 2011,
aims at supporting the European Institutions and bodies to protect themselves
against intentional and malicious attacks on their IT assets. Its scope of
activities covers Announcements, Alerts and Incident Response Coordination. CERT-EU was
established on a permanent basis in 2012. The major players
in the private sector are Internet Service Providers, Critical Infrastructure
operators, financial institutions, the ICT industry, security companies etc.

Cyber Incident Contingency Planning

Less than half
of the Member States have adopted national cyber incident contingency plans. In
a cyber-environment these have a key role in defining the interdependencies
between networks in the different sectors, connected through the Internet and
communications networks, and interdependencies between the different parts of
the Internet architecture itself. Devising contingency plans requires good
knowledge of network architectures and the contact points between sectorial
networks, to identify in advance the likely repercussions of a network
disruption. The role of
the contingency plan is to link together actors that need to act in a crisis
situation in order to minimise the repercussions of the incident or problem. It
should also outline the various possible back-up plans in case the spread of
the disruption cannot be prevented.

Good practices for national contingency plans

National
Contingency Plans (NCPs) are the interim structures and measures to respond and
recover CII services following an incident that leads to a crisis. CIIs are the
Information and Communication Technology systems, services, networks and other
infrastructures which form a vital part of European economy and society. Since
European society and economy are increasingly dependent on CIIs, making them
more resilient to cyber crises and strengthening their security is of the
utmost importance. The development of a NCP will help nations achieve these
goals. ENISA's Good
Practice Guide on National Contingency Plans[192]
aims to enable nations to develop, test, improve and maintain a good and well-functioning
NCP. The guide covers the elements of an NCP and its life cycle.

Elements of National Contingency Plans

A crucial part
of the NCP is the definition of the cyber crisis. Though it is highly dependent
on the policy of each nation it usually relates to the incident that actually
or potentially exposes the confidentiality, integrity, reliability or
availability of a CII with high impact. A NCP is the blueprint for responding
to such a crisis, that is the plan which describes the organized and
coordinated set of steps to be taken and the concrete roles and
responsibilities of the crisis responders involved. It is
important to note that the national contingency plan focuses on the national
coordination of crises. There are many incidents in CII that occur on a
daily basis and are mitigated promptly at an operational level, without
necessarily leading to a crisis situation. There are four
basic sections that should be included in every NCP: a) introduction, b) key
definitions and activation criteria, c) structures, roles and responsibilities,
and d) processes and actions.
· Introduction. This first section should include the purpose and aims of the NCP; the scope, which clearly defines the parameters for contingency; and the relation of the NCP to other already existing (contingency and response) plans and policies concerning national crisis management in other sectors (aviation, transport, physical disasters, etc.).
· Key definitions and Activation Criteria. This section lists and explains the criteria under which a situation arising after an incident is or is not considered a crisis, that is, when a particular situation requires the activation of this NCP in a nationally coordinated manner.
· Structure, Roles and Responsibilities. A crisis situation related to ICT infrastructures will almost certainly involve both private and public parties and might have an international component as well; a coordinated response can only take place if every stakeholder involved knows exactly which part to play. It is important to note that the roles and responsibilities in the case of an ICT-related crisis might differ from those in other situations or crises.
· Processes and Actions. This section in the NCP should explain clearly what needs to be done during a (cyber) crisis:
– coordination of the crisis response;
– information management;
– a defined set of actions related to public affairs;
– crisis mitigation and the separate steps of detecting, analysing, responding, resolving, and terminating the crisis.

The National Contingency Plan Life Cycle

For the
development and maintenance of a NCP a life cycle has to be defined. In essence
a life cycle is a quality assurance and management cycle for the plans. An
essential prerequisite to an effective NCP is the existence of a National
Cyber Security Strategy. By following the steps within the cycle, a nation
is guided through the process of development and continuous improvement of the
NCP. The steps below are guidelines for a NCP life cycle:
· understand the scenarios and threats to be prepared for;
· design the objectives, structure, roles and responsibilities of the response;
· deploy the NCP with planning, resources and processes;
· maintain processes and procedures;
· test the plan's underlying technology, tools and infrastructure;
· train the people involved;
· perform exercises;
· organise review and auditing;
· improve the plan through continuous improvement.
There is scope for better alignment of national strategies through an umbrella EU strategy outlining the main, minimum features for national strategies and their common objectives.

A European Cyber Incident Contingency Plan

The CIIP Action Plan invites Member States to develop national
contingency plans and organise regular exercises for large scale networks
security incident response and disaster recovery, as a step towards closer
pan-European coordination in response to cyber incidents. A European cyber
incident contingency plan building upon and interlinking with national
contingency plans is to be developed by Member States with the support of ENISA
by 2012. Such a plan should provide the baseline
mechanisms and procedures for communication between Member States in response to
cyber incidents, risks and threats.
· A small Working Group of
Member States (BE, DE, EE, ES, FR, HU, NL, PT, SE, UK) was established to develop the
framework to be applied to respond to cyber crisis
involving several European Member States. The group is supported by ENISA. A
first draft of the European Cyber Crisis Cooperation Framework was developed
and presented at the EFMS meeting of 07 March 2012. It was opened for comments
and a finalised version was presented at the EFMS meeting of 12 December 2012.

EU Emergency and Crisis Coordination arrangements

· Cross-sector Crisis Coordination arrangements (CCA) were approved in
2006 and are currently under review. The current and future CCA are
arrangements for political coordination at EU level supporting the Council
Decision making. They do not replace sectoral mechanisms. CCA concern major
emergencies or crises with a cross-sectoral nature.

RESPONSE

Member States having carried out or planned national Cyber Incident exercises

At national
level, 15 Member States organized their national exercises and 17 in total have
plans to conduct one in the future. Looking at the 12 MS that have not carried
out any exercise, 8 of them have plans to do so. The lack of
contingency plans has not prevented some MS from proceeding to cyber-incident
exercises, as in the case of Greece, Hungary, Latvia, Slovakia and Spain.

Pan-European Cyber Incident exercise

All EU Member States took part in the first-ever pan-European cyber exercise Cyber Europe 2010 and the second exercise Cyber Europe 2012. The lack of contingency plans and the low number of cyber incident exercises carried out to date is a factor for increased vulnerability of Internet infrastructure located in or operated from the EU, in particular because their cross-border elements are very weak.

Cooperation between National/Governmental CERTs

The 2009 CIIP
Action Plan stresses that a strong European early warning and incident response
capability has to rely on well-functioning National/Governmental Computer
Emergency Response Teams (CERTs). To that end, the 'preparedness and
prevention' pillar of the CIIP Action Plan invited Member States and concerned
stakeholders to: · Define, with the support of ENISA, a minimum level of capabilities
and services for National/Governmental CERTs and incident response operations
in support to pan-European cooperation. · Make sure National/Governmental CERTs act as the key component of
national capability for preparedness, information sharing, coordination and
response. The 'detection
and response' pillar of the CIIP Action Plan addresses the development and
deployment of a European Information Sharing and Alert System (EISAS), reaching
out to citizens and SMEs and being based on national and private sector
information and alert sharing systems. The emphasis on citizens and Small and
Medium Enterprises (SMEs) is because they constitute the largest group of
Internet users in the EU. IT systems owned and operated by these users are
popular victims of targeted attacks: their computers are generally less
protected and they often lack expertise on NIS. In that respect, the
development of well-functioning National/Governmental CERTs (Computer Emergency
Response Team) and a reinforced cooperation between them is also essential to
reach out to citizens and SMEs. The Commission
has financially supported two complementary projects: NEISAS (www.neisas.eu)
and FISHA (www.fisha-project.eu) that have developed prototype platforms for
the exchange of security related information. ENISA has produced a roadmap[193] for further development and
deployment of EISAS taking stock of the results of these projects and other
national initiatives. EISAS will both benefit and add value to the European
network of well-functioning National/Governmental CERTs. As of 1st January 2012, the
EU-funded project on Network for Information Sharing and Alerting (NISHA)[194] has started. NISHA is a follow up to the
EU-funded FISHA project. The objective of NISHA is to further develop the
existing prototype of the European Information Sharing and Alert System (EISAS)
achieved under FISHA into a pilot version of the system. The
transnational nature of the Internet, as well as the cross-border impact of
threats and disruptions, brings the need for National/governmental CERTs to
cooperate and build long-term relationships, based on trust, with other CERTs
and CERT communities. Some of the
most important CERT communities include: The
European Government CERTs (EGC) group The EGC group
forms an informal association of governmental CERTs in Europe. Its members
effectively co-operate on matters of incident response by building upon a
fundament of mutual trust and understanding due to similarities in
constituencies and problem sets. EGC is an
operational group with a technical focus. It does not determine policy, which
is the responsibility of other agencies within the members' national domain.
EGC members generally speak for themselves and on their own behalf. To date, 10 EU
Member States, as well as Norway and Switzerland participate in the EGC. 4
other Member States have applied for membership (Belgium, Ireland, Latvia and Luxembourg). TF-CSIRT TF-CSIRT is a
task force that promotes collaboration between CSIRTs (Computer Security
Incident Response Teams) at the European level, and liaises with similar groups
in other regions. TF-CSIRT
provides a forum where members of the CSIRT community can exchange experiences
and knowledge in a trusted environment. Participants in TF-CSIRT are actively
involved in establishing and operating CSIRT services in Europe and
neighbouring countries. The task force
promotes the use of common standards and procedures for responding to computer
security incidents. Common standards have great potential for reducing the time
needed to recognise and analyse incidents, and then taking appropriate
countermeasures. The task force
also assists with the establishment of new teams, and trains members of
existing teams in the newest incident handling tools and techniques. Secretarial
support for this task force is provided by TERENA with funding from the GN3
project. Whereas most
of the appointed national/government CERTs participate on a voluntary basis in
the informal CERT communities FIRST and TF-CSIRT some do not: Italy is
not participating, whereas Portugal that does not have formally appointed
national/government CERTs does participate. Cyprus participates as an observer
and Ireland has made an application to become a member. The weak and disparate participation in communities that could act in times of crises is a serious shortcoming for the preparedness against NIS attacks or technical failures with cross-border implications or requiring assistance from other MS. The voluntary nature of the communities weakens their role even further. In order to raise the level of preparedness of national/governmental CERTs a formal network, with clearly defined tasks and mandate, is being proposed as part of the legislative instrument. The level of confidentiality in data exchanges between national/government CERTs will have to be formally established as well. Secure communications STESTA[195]
constitutes the European Community's own private network, isolated from the Internet, and allows officials from different Ministries to communicate at a trans-European level (up to EU restricted) in a safe and prompt way.

EXCHANGE OF INFORMATION AND BEST PRACTICES

The European Strategy for Cyber Security intends to extend, through the legislative initiative which is part of it, to other sectors the obligations to ensure the appropriate management of information security risks and the notification of security breaches (extension of Articles 13a and 13b of the e-communications Framework Directive (FWD) 2002/21/EC, amended in 2009). The lessons learned from the process of implementing the security provisions under Art. 13a and 13b may feed into the discussion on the NIS legislative proposal. However, it must be noted that the implementation process of Art. 13a has not finished yet, and the full picture of the challenges related to the reporting obligation under Art. 13a will not be known before the results of the bottom-up approach involving the Member States and ENISA are translated into practice.

Implementation at national level of Article 13a and 13b on security and integrity of networks and services

The extent to which the actual implementation of Article 13a and 13b has been achieved varies a lot among Member States. Several countries are facing delays in the transposition of the Regulatory Package. A few Member States have the provisions on security breach notification already in force. Most Member States indicated that they would not be ready with secondary legislation giving clear instructions to their providers on Article 13a before the end of 2012 at best.

In terms of reporting network security breaches, competent NRAs have been invited to send the Commission and ENISA a summary report of the notifications received in 2011 not later than 30 April 2012 (Commission proposal made via internal COCOM working document referenced COCOM12-11[196]). The incoming reports have been summarised by ENISA in the first annual summary of incidents reported[197]. Starting from 2013, the annual summary report to the Commission and ENISA is to be submitted no later than the end of February of each calendar year, covering the notifications received in the previous calendar year (from 1st January to 31 December). Competent NRAs are encouraged to use the template of the report provided in the technical guideline on reporting incidents[198] published by ENISA.

Technical guidelines on minimum security measures and reporting

Technical guideline on minimum security measures

The guideline[199] on minimum security measures describes at a high level the minimum security measures that providers of electronic communications should take to be able to comply with Article 13a, and in particular to assess the security and integrity of public electronic communication networks. The security measures in this document are categorised in different domains: Governance and risk management, Human resources security, Security of systems and facilities, Operations management, Incident management, Business continuity management, Monitoring, auditing and testing. Each domain consists of 3-4 security measures, allowing regulators to use it as a checklist for assessing compliance. These security measures have been derived from a number of leading international standards that are commonly used to ensure security and integrity. The minimum security measures provide a framework for checking the telecom providers and a starting point for assessing the maturity of telecom providers in countering cyber security incidents. The guideline lists the minimum security measures NRAs should take into account when evaluating the compliance of public communications network providers with paragraphs 1 and 2 of Article 13a.

Good practices in the area of security breach notification (Technical Guidelines on Incident Reporting)

The technical guideline on incident reporting[200] defines how to notify other MS about cross-border incidents and how to provide ENISA and the Commission with annual summary reports about the notifications received and the relevant actions taken. Although this work does not (yet) directly address how to set up national incident reporting schemes, it does provide a baseline. The good practice guide on incident reporting[201] sets the reporting in a policy and incident life-cycle context.

In particular, the guideline makes a practical interpretation and suggests thresholds for reporting to ENISA and the Commission (when an incident is ‘significant’), and it provides a categorisation of root causes of incidents, which will allow ENISA and the Commission to assess the total impact, across the EU, of common threats like power cuts, natural disasters or cyber-attacks. For example, the guideline specifies that an incident is significant if more than 10% of citizens are affected for more than 8 hours. Based on four parameters, namely the number of users affected, duration of the incident, geographic spread and impact on emergency calls, and the thresholds set, the NRAs will report to ENISA and the EC a yearly summary of notifications received. A reporting template is also included in the guidelines to achieve harmonisation of the information gathered.

Good practices in the area of personal data breach notification

Following on from the previous paragraph, it should be noted that the two guidelines address only the incidents affecting security and continuity of electronic communication networks and services; personal data breach notifications are a different matter, and MS, ENISA and the Article 29 Working Party are working to implement the data protection provisions of the updated telecom regulatory framework (Article 4 of the ePrivacy Directive). Regarding data protection, ENISA published an extensive overview of the capabilities and activities of data protection authorities across the EU in 2010[202]. In 2010 only a few countries had implemented data breach notification legislation, but currently many countries are adopting data breach notification schemes, as it is part of the updated telecom regulatory package which had to be transposed by May 2011.

Extending the security breach notification to other sectors

There are [none or] very few binding national provisions for reporting security breaches in other sectors. Responsibility for resilience is quite often linked to critical infrastructure protection, or at least divided between national responsible bodies according to sector. The same phenomenon is visible within industry, where sector-specific approaches are emerging unless a strategic approach is taken to bring industries that rely on the same technologies (e.g. SCADA systems) under the same regulatory framework.

ENISA has issued recommendations to come to terms with these shortcomings, namely through a) preparedness measures in the area of risk and vulnerability analysis and b) procedures related to the reporting of security incidents, and also to come up with clear downstream responsibilities for the different organisational units of a competent entity, covering a wide-ranging set of tasks from preparation of regulation to enforcement, oversight and cooperation with the market stakeholders[203]. Member States would be free to appoint the existing competent authority under Art. 13 or another appropriate body as competent authority under the legislative instrument of the European Strategy for Cyber Security.

ANNEX 7: INTERNATIONAL ORGANISATIONS AND BODIES DEALING WITH
INTERNET/CYBERSECURITY

A number of international organisations and fora deal with the issues of Internet/cybersecurity and cybercrime.

The involvement of the G8 in the field of cybercrime dates back to the late nineties, when the G8 created a mechanism to expedite contacts between countries, the so-called "G8 24/7 network of contact points". In May 2003, the G8 adopted the G8 Principles for Protecting Critical Information Infrastructures on the fight against crimes and terrorist acts committed using or against network and information systems ("cyber-crime" and "cyber-terrorism"). The G8 Justice and Home Affairs Ministers adopted in May 2004 the Best Practices for Network Security, Incident Response and Reporting to Law Enforcement, and in May 2009 a significant part of the Final Declaration was devoted to cybercrime and cybersecurity, focusing on collaboration between service providers and law enforcement and on the strengthening of international cooperation.

The OECD Working Party on Information Security and Privacy (WPISP) is an intergovernmental forum that works under the direction of the OECD "Committee for Information, Computer and Communications Policy" (ICCP). It is supported by the OECD Secretariat within the Directorate for Science, Technology and Industry. The main goal of the OECD WPISP is to develop, by consensus, guidance and policy options to sustain trust in the Internet Economy and the global networked society, working in areas such as Critical Information Infrastructure (CII); Digital Identity Management (IDM); Cybersecurity Policies; Malware; Radio-Frequency Identification (RFID); sensor networks; privacy protection and protection of children online. OECD WPISP participants are delegates from OECD member countries. Business, civil society, other international organisations and non-members also sit at the table. The OECD Working Party on Information Security and Privacy develops policy options to sustain trust in the global networked society; addresses information security and privacy as complementary issues; maintains a network of experts from government, business and civil society; and serves as a platform to monitor trends, share and test experiences, analyse the impact of technology on information security and privacy and develop policy guidance.

The Organisation for Security and Cooperation in Europe (OSCE) addresses a wide range of security-related concerns, including arms control, confidence- and security-building measures, human rights, national minorities, democratisation, policing strategies, counter-terrorism and economic and environmental activities. Enhancing cyber security has become a cross-dimensional topic and endeavour in the OSCE.

Under the auspices of the Council of Europe, the Budapest Convention on Cybercrime was adopted on 8 November 2001 as the first international treaty addressing crimes committed using or against network and information systems (computers). It entered into force on 1 July 2004. As of April 2012, 32 countries had ratified or acceded to the Budapest Convention[204]. 9 EU Member States have still not ratified it. It is important to note that the Budapest Convention is open for ratification/accession by States which are not members of the Council of Europe.

The United Nations has been the host of a number of activities related to cyber-security and cyber-crime in the past few years[205]. In 2003, through resolution 58/32, the General Assembly requested the Secretary-General to consider threats to information security and possible cooperative measures. To this end a Group of Governmental Experts (GGE) was established in 2004, but consensus was not reached on a final report. The same theme was discussed by a "Group of Governmental Experts" appointed in 2009 in pursuance of UN General Assembly resolution 60/45 of 8 December 2005. The Group produced a report on 16 July 2010 which recommends, among other things, "further dialogue among States to discuss norms pertaining to State use of ICTs, to reduce collective risk and protect critical national and international infrastructures".

In preparation of the 12th United Nations Congress on Crime Prevention and Criminal Justice[206] (Salvador, Brazil, 12-19 April 2010), the Secretariat of the UN Office on Drugs and Crime (UNODC) prepared a working paper in which it recommended that "the development of a global convention against cybercrime should be given careful and favourable consideration". While some countries were supporting such a development, others strongly opposed it, highlighting the existence of the Budapest Convention and the need to focus on capacity-building rather than on law-making. Lastly, a proposal for a UN General Assembly resolution on an International code of conduct for information security[207] was put forward by China, the Russian Federation, Tajikistan and Uzbekistan in September 2011. "The text, similar to the one tabled in past years, called on Member States to promote further at multilateral levels the consideration of existing and potential threats in the field of information security, as well as possible strategies to address the threats emerging in this field, consistent with the need to preserve the free flow of information. New to the draft this year, […] was a provision seeking continuation of study by a group of governmental experts to be established in 2012 of existing and potential threats in the sphere of international security and possible cooperation measures to address them, including norms, rules or principles of responsible behaviour of States and confidence-building measures in information science."[208]

The Internet Governance Forum, which is a forum closely related to the United Nations, was created in 2005. It is convened under the auspices of the Secretary-General of the UN. It was established to (among other things):

· Discuss public policy issues related to key elements of Internet governance in order to foster the sustainability, robustness, security, stability and development of the Internet;

· Discuss […] issues relating to critical Internet resources;

· Help to find solutions to the issues arising from the use of the Internet, of particular concern to everyday users.

The Internet Corporation for Assigned Names and Numbers (ICANN) is a non-profit corporation headquartered in California, United States. It was created in September 1998. ICANN coordinates the Domain Name System (DNS), Internet Protocol (IP) address space allocation, protocol identifier assignment, generic (gTLD) and country code (ccTLD) Top-Level Domain name system management, and root server system management functions. Besides providing technical operations of DNS resources, ICANN also defines policies for how the "names and numbers" of the Internet should run. The Security and Stability Advisory Committee (SSAC) advises the ICANN community and Board on matters relating to the security and integrity of the Internet's naming and address allocation systems.

The International Telecommunication Union (ITU) is the specialised agency of the United Nations which is responsible for Information and Communication Technologies. Cybersecurity is considered in the "C5" World Summit on the Information Society (WSIS) Action Line of the Geneva Action Plan on building confidence and security in the use of ICT. ITU was proposed as moderator/facilitator in implementing concrete projects and initiatives along this action line. ITU also deals with adopting international standards to ensure seamless global communications and interoperability for next generation networks; building confidence and security in the use of ICTs; emergency communications to develop early warning systems and to provide access to communications during and after disasters, etc.

NATO has recently acknowledged the need to focus on cyber defence. In the 2010 Strategic Concept adopted in Lisbon, NATO Allies recognised the need for NATO to develop further the ability to prevent, detect, defend against and recover from cyber-attacks, including by using the NATO planning process to enhance and coordinate national cyber-defence capabilities, bringing all NATO bodies under centralised cyber protection, and better integrating NATO cyber awareness, warning and response with member nations.

The Cooperative Cyber Defence Centre of Excellence (CCD-COE) was created in 2006. Its mission is to enhance the capability, cooperation and information sharing among NATO, NATO nations and Partners in cyber defence by virtue of education, research and development, lessons learned and consultation. The CCD-COE is located in Tallinn, Estonia.

The London Conference on Cyberspace (1-2 November 2011) was meant to build on the debate on developing norms of behaviour in cyberspace, as a follow-up to the speech given by UK Foreign Minister Hague at the Munich Security Conference in February 2011, which set out a number of "principles" that should underpin acceptable behaviour in cyberspace. Follow-up Conferences are planned to be hosted by Hungary (2012) and South Korea (2013).

– Forum for Incident Response and Security Teams (FIRST)

FIRST is the premier organisation and recognised global leader in incident response. Membership in FIRST enables incident response teams to respond more effectively to security incidents, reactively as well as proactively. FIRST brings together a variety of computer security incident response teams from government, commercial, and educational organisations. FIRST aims to foster cooperation and coordination in incident prevention, to stimulate rapid reaction to incidents, and to promote information sharing among members and the community at large.

Currently FIRST has more than 200 members, spread over Africa, the Americas, Asia, Europe and Oceania. 16 EU Member States are represented, of which 11 participate with their national/governmental CERTs.

– The "Meridian Process"

The so-called "Meridian process"[209] includes annual Conferences and interim activities primarily dealing with matters related to Critical Information Infrastructure Protection (CIIP), in place since 2005. The goal of the "Meridian process" is to provide Governments worldwide with instruments for policy discussions on CIIP, also enabling them to explore possibilities of cooperation with the private sector in the area.

The Meridian process began to be formalised after the first Meridian Conference in 2005, launched by the UK's NISCC (now UK Centre for the Protection of Critical Infrastructure, CPNI), and was further strengthened after the annual Conferences that followed.

The Meridian annual Conference represents the main activity under the Meridian process; since its inception in London in 2005, the Meridian Conference has been an annual forum for policy-level discussion on CIIP open to all countries and mainly designed for governmental policy makers and international organisations. All Meridian activities represent an effort aimed at sharing experiences and best practices according to a Traffic Light Information Sharing Protocol.

Several Meridian Conferences[210] have been held in different corners of the world. The permanent Meridian website[211] was launched after the 2007 Stockholm Conference; it is hosted by Sweden.

At the 2006 Meridian Conference in Budapest it was decided[212] (with the approval of the Meridian PC and the G8 High Tech Crime Sub-Committee) to confer the Meridian branding on the International CIIP Directory. The Directory initiative was undertaken at the G8 "CIIP Expert Conference" held in Paris in March 2003, to build upon the High Tech Crime 24x7 contact list. The Directory is maintained by the UK's Centre for the Protection of National Infrastructure[213]. Not all EU Member States are referred to in the International CIIP Directory, nor are international organisations (such as the European Union or the United Nations).

– Standardisation organisations

Key international and regional ICT security standards development organisations are listed in part 1 of the joint ENISA, ITU and NISSG initiative on an ICT security standards roadmap[214].

ANNEX 8: OVERVIEW OF CURRENT REGULATORY INCENTIVES FOR NIS IN THE SECTORS CONSIDERED FOR THE EXTENSION OF ART 13 TELECOM FWD IN OPTION 4 –
REGULATORY APPROACH Introduction The policy
options assessed in the IA aim at creating a culture of risk assessment (risk
management and associated measures) in sectors for which NIS are an essential
input for providing their services and for the businesses with a significant
impact on EU economy and society. Currently, such incentives (including
enforceable notifications of breaches with a significant impact on the
operation of networks and services) for risk assessment only exist for the
telecom sector. The present
document aims at providing for the sectors targeted by the possible extension
of the current security breach notification Directive 2009/140/EC - art. 13a&b[215] and an overview of currently
existing security incentives when existing. These incentives can be either with
or without a NIS dimension. They can be structured in different groups: · Provisions regarding risk assessments and risk management · Obligations to report NIS incidents to the competent authorities · Sharing of information on NIS Next to the
different types of incentives, potential issues are highlighted on the
identification of individual actors which will fall under the extension of the
internet security breach notification. These elements will become relevant when
determining the criteria for selecting those businesses to which the extension
of Art. 13 would apply. Overview of the regulatory context
regarding NIS incentives of sectors included in the extension of Article 13. Sectors included in Extension of Article 13 (Option 3 – Regulatory option) || Current provisions regarding general risk assessment and risk management, including provisions on NIS risk assessment || Obligations to report NIS incidents || Sharing of information on NIS || Issues related to the identification of individual actors to which the incentives/obligations apply Information society services providers – as defined by Directives 98/34/EC and 98/48/EC[216] including web certification and cloud providers || Nothing at EU level || Not at EU level || No mandatory information sharing on NIS. Business as usual[217] implies that at least large providers with an important dependence on NIS will at least participate in voluntary, informal information sharing on NIS || Players providing key inputs to important economic and societal processes (among which there are many Information society services providers) should be considered for the introduction of NIS requirements Regulated markets whose function is underpinned by NIS[218]: Banking || European stress tests for systemic banks, being a risk assessment on financial stability. No direct link to NIS in these risk assessments. || Not at EU level || No mandatory information sharing on NIS. Business as usual[219] implies that banks will at least participate in voluntary, informal and specific information sharing on NIS since security breaches can lead to substantial financial losses for the bank and its customers[220]. || Finance sector – as defined by Directive 2011/89/EU[221] containing the banking sector, insurance sector and investment services sector || Nothing at EU level. Since these businesses strongly depend on NIS, business as usual[222] should imply that most operators take measures already for financial and commercial reasons. However, risks might be under evaluated leading to insufficient protective measures. 
|| Not at EU level || ||
Energy sector || Not at EU level. Indirectly at MS level for gas: if a NIS incident leads to a disruption of gas transport, the cause of the incident must be reported to the competent authority (Regulation EU/994/2010) || Thematic Network on Critical Energy Infrastructure Protection (TNCEIP) for private companies on a voluntary basis, which includes a workgroup on cybersecurity[223] || The regulation must avoid putting a disproportional burden on small actors since the energy sector also contains thousands of small enterprises (NACE code 40 – Energy contains 22.000 EU companies) which would be targeted by the extension of article 13a
Transport || Not at EU level || || The transport sector is a very large sector with road, air, maritime, railroad and waterways. These sectors contain a large number of small actors, therefore the regulation must avoid a disproportional burden with the extension of article 13a
Operators of national critical infrastructure. European critical infrastructure (Directive 2008/114/EC - EPCIP) is defined as critical infrastructure with cross-border relevance in the transport and energy sectors[224]. National critical infrastructure includes all critical infrastructure in the transport and energy sectors. National authorities can further extend the scope of critical infrastructure (e.g. Belgium: financial and ICT sector[225]; Netherlands: 15 sectors - food, health, financial, ICT, transport, energy, water, chemical/nuclear, law/justice …[226]) || For European critical infrastructure, risk assessments and mitigation plans are mandatory under Directive 2008/114/EC. Several MS have a similar obligation for national critical infrastructure. The risk assessment and risk management plans are generally all-hazard plans, therefore including NIS breaches. || Not at EU level. Indirectly at MS level: if a NIS incident leads to physical safety risks, thereby compromising the physical integrity of the critical infrastructure, the cause of the incident must be reported to the competent authority. NIS incidents that do not result in compromising the physical integrity will however not automatically lead to a notification. || || MS already know the individual actors providing European CI (EU CI) because the European critical infrastructure regulation obliged MS to identify these. There is no European regulation that obliges the MS to identify national critical infrastructure (NCI), which might lead to issues. It remains however very plausible that national authorities identify NCI based on existing national regulation. For both EU CI and NCI however, the competent authority is not necessarily the same as the competent NIS breach authority, therefore confidentiality issues might arise, prohibiting the easy identification of relevant actors by the notification authority
Conclusions regarding the NIS incentives in sectors included in the extension of Article 13a
The conclusions regarding the NIS incentives are summarized both per type of incentive and per category of sectors. In this way a clear understanding of the impact per type of incentive and of the implications of these incentives on the sectors is obtained. As a consequence, some conclusions might be partially restated in both paragraphs.
Conclusions per type of incentive
1. For a lot of sectors to which the extension would apply there are no sector-wide risk assessments at EU level. Some regulated sectors have specific, nationally regulated risk assessments which will not include an extensive assessment of NIS risks. For European critical infrastructure an extensive risk assessment is mandatory for all hazards, therefore including NIS risks. For national critical infrastructure, the involved sectors differ in each MS, but a similar extensive risk assessment can be expected, including NIS risks.
2. Currently, no obligations at EU level exist to notify NIS breaches in the sectors to which the extension would apply. In case of serious incidents compromising the physical integrity of critical infrastructure, the competent authorities will be informed. These incidents are however reported in detail only to the competent national authorities, not to a NIS authority, and are only summarised to EU authorities in the case of European critical infrastructure.
3. Sharing of information on NIS can be assumed to happen for large companies and for sectors with a high (financial) dependence on NIS. Business as usual would imply that certain minimal security standards and in-sector cooperation are assumed to be widespread, since non-compliance with these common good practices results in reputational, commercial and financial losses. Common business sense is therefore to adopt these minimal NIS standards and participate in voluntary sector-based risk coordination and communication.
4. The information society services sector and the regulated markets (banking, finance, energy and transport) all contain a large number of operators. The regulation must therefore avoid a disproportional burden on small actors in these sectors, in light of the proportionality principle. Critical infrastructures are expected to be operated by a more limited number of operators with a high risk profile, thereby reducing the risk of a disproportional burden. Issues may however arise on the confidentiality, even within MS, of the communication on NIS breaches, e.g. between different regulators or authorities.
Conclusions
per category of sectors
1. Information society services providers have very limited incentives (other than reputational, commercial and financial losses in case of serious security breaches) under current legislation to perform risk assessment and to invest sufficiently in NIS measures. When imposing a new regulation on the information society services providers, attention must be paid to avoiding a disproportionate burden on the thousands of small eCommerce enterprises in the sector.
2. For some of the sectors within ‘the regulated markets’ (banking, finance, energy and transport) and in some MS the obligation to perform risk assessments and risk management already exists. This does however not, or only to a very limited extent, entail an intensive assessment of NIS risks. There are also no mandatory EU NIS breach notifications. The only actual incentive is the business need to perform according to business standards, business as usual. Business as usual would imply that certain minimal security standards and in-sector cooperation are assumed to be widespread, since non-compliance with these common good practices results in reputational, commercial and financial losses. Common business sense is therefore to adopt these minimal NIS standards and participate in voluntary sector-based risk coordination and communication. When imposing a new regulation on the regulated markets, attention must be paid to avoiding a disproportionate burden on the thousands of small enterprises in these regulated markets.
3. The critical infrastructure sector already has very high incentives to perform intensive risk assessments and risk management. EU legislation and presumably also the national legislation oblige the operators of (European or national) critical infrastructure to set up adequate safety measures, including reporting of NIS breaches. Notifications and information sharing could be a politically sensitive issue with regard to the national interests on security and confidentiality of their national critical infrastructures. Even within the MS, information sharing between different national authorities might prove difficult.
ANNEX 9: EU EARLY WARNING AND INCIDENT HANDLING NETWORKS IN OTHER DOMAINS THAN NIS
Scope of the benchmarking information collected
The problem
statement in chapter 4 of the present report underlines the lack of mechanisms for effective cooperation and collaboration at EU level in the area of NIS. The transnational nature of the Internet, as well as the cross-border impact of threats and disruptions, brings the need for national/governmental CERTs/competent authorities to cooperate and build long-term relationships, based on trust, with other CERTs/competent authorities and CERT communities. Currently, such cooperation is limited to a number of Member States which are well advanced in the area of NIS and which have developed the necessary mutual trust.
One of the measures to improve effective cooperation and collaboration at EU level taken in other sectors is the implementation of EU early warning and incident handling systems. The current NIS national early warning and incident handling systems differ significantly across Member States, while no EU system exists. There is a need for EU policy instruments identifying network and information security risks and vulnerabilities, setting out appropriate response mechanisms, and ensuring that these response mechanisms are known and applied by the stakeholders. The EU NIS early warning and incident handling system should support coordination among the competent authorities on cross-border network and information security risks, incidents and problems. In addition, relevant information needs to be exchanged via a physical network infrastructure according to appropriate confidentiality standards.
In order to support the development of policy instruments on an EU early warning and incident handling system, a benchmark on EU early warning and incident handling systems across sectors could provide valuable information. The benchmark presented below aims at answering the following questions, which are likely to be critical issues in an EU NIS early warning and response system (EU EWRS):
1. In what regulated sectors, impacted by a possible extension of the security breach notification, is there already an EU EWRS, and on what legal basis?
2. What kind of information is shared on the EU EWRS? Does this information contain confidential information? If yes, how does the system handle this confidential information?
3. Who manages the system, who contributes to information provision and who can access the information?
4. Does membership of the system imply a mandatory or a voluntary sharing of information? What are the criteria based on which the information is found mandatory to share?
To provide the necessary feedback on the goals of this benchmark a selection of sectors has been made:
· The sectors possibly impacted by the extension of the security breach notification:
– Energy sector (gas, nuclear);
– Financial sector (banking);
– Transport sector (maritime sector);
· Sectors where an EWRS has been operational for several years already and that are linked to public safety:
– Public health sector (communicable diseases, food and feed);
– Civil protection sector;
· The sectors that are already impacted by the security breach notification:
– E-communications sector.
So far the information to answer the questions was found solely through desk research. Currently interviews are scheduled with the early warning network owners to complete the benchmarking analysis. The information sources are mentioned sector by sector at the end of the benchmark table in paragraph 2.
Overview of EU EWRS benchmarking info per sector
An overview of the information gathered is presented in the following table, which summarises the results on the 4 main questions. From this table conclusions are drawn to support the outline of some aspects of the NIS early warning and response system.
In the gas supply sector, the banking sector and the e-communications sector, no EU early warning systems are operational at this moment. There are cooperation and coordination mechanisms at EU level with regard to incident handling and policy alignment, but these mechanisms do not include a continuous information sharing network[227].
Sector || Nuclear security || Public health threats and communicable diseases || Food and feed sector || Maritime sector || Civil protection sector
Continuous EU information sharing system || Yes – European Radiological Data Exchange Platform (EURDEP) || Yes – Early Warning and Response System (EWRS) for prevention and control of diseases || Yes – Rapid Alert System for Food and Feed (RASFF) || Yes – SafeSeaNet, Community vessel traffic monitoring and information system to enhance maritime traffic safety and improve the response of authorities to incidents || Yes – Common Emergency Communication and Information System (CECIS)
Legal instrument || Council Decision 87/600/Euratom and the Recommendation 2000/473/Euratom || Commission Decision 96/2000/EC || Regulation 2002/178/EC || Directive 2002/59/EC || Council Decision 2001/792/EC, Euratom
Which information is shared || Real-time environmental monitoring of radioactivity in the air, water and soil || Events of communicable diseases with (potential) relevance to more than one MS || MS notify the Commission if the MS withdraws or recalls food or feed products from the market. COM analyses the information (legality, completeness, classification, translation) and then forwards the incident to all the MS and to relevant third countries || - Continuous monitoring of all vessels through ship notifications: ships continuously send automatic messages on identification, course, speed, and cargo which are captured by authorities and injected in the SafeSeaNet - Port notification on arrival of ships in ports - Hazmat notification on dangerous loads - Incident reports || In the event of a major emergency within the Community, or imminent threat thereof, which causes or is capable of causing transboundary effects or which may result in a call for assistance from one or several Member States, the Member State in which the emergency has occurred shall, without delay, notify the Commission and relevant Member States
Who is involved || The Institute for Transuranium Elements (ITE) of the Joint Research Centre (JRC) manages the EURDEP system. National authorities transmit information and can access all information || European Centre for Disease Prevention and Control (ECDC) manages the EWRS system. MS public health authorities consult the network and disseminate information || European Food Safety Authority receives the alert from the RASFF system. National competent authorities transmit information to RASFF. National competent authorities receive information from border control, market control, media and business/consumers || The European Maritime Safety Agency (EMSA) manages the SafeSeaNet system. National Competent Authorities (SPOC for COM) transmit information and can access the information. Local Competent Authorities which are authorized by a national authority to access the system (e.g. port authority). Other EU bodies and Member State institutional users can apply for membership of the network and access to the information || The European Humanitarian Aid & Civil Protection agency MIC (Monitoring and Information Centre) manages the CECIS system. The MS National Contact Points use the network and disseminate information
Legal obligation to share information || Mandatory || Mandatory on potential cross-border threats || Mandatory || Mandatory || Mandatory on potential cross-border threats
How is confidential information handled || - Access to real-time data on EURDEP is restricted only to JRC and MS competent authorities. - Public receives similar information with a delay of 0 to 999 hours, decided per country by national authorities || - Access to EWRS is restricted only to COM and MS competent authorities || - Regulation EC/178/2002 art. 52. All information in the network is publicly available. To handle confidentiality, members are not allowed to disclose information to the network which is covered by professional secrecy || - Access to SafeSeaNet is restricted only to the EMSA, the national authorities, the local authorities and the approved users - Regulation EC/17/2009 Article 24 on Confidentiality of information: “Member States shall, in accordance with Community or national legislation, take the necessary measures to ensure the confidentiality of information sent to them pursuant to this Directive, and shall only use such information in compliance with this Directive.” || - Access to CECIS is restricted only to the MIC and the National Contact Points
Information sources || http://eurdep.jrc.ec.europa.eu/Basic/Pages/Public/Home/Default.aspx http://ec.europa.eu/energy/nuclear/safety/safety_en.htm Council Decision 87/600 Recommendation 2000/473/Euratom || https://ewrs.ecdc.europa.eu/ http://ec.europa.eu/health/index_en.htm Commission decision EC/96/2000 || http://ec.europa.eu/food/food/rapidalert/index_en.htm http://ec.europa.eu/health/index_en.htm Regulation EC/178/2002 || http://www.emsa.europa.eu/ http://www.emsa.europa.eu/operations/maritime-surveillance/safeseanet.html Directive 2002/59/EC amended by Directive 2009/17/EC Regulation 1406/2002/EC || http://ec.europa.eu/echo/policies/disaster_response/cecis_en.htm Council Decision 2001/792/EC, Euratom
Conclusions
based on the benchmarking analysis
(1) In what regulated sectors, impacted by a possible extension of the security breach notification, is there already an EU EWRS, and on what legal basis?
There are already existing EU EWRS in several sectors impacted by a possible extension of the security breach notification. The maritime transport sector has an information exchange system on vessel locations and incidents. The nuclear sector, which is linked to the energy sector and to the critical infrastructure sector, has a real-time monitoring system on the dispersion of radioactivity. The banking and gas sectors have no continuous, real-time early warning system. Cooperation in these sectors is only done on a case-by-case basis when incidents occur.
(2) What kind of information is shared on the EU EWRS? Does this information contain confidential information? If yes, how does the system handle this confidential information?
In general, two types of information are shared on the examined EU early warning systems:
· Real-time monitoring data (environmental measures in EURDEP, vessel location in SafeSeaNet)
· Incident reports (events of communicable diseases, events of product recalls, vessel incidents, public security incidents) which might have cross-border implications
The shared information can and does contain some degree of confidentiality in most cases. All information sharing networks take preventive measures to handle this issue. In general four types of measures are taken:
· Restriction of access to the information to the competent authorities, the Commission and the operating EU Agency. This can be extended to authorised local authorities and private members;
· Restriction on the input of information into the network, by only emitting information which is not considered confidential;
· Information sharing with the public can be an important aspect of the EWRS. To respect confidentiality, information made public contains no confidential information, or the information is shared with a delay to reduce impact;
· EU legislation establishing the EWRS contains an article on the obligation to respect national and EU laws on confidentiality.
(3) Who manages the system, who contributes information and who can access the information?
The system is always managed by a European agency or European authority. Within the governing board of the network, the competent national authorities are represented. This ensures a direct link to the national and European authorities and allows better cooperation and coordination. In general, the information in the system is contributed through the competent national authority, which acts as the single point of contact for the European network. The national authority receives the information from the national information sharing network. A prerequisite for a well-functioning European network is therefore to have well-functioning national networks and a single point of contact within each Member State.
(4) Does membership of the system imply a mandatory or a voluntary sharing of information? What are the criteria based on which the information is found mandatory to share?
Membership of the system implies a mandatory sharing of information which might imply cross-border threats. All systems are based on the fact that the threats are by nature potentially cross-border, and therefore require a European approach. The sectors which have an EU EWRS are all sectors where threats (communicable diseases, food incidents, nuclear safety, and civil protection incidents) have an important cross-border dimension and which imply public health safety.
ANNEX 10: COOPERATION FRAMEWORKS ESTABLISHED AT EU LEVEL FOR PREPAREDNESS AND RESPONSE TO
CROSS-BORDER THREATS IN SPECIFIC AREAS
Security of gas supply
Legal basis and pre-existing legal framework and mechanisms || Governance structure || Main obligations / Cooperation mechanisms
Security of gas supply is a key aspect of the internal market in natural gas, implemented since Directive 98/30/EC, which already specified that security of gas supply is a "public service obligation".
Legal basis:
Art 194(2) TFEU (internal market for energy) for Regulation 994/2010 concerning measures to safeguard security of gas supply
Ex Art. 47(2), 55 and 95 TEC for Directive 2009/73/EC concerning common rules for the internal market in natural gas
||
a) Competent authorities (each MS to designate one and notify it to COM)
b) COM: where appropriate, coordinates Competent authorities inter alia via the Gas Coordination Group or a crisis management group, particularly in case of a Union emergency
c) Gas Coordination Group (composed of Competent authorities' representatives, the Agency for the Cooperation of Energy Regulators and industry representative bodies). Role: facilitate coordination of measures. COM chairs and decides on the composition of the Group, which shall be consulted on:
– Security and emergencies
– Best practices and guidelines
– Level of security, benchmark and assessment methodologies
– Testing level of preparedness
– Assessment of Action plans
– Coordination of measures to deal with emergencies
– Assistance needed by the most affected countries
d) Crisis management Group: COM can convene it in case of a Union or regional emergency; relevant MS participate.
e) Agency for the Cooperation of Energy Regulators, Regulation 713/2009 (legal basis: former Art. 95 TEC). In specific cases, the Agency may decide upon regulatory issues of competence of Competent authorities, which may include the terms and conditions for access and operational security.
f) Monitoring task force: COM, after consultation with the Gas Coordination Group, shall establish a permanent reserve list for this task force of industry experts and COM representatives. The Task force shall monitor and report on gas flows into the Union, in cooperation with relevant third countries.
g) COM Civil Protection Monitoring and Information Centre (Council Decision 2007/779/EC – legal basis Article 308 TEC): Competent authorities to give information or ask for assistance.
||
a) Risk assessment: by the given deadline, Competent authorities (after consulting private sector stakeholders) to make a full assessment of the risks affecting the security of gas supply in the MS
b) Preventive Action plans and Emergency plans:
· Preventive Action plan and Emergency plan (compulsory): to be adopted at national level by Competent authorities after consulting private sector stakeholders, NRAs (where appropriate), other MS and COM. To be adopted by the deadline, made public and notified to COM. COM, after consulting the Gas Coordination Group, may recommend amendments (detailed procedure). To be updated every two years or less.
· Joint Preventive Action plan and joint Emergency plan at regional level (voluntary): to be adopted by Competent authorities. To be made public and notified to COM. To be updated every two years or less.
Content of plans:
– Roles and responsibilities of undertakings and interaction with Competent authorities
– Roles and responsibilities of Competent authorities
– Measures and actions to mitigate the potential impact of disruptions
– Designate a crisis manager or team and define its role
– Identify the contribution of market-based and non-market-based measures
– Mechanisms to cooperate with other Member States
– List of predefined actions to make gas available in case of emergency
Annex II and III of the Regulation provide an indicative and non-exhaustive list of market-based and non-market-based measures that could be included in the Preventive and Emergency action plans.
c) Union and regional emergency responses:
– Relevance at national level: Competent authorities to inform the Commission
– Call for assistance: Competent authority to notify the COM Civil Protection Monitoring and Information Centre
– Follow the plan(s) except in specific cases
– COM may declare a Union or regional emergency: COM to convene the Gas Coordination Group, which will be consulted, and COM to coordinate actions of Competent authorities
d) Infrastructure standard: each MS to ensure by the given deadline that the remaining infrastructure has the capacity to satisfy total gas demand
e) Information exchange:
· Undertakings concerned to make available during emergencies to Competent authorities, on a daily basis, information on demand/supply and gas flows.
· Union or regional emergency: COM may require Competent authorities to provide information on mitigation measures undertaken or planned
· Follow-up of emergency: Competent authority to provide a detailed assessment to COM
f) Monitoring by the Commission: COM to carry out continuous monitoring and reporting on security of gas supply measures through an annual assessment of inter alia the annual reports from MS monitoring activities (Directive 2009/73/EC).
g) Regional solidarity (Directive 2009/73/EC): COM and other MS to be kept informed of cooperation between MS on a regional or bilateral basis. The Commission may adopt Guidelines (implementing measures) for regional cooperation in a spirit of solidarity.
h) Safeguard measures (Directive 2009/73/EC): in the event of a sudden crisis in the energy market or where the physical safety or security of persons, apparatus or installations or system integrity is threatened, a Member State may temporarily take the necessary safeguard measures. MS to notify other MS and COM.
Public Health Threats
Legal basis and pre-existing legal framework and mechanisms || Governance || Main obligations / cooperation mechanisms
An EU legal framework to address communicable diseases has been in place since 1998.
Legal basis:
Ex Article 129 TEC (Public health) for Decision 2119/98/EC setting up a network for the epidemiological surveillance and control of communicable diseases in the Community
Commission Decision 2000/57/EC on the EWRS
Commission Decision 2000/96/EC on communicable diseases to be progressively covered (amended by further Commission Decisions)
Ex Art. 152(4) TEC (public health) for Regulation 851/2004 establishing a European Centre for disease prevention and control
2005: International Health Regulations (IHR): MS must notify the WHO of public health emergencies of international concern.
Art. 168(4)(c) and (5) for Proposal for a Decision on serious cross-border threats to health (COM(2011) 866)
||
a) Community network for communicable diseases:
– Network for epidemiological surveillance: brings into permanent communication, by technical means, COM and the MS authorities charged with collecting information. Procedures for dissemination of data at Community level are established.
– Early Warning and Response System (EWRS) for prevention and control of diseases: brings into permanent communication, by appropriate means, COM and the public health authorities in MS responsible for determining measures which may be required to protect public health.
b) COM to provide coordination of the network in collaboration with MS.
c) Network Committee: COM to be assisted by a Committee of MS representatives, chaired by COM, to define the scope of activity, the nature of the data and information to be collected and transmitted, guidelines on protective measures to be taken, and the technical means and procedures by which data are disseminated and analysed at Community level. (Commission Decision 2000/96/EC and further Decisions have been adopted following the opinion of this Committee.)
d) European Centre for Disease Prevention and Control (ECDC): Mission: identify, assess and communicate current and emerging threats to human health from communicable diseases. The ECDC has taken over the epidemiological surveillance of communicable diseases and the operation of the EWRS from the Community network.
e) Health Security Committee: informal group of high-level representatives from MS established on the basis of the Presidency Conclusions of 15 November 2001 on bioterrorism. The 2011 proposal for a Decision on serious cross-border threats to health aims at formalising the Committee, as current MS involvement is voluntary and responses are not sufficiently coordinated.
||
a) Commission Decision No 2119/98/EC:
– Defines prevention and control of communicable diseases as a range of measures, including epidemiological investigation, taken by competent public health authorities in MS to prevent and stop the spread of communicable diseases. These measures and relevant information to be forwarded by MS competent public health authorities to all other MS and COM.
– MS intending to undertake measures in principle inform the Community network in advance on nature and scope, and consult and coordinate actions with other MS in liaison with COM.
– Annex: categories of communicable diseases covered by the network (amended via Commission decision adopted following the opinion of the Network Committee)
b) Commission Decision 2000/57/EC:
– Defines events to be communicated by MS competent public health authorities to the EWRS; the events listed have (also potentially) relevance to more than one MS or the whole Community.
– General procedures for information exchange on those events
– MS competent public health authorities to collect and exchange all necessary information on events
c) Commission Decision No 2000/96/EC:
– Lists in Annex diseases and health issues to be covered by epidemiological surveillance and the criteria for selecting them.
– Community network to be put in place by modifying and integrating as appropriate existing Community-supported surveillance networks and building up new networks for diseases not yet covered by surveillance networks.
d) Commission Decision 2003/542/EC amending Decision 2000/96/EC as regards the operation of dedicated surveillance networks:
– MS, through their designated structures and/or authorities, to specify a contact point for each dedicated surveillance network, delegated to be their national representative to provide data and information
– Each dedicated surveillance network to collect relevant surveillance data and information, ensure coordination within its structure and without delay communicate them to the Community network.
– Dedicated surveillance network to provide the Community network with its operating procedures, addressing at least the topics listed in Annex III
– Replaces Annexes addressing communicable diseases and special health issues and adds an Annex on "topics to be addressed by operating procedures of dedicated surveillance networks to be submitted to the Community network"
e) Proposal for a Decision on serious cross-border threats to health (COM(2011) 866):
– Preparedness planning: coordination of MS efforts in terms of improved preparedness and capacity building. COM to ensure coordination between national planning and between key sectors such as transport, energy and civil protection, and to support MS in setting up a joint procurement mechanism for medical countermeasures.
– Information and data for risk assessment and monitoring of emerging threats: ad hoc network to be set up in situations where an MS has raised an alert on a serious threat other than a communicable disease. Communicable diseases will continue to be monitored as previously.
– Expansion of use of the existing EWRS: to cover all serious threats to health, and not only communicable diseases.
– Coordinated development of national or European public health risk assessments: for threats of biological, chemical, environmental or unknown origin in a crisis situation.
– Coherent framework for the EU response to a public health crisis: formalisation of the Health Security Committee to allow the EU to better coordinate national crisis responses in a public health emergency.
– Common temporary public health measures: if coordination of responses is insufficient, COM may complement the action of MS through adoption (via delegated act) of common temporary health measures to be implemented by MS.
– Recognition of emergency situations: COM in exceptional circumstances may formally recognise the emergency by means of implementing acts that will trigger applicability of Article 2(2) of Regulation No 507/2006.
– International agreements: the Union may conclude agreements on cooperation on cross-border threats to health covering aspects such as information sharing and collaboration on response coordination.
Financial services
Legal basis and pre-existing legal framework and mechanisms || Governance structure || Main obligations / Cooperation mechanisms
Single market for financial services under development since 1976. Following the financial crisis in 2007 and 2008: De Larosiere Report; COM(2009) 114 "Driving European recovery"; COM(2009) 252 "European financial supervision"
Legal basis:
Articles 50, 53(1), 62 (Freedom of establishment) and 114 TFEU for Directive 2010/78/EU "Omnibus directive"
Article 114 TFEU for Regulations (EU) No 1095/2010 and No 1093/2010 establishing the ESAs
Article 114 TFEU for Regulation (EU) No 1092/2010 establishing a European Systemic Risk Board
||
a) European System of Financial Supervisors (ESFS), consisting of three European Supervisory Authorities – a European Banking Authority, a European Securities and Markets Authority, and a European Insurance and Occupational Pensions Authority – Union bodies with legal personality. The ESAs' role is to help restore confidence; contribute to the development of a single rulebook; solve problems with cross-border firms; and prevent the build-up of risks that threaten the stability of the overall financial system. ESAs were established on the basis of ECJ reasoning as in Case C-217/04 (on ENISA).
b) European Systemic Risk Board (ESRB), established as of 1 January 2011 as an independent body with no legal personality, to monitor and assess potential threats to financial stability that arise from macro-economic developments and from developments within the financial system as a whole ("macro-prudential supervision"). The ESRB's role is to analyse information and identify risks, provide an early warning of system-wide risks and, where necessary, issue recommendations for remedial action. The ESRB has been established on the basis of ECJ reasoning as in Case C-217/04 (on ENISA).
c) Joint Committees: among others, the European Banking Authority (EBA), the new European Insurance and Occupational Pensions Authority (EIOPA) and the European Securities and Markets Authority (ESMA) are required to form a Joint Committee to oversee cooperation and coordination between national supervisors in the case of financial conglomerates.
||
a) Supervision via network: the three European Supervisory Authorities (ESAs) to work in a network and in tandem with the existing national supervisory authorities to safeguard financial soundness at the level of individual financial firms and protect consumers of financial services ("micro-prudential supervision"). The European network combines nationally based supervision of firms with strong coordination at European level so as to foster harmonised rules as well as coherent supervisory practice and enforcement. ESAs have the power to:
– draw up specific rules for national authorities and financial institutions;
– develop technical standards, guidelines and recommendations;
– monitor how rules are being enforced by national supervisory authorities;
– take action in emergencies, including the banning of certain products;
– mediate and settle disputes between national supervisors;
– ensure the consistent application of EU law;
– where necessary, settle disagreements between national authorities, in particular in areas that require cooperation, coordination or joint decision-making by supervisory authorities from more than one MS.
ESAs are able to address decisions directly to national authorities in three areas: (i) cases where they are arbitrating between national authorities both involved in the supervision of a cross-border group and where they need to agree or coordinate their position; (ii) cases where a national authority is incorrectly applying EU Regulations; (iii) emergency situations declared by the Council. ESAs are able to take decisions directly applicable to financial institutions as a last resort in these three cases when the ESA has addressed a decision to the national supervisor and the national supervisor has not complied with it.
b) Joint Committees: to ensure agreement and coordination between national supervisors of the same cross-border institution or in colleges of supervisors.
c) Direct supervision: the European Securities and Markets Authority (ESMA) is entrusted with direct supervisory powers over credit rating agencies registered in the EU and has the power to request information, to launch investigations, and to perform on-site inspections.
d) Enhancing supervision: further prerogatives may be transferred to the ESAs, in particular in the area of financial infrastructures, with MS and EP agreement.
e) Single European rulebook: ESAs should contribute to a common legal basis for supervisory action in the EU by developing technical standards, which could for instance determine the formats in which financial institutions have to report information to the supervisors. Differences in the national transposition of EU law stemming from exceptions, derogations, additions or ambiguities in current directives must be identified and removed, so that this core set of key standards can be defined and applied in a harmonised manner throughout the EU by all supervisors.
f) Capital requirements (Directive 2006/48/EC): obligation of both individual credit institutions and the competent authorities supervising them to ensure that "Minimum own funds requirements for operational risk" are met. ‘Operational risk’ means the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events, and includes legal risk. This could be interpreted as also including a disruption in the ICT systems.
E-communications
Legal basis and pre-existing legal framework and mechanisms || Governance structure || Main obligations / Cooperation mechanisms
Regulated since 2002; security provisions in force since 2009.
Former Art. 95 TEC and Art. 114 TFEU for Framework Directive 2002/21/EC as amended by Directive 2009/140/EC
||
a) Member States - National Regulatory Authorities (competent bodies designated at national level): responsibility to ensure the security and integrity of public communications networks or publicly available electronic communications services
b) Undertakings providing public communications networks or publicly available electronic communications services: responsibility to carry out
c) COM: to supervise, and possibility to adopt measures for implementation
d) European Network and Information Security Agency (ENISA): to provide advice and expertise
e) No specific role for the Body of European Regulators for Electronic Communications (BEREC), which has no security prerogatives, while its mandate is to ensure consistent application of the regulatory framework.
|| – "National regulatory authorities" to ensure that security and integrity of networks are maintained, by being empowered to issue binding instructions and require undertakings to assess security, provide results of security audits, investigate cases of non-compliance. – Relevant private sector undertakings: to carry out risk assessment, adopt preventive measures, notify to competent national regulatory authorities any breaches of security or losses of integrity with a significant impact. – COM: to obtain annual summary report on notifications and actions; may adopt technical implementing measures (via regulatory procedure with scrutiny) based much as possible on European and international standards and do not prevent MS from adopting additional requirements. – (ENISA): to provide advice and expertise and promote exchange of best practises. In particular, ENISA is to obtain the annual summary report and where appropriate to obtain ad hoc notification from MS its opinion is to be taken into the utmost account by the Commission when adopting technical implementing measures. – Public/individuals: where national regulatory authorities determine that the breach is in the public interest, it may disclose it to the public. ANNEX 11:
LEGAL AND REGULATORY ASPECTS OF INFORMATION SHARING AND
CROSS-BORDER COLLABORATION OF NATIONAL/GOVERNMENTAL CERTS IN EUROPE Extract (Study commissioned by ENISA – prepared by RAND Europe and time.lex[228]) Legal and regulatory factors for
information sharing A number of
substantive legal frameworks and common horizontal issues have been identified that may positively or negatively affect the extent of cross-border information sharing. It is important to note that these factors may be seen in a positive or negative light: for example, CERTs may be more inclined to share information knowing that the peer operates under a legal framework affording the same protections to personal data. A number of legal initiatives have been taken specifically to facilitate and encourage information sharing, such as the provisions on mutual assistance requests and international cooperation in the Council of Europe's Convention on Cybercrime, or the rules with respect to cross-border exchanges of information in the Council Framework Decision on attacks against information systems. While these rules do not apply uniformly to all CERTs, they are indicative of an increased recognition at the policy level of the importance of cross-border information exchanges for information security incidents. Nonetheless, these legal and regulatory factors can complicate the delicate balancing act that CERTs have to perform between investigating, managing and mitigating incidents and contributing to a better understanding of the relative state of cyber security, and protecting those rights and obligations provided for by certain legal and regulatory frameworks.

Clearly, the exchange of information (including in cross-border scenarios) should not be examined as a risk to certain fundamental rights (for example, privacy) without also acknowledging that these exchanges are a precondition for responding effectively to ICT incidents. Poor cyber security could undermine the exercise of other rights enshrined in the Charter of Fundamental Rights of the European Union[229], such as the protection of integrity of the person, personal life, data protection, freedom of expression and information, the freedom to conduct a business and the right to property.

Legal factors we identified as being primarily of relevance include:

· Definitions and criminal sanctions concerning different types of computer and network misuse;
· The European legal framework governing data protection and privacy;
· Freedom of Information (FoI) and Public Sector Reuse of Information (PSI) legislation;
· Criminal procedure;
· Intellectual Property Rights;
· Confidentiality obligations;
· Determining applicable law;
· Mandate and competences of the CERT.

In addition, other legal frameworks noted include rules governing working with law enforcement, national security laws and competition law. A number of harmonizing initiatives have aimed at reducing differences between the Member States for most of these topics, including with respect to data protection and retention, defining crimes against information systems, re-use of public sector information, and determining applicable laws. Nonetheless, as the sections below indicate, these initiatives leave a significant margin of national policy in the Member States, meaning that CERTs are still confronted with ambiguities and differences in national laws and policies. This creates uncertainty when determining if data sharing is permissible and lawful.

A commonly recurring element in this uncertainty is the variety of mandates for CERTs. Not all CERTs will have comparable mandates to intervene in any type of computer emergency. Their competences can be strongly affected by their national laws, but also by their own statutes or operating rules, depending on the legal basis of their formation (e.g. as independent entities or as part of an interior or economic affairs ministry). This also affects how they can address each of the challenges above: a national CERT with a clear legal remit defined by law may, for example, have a clearer legal basis for collecting and processing personal data relating to suspicious activities than a purely private sector CERT that oversees the security of a single communications network. Ignoring these bounds can result in evidence being tainted and/or the CERT risking its liability.
Thus, for a CERT it is vitally important to have a clear mandate, and to be able to communicate this information clearly to its peers before engaging in information exchanges.

Whilst the literature review and Key Informant Interviews (KII) conducted for this study identified a number of challenging legal concerns, at the practical level not all of these concerns were noted as being of direct impact with respect to cross-border information sharing.

The research found that a degree of uncertainty remained with respect to the legal basis of much CERT cross-border coordination. Interviewees reported that CERTs' cooperation operates on an informal basis which sometimes perceives legal involvement as hampering swift and effective cooperation. CERTs participating in this study reported having participated in cross-border information exchange. Many of the respondents to the online questionnaire indicated they had managerial or technical, rather than legal, expertise.

Evidence from
the research indicated that in practice, data protection, data retention and obligations to work with law enforcement constituted the greatest set of challenges for cross-border CERT cooperation. The respondents to our questionnaire were most familiar with their own national legal frameworks in these areas, whereas they were less familiar with international harmonization initiatives in the same domain. For example, with respect to their own legislation, 15 out of 17 respondents reported that they had at least some knowledge of definitions of computer crime or data protection and privacy law; 14 out of 17 respondents reported some knowledge of data retention rules, procedures for preserving computer data as evidence or national security rules; and 13 out of 17 respondents reported at least some knowledge concerning laws about working with law enforcement.

With regard to international aspects, however, the situation is different. Here, 9 out of 17 respondents reported some understanding of international efforts to harmonise computer crime definitions (as afforded by the Convention on Cybercrime, for example). Eleven out of 17 respondents indicated some understanding of international efforts to harmonise data protection and communications privacy, whilst 9 out of 17 respondents reported some understanding of international efforts concerning national security laws.

There was
least familiarity with international efforts governing rules determining the competent court, applicable law for specific incidents or legal value of evidence: only 7 out of 17 respondents indicated any degree of understanding of international harmonization regimes in this regard.

Regarding the specific legal frameworks cited as justification for their own request being denied, 12 out of 14 respondents cited data protection and privacy law as having been used as a reason to justify a declined request by a peer. On the other hand, 5 out of 13 respondents indicated that, with some degree of frequency, data protection and privacy laws, rules concerning computer data as evidence, laws concerning cross-border mutual legal assistance, laws concerning working with law enforcement or rules concerning the legal value of evidence were all cited as a justification to withhold information in a cross-border request. Of course, this should not be taken as clear proof that such exchanges would certainly have been in clear breach of these laws, but rather that sufficient doubt existed on the legality of the exchanges to withhold them.

Recommendations

The evidence gathered during our study (especially from the online questionnaire) should not be taken as entirely representative of the entirety of the European national/governmental CERT community. Nonetheless, below we identify some recommendations which may further improve the work of CERTs based on the material gathered during this study. We split these up into short, medium and long-term recommendations.

In the short term:

· A.1 Identify ways to support operational coordination between CERTs, for example by the provision of a one-stop shop or legal helpline, modelled perhaps on the European Judicial Network (EJN) 'legal helpdesk'. Other approaches include the provision of checklists.
· A.2 Disseminate Declared Level of Service templates, building upon the establishment of common 'declared level of service' templates (based on the RFC 2350 model) to help set expectations as to legal factors which may affect cross-border information exchange.
· A.3 Investigate measures to encourage cross-border information exchange, for example via sanitization of data, confidentiality charters or means to limit liability of CERT incident response activities (such as the 2011 Danish law concerning incident response).

Over the medium to longer term, more extensive recommendations concern policy intervention:

· B.1 Address legal uncertainty concerning requests via clarification of the differences between relevant national legal frameworks, to remove uncertainty and create a common baseline for cooperation.
· B.2 Designate national/governmental CERTs on a specific regulatory basis to provide them with a clearer mandate.
· B.3 Ensure EU-level legislation takes account of the scope of national/governmental CERTs, particularly with the current revision of the Data Protection Directive 95/46/EC, noting principles for the use of personal data in the fight against terrorism and serious and organised crime.
· B.4 Specify a threshold for incidents requiring national/governmental CERT response and sharing: incidents must pass a certain threshold according to agreed indicators for them to be considered as within the competence of a national/governmental CERT.
· B.5 Articulate to the relevant authorities why CERTs need to process personal data, so that guidance may be prepared to establish clarity on the circumstances under which personal data used by CERTs may be shared across borders.

Finally, three long-term recommendations concern research activities or projects:

· C.1 Incorporate information on the legal basis for an information request (e.g. via coordination with structured information exchange initiatives such as those run by the IETF or ITU).
· C.2 Further foster R&D into privacy-enhancing Security Event & Incident Monitoring (SEIM) tools, for example anonymisation infrastructure.
· C.3 Conduct further empirical research into the mechanics of cross-border CERT cooperation to explore the logic and process of cross-border incident response.

ANNEX 12: INTERNET 2011 IN NUMBERS

Source:
http://royal.pingdom.com/2012/01/17/internet-2011-in-numbers/

Email

· 3.146 billion – Number of email accounts worldwide.
· 27.6% – Microsoft Outlook was the most popular email client.
· 19% – Percentage of spam emails delivered to corporate email inboxes despite spam filters.
· 112 – Number of emails sent and received per day by the average corporate user.
· 71% – Percentage of worldwide email traffic that was spam (November 2011).
· 360 million – Total number of Hotmail users (largest email service in the world).
· $44.25 – The estimated return on $1 invested in email marketing in 2011.
· 40 – Years since the first email was sent, in 1971.
· 0.39% – Percentage of email that was malicious (November 2011).

Websites

· 555 million – Number of websites (December 2011).
· 300 million – Added websites in 2011.

Web servers

· 239.1% – Growth in the number of Apache websites in 2011.
· 68.7% – Growth in the number of IIS websites in 2011.
· 34.4% – Growth in the number of NGINX websites in 2011.
· 80.9% – Growth in the number of Google websites in 2011.

Domain names

· 95.5 million – Number of .com domain names at the end of 2011.
· 13.8 million – Number of .net domain names at the end of 2011.
· 9.3 million – Number of .org domain names at the end of 2011.
· 7.6 million – Number of .info domain names at the end of 2011.
· 2.1 million – Number of .biz domain names at the end of 2011.
· 220 million – Number of registered domain names (Q3, 2011).
· 86.9 million – Number of country code top-level domains (.CN, .UK, .DE, etc.) (Q3, 2011).
· 324 – Number of top-level domains.
· 28% – Market share for BIND, the number one DNS server type.
· $2.6 million – The price for social.com, the most expensive domain name sold in 2011.

Internet users

· 2.1 billion – Internet users worldwide.
· 922.2 million – Internet users in Asia.
· 476.2 million – Internet users in Europe.
· 271.1 million – Internet users in North America.
· 215.9 million – Internet users in Latin America / Caribbean.
· 118.6 million – Internet users in Africa.
· 68.6 million – Internet users in the Middle East.
· 21.3 million – Internet users in Oceania / Australia.
· 45% – Share of Internet users under the age of 25.
· 485 million – Number of Internet users in China, more than any other country in the world.
· 36.3% – Internet penetration in China.
· 591 million – Number of fixed (wired) broadband subscriptions worldwide.

Social media

· 800+ million – Number of users on Facebook by the end of 2011.
· 200 million – Number of users added to Facebook during 2011.
· 350 million – Number of Facebook users that log in to the service using their mobile phone.
· 225 million – Number of Twitter accounts.
· 100 million – Number of active Twitter users in 2011.
· 18.1 million – People following Lady Gaga, Twitter's most popular user.
· 250 million – Number of tweets per day (October 2011).
· 1 – #egypt was the number one hashtag on Twitter.
· 8,868 – Number of tweets per second in August for the MTV Video Music Awards.
· $50,000 – The amount raised for charity by the most retweeted tweet of 2011.
· 39 million – The number of Tumblr blogs by the end of 2011.
· 70 million – Total number of WordPress blogs by the end of 2011.
· 1 billion – The number of messages sent with WhatsApp during one day (October 2011).
· 2.6 billion – Worldwide IM accounts.
· 2.4 billion – Social networking accounts worldwide.

Web browsers

Mobile

· 1.2 billion – The number of active mobile broadband subscriptions worldwide in 2011.
· 5.9 billion – The estimated number of mobile subscriptions worldwide in 2011.
· 85% – Percentage of handsets shipped globally in 2011 that included a web browser.
· 88% – Apple iPad's share of global tablet web traffic in December.

Videos

· 1 trillion – The number of video playbacks on YouTube.
· 140 – The number of YouTube video playbacks per person on Earth.
· 48 hours – The amount of video uploaded to YouTube every minute.
· 1 – The most viewed video on YouTube during 2011 was Rebecca Black's "Friday".
· 82.5% – Percentage of the U.S. Internet audience that viewed video online.
· 76.4% – YouTube's share of the U.S. video website market (December 2011).
· 4,189,214 – Number of new users on Vimeo.
· 201.4 billion – Number of videos viewed online per month (October 2011).
· 88.3 billion – Videos viewed per month on Google sites, incl. YouTube (October 2011).
· 43% – Share of all worldwide video views delivered by Google sites, incl. YouTube.

Images

· 14 million – Number of Instagram accounts created during 2011.
· 60 – The average number of photos uploaded per second to Instagram.
· 100 billion – Estimated number of photos on Facebook by mid-2011.
· 51 million – Total number of registered users on Flickr.
· 4.5 million – Number of photos uploaded to Flickr each day.
· 6 billion – Photos hosted on Flickr (August 2011).
· 1 – Apple iPhone 4 is the most popular camera on Flickr.

ANNEX 13: IMPACT ASSESSMENT MATRIX

The matrix presents the determination of the
expected impacts per policy option. The assessment of the impacts under each of the options was done by analysing the magnitude of the expected impact, as well as the likelihood that the impact will actually occur as a result of the proposed policy option.

The notation used to express the magnitude of an impact in comparison with the baseline scenario is the following:

- - - || very negative impact || -3
- - || negative impact || -2
- || slightly negative impact || -1
0 || no impact || 0
+ || slightly positive impact || +1
+ + || positive impact || +2
+ + + || very positive impact || +3

The likelihood is expressed as follows:

1 || low likelihood || 1
2 || medium likelihood || 2
3 || high likelihood || 3

The magnitude of the impact is weighted by the likelihood. The value given for the likelihood is an absolute score, i.e. not relative to the score of the baseline scenario.

Impacts || Option 1: Business as usual || Option 2: Regulatory approach || Option 3: Combined approach

Objective 1: To put in place a minimum common level of NIS in the MS and thus increase the overall level of preparedness and response

Specific objective || Option 1 assessment || Magnitude || Likelihood || Score || Option 2 assessment || Magnitude (compared to baseline) || Likelihood || Score || Option 3 assessment || Magnitude (compared to baseline) || Likelihood || Score

To ensure that all the Member States are adequately equipped at national level both in terms of technical and organisational capabilities to prevent, detect, mitigate and respond to NIS risks, threats and incidents || Given that initiatives would be voluntary in nature, the pace of development would vary significantly across the MS. Whereas in those MS which already consider NIS as a priority the level of security might further improve, the other Member States will continue to lag behind. The overall level of security would not improve adequately and in a timely fashion. || 0 || High || 3 || The obligations on the Member States should in principle ensure a common minimum high level of capabilities across the EU. As a result, the level of security should improve considerably. || +++ || High || 3 || It is unlikely that all the Member States would reach adequate and comparable preparedness via voluntary initiatives. It would still be possible that some Member States would follow up on the Commission's recommendations. Overall, the level of security is not likely to improve more than marginally compared to the baseline option. || 0 || High || 3

To ensure that all Member States develop and update national cyber security strategies and national cyber incident contingency/cooperation plans || Given that initiatives would be voluntary in nature, the pace of development would vary significantly across the MS. Whereas in those MS which already consider NIS as a priority the level of security might further improve, the other Member States will continue to lag behind. The overall level of security would not improve adequately and in a timely fashion. || 0 || High || 3 || The obligations on the Member States should in principle ensure a common minimum high level of capabilities across the EU. As a result, the level of security should improve considerably. || +++ || High || 3 || It is unlikely that all the Member States would reach adequate and comparable preparedness via voluntary initiatives. It would still be possible that some Member States would follow up on the Commission's recommendations. Overall, the level of security is not likely to improve more than marginally compared to the baseline option. || 0 || High || 3

Total score Objective 1 || 0 || 18 || 0

Objective 2: To improve cooperation on NIS at EU level with a view to counter cross-border incidents and threats effectively

Specific objective || Option 1 assessment || Magnitude || Likelihood || Score || Option 2 assessment || Magnitude (compared to baseline) || Likelihood || Score || Option 3 assessment || Magnitude (compared to baseline) || Likelihood || Score

To ensure that national competent authorities and CERTs share NIS information and best practices regularly || On the basis of voluntary initiatives and in the absence of a minimum level of capabilities in the Member States there would be no development of trust across the EU and there would be no guarantee that cooperation involving all the Member States would take place. Existing mechanisms would continue to involve only a few Member States. || 0 || High || 3 || A common minimum level of preparedness at national level would contribute to the creation of a climate of mutual trust, thereby enabling close cooperation and allowing coherent and coordinated prevention and response to cross-border NIS incidents, risks and threats. || ++ || Medium || 2 || On the basis of voluntary initiatives and in the absence of a minimum level of capabilities in the Member States there would be no development of trust across the EU and there would be no guarantee that cooperation involving all the Member States would take place. Existing mechanisms would continue to involve only a few Member States. || 0 || High || 3

To make sure that national competent authorities and CERTs can exchange information cross-border in a reliable and confidential manner || Current mechanisms lack a framework and an infrastructure for trusted information sharing, based on common confidentiality requirements. This would hinder information exchange on NIS threats and incidents across the Member States. || 0 || High || 3 || Cooperation between competent authorities within the network would provide for effective cross-border exchange of information on NIS threats and incidents. A secure infrastructure would guarantee the necessary confidentiality. || +++ || Medium || 2 || Current mechanisms lack a framework and an infrastructure for trusted information sharing, based on common confidentiality requirements. This would hinder information exchange on NIS threats and incidents across the Member States. || 0 || High || 3

Total score Objective 2 || 0 || 10 || 0

Objective 3: To create a culture of risk management and improve the sharing of information between the private and public sectors

Specific objective || Option 1 assessment || Magnitude || Likelihood || Score || Option 2 assessment || Magnitude (compared to baseline) || Likelihood || Score || Option 3 assessment || Magnitude (compared to baseline) || Likelihood || Score

To make sure that key private sector players and public administrations engage in assessment of the risks and risk management practices || Only electronic communications providers would continue to be bound to adopt risk management practices. Other key players providing important inputs to economic and societal processes would not be required to do so. || 0 || High || 3 || Mandatory requirements for key private sector players and public administrations to analyse risks and adopt adequate measures to face those risks would create a strong incentive to manage and dimension security risks effectively and in turn enhance preparedness and timely response. || +++ || High || 3 || Mandatory requirements for key private sector players and public administrations to analyse risks and adopt adequate measures to face those risks would create a strong incentive to manage and dimension security risks effectively and in turn enhance preparedness and timely response. On the other hand, it is unlikely that public administrations would be able to carry out appropriate risk management in those Member States where NIS capabilities would not be in place at the level of the central government (e.g. CERTs or national competent authorities). || ++ || Medium || 2

To ensure that NIS breaches with a significant impact are reported to the national competent authorities || Only electronic communications providers would continue to be bound to report NIS breaches. Other key players providing important inputs to economic and societal processes would not be required to do so. || 0 || High || 3 || Mandatory requirements for key private sector players and public administrations to report NIS incidents with a significant impact would enhance transparency and enable timely and effective response. It would also empower governments to conduct evidence-based policy making. || +++ || High || 3 || Mandatory requirements for key private sector players and public administrations to report NIS incidents with a significant impact would enhance transparency and enable timely and effective response. It would also empower governments to conduct evidence-based policy making. On the other hand, only those Member States which have followed the Commission's recommendations on capabilities would be able to support this process appropriately (e.g. without a national competent authority being appointed, there would be no organisation to which NIS incidents could be reported). || ++ || Medium || 2

Total score Objective 3 || 0 || 18 || 8

Grand Total || 0 || 46 || 8

ANNEX 14: LIST OF ACRONYMS

BEREC || Body of European Regulators for Electronic Communications
CCA || Cross-sector Crisis Coordination arrangement
CERTs || Computer Emergency Response Teams
CII || Critical Information Infrastructures
CIO || Chief Information Officer
CIIP || Critical Information Infrastructure Protection
CIP || Critical Infrastructure Protection
CISO || Chief Information Security Officer
CNECT || Communications Networks, Content and Technology Directorate General (former Information Society and Media Directorate-General) of the European Commission
CSIRTs || Computer Security Incident Response Teams
DG CONNECT || Communications Networks, Content and Technology Directorate General (former Information Society and Media Directorate-General) of the European Commission
DAE || Digital Agenda for Europe
DHS || United States Department of Homeland Security
EC3 || European Cybercrime Centre
ECIs || European Critical Infrastructures
ECJ || Court of Justice of the European Union
EFMS || European Forum for Member States
EGC || The European Government CERTs group
EISAS || European Information Sharing and Alert System
ENISA || European Network and Information Security Agency
EP3R || European Public-Private Partnership for Resilience
EPCIP || European Programme for Critical Infrastructure Protection
EU || European Union
EU2020 || Europe 2020, the EU's growth strategy for 2020
EWRS || Early warning and response system
FWD || Framework Directive
FTE || Full-time equivalent
GDP || Gross Domestic Product
ICS || Industrial Control System
ICT || Information and Communications Technologies
ISACs || Information Sharing and Analysis Centers
ISP || Internet Service Provider
ISS || EU Internal Security Strategy
IT || Information Technology
MS || Member States of the European Union
NACE || Statistical Classification of Economic Activities in the European Community
NCI || National critical infrastructure
NCP || National Contingency Plan
NIS || Network and Information Security
NRA || National Regulatory Authority
PPPs || Public-private partnerships
SME || Small and Medium Enterprise
TFEU || Treaty on the Functioning of the European Union

[1] The European Public Private Partnership for
Resilience (EP3R) aims to foster the cooperation across Europe between the
public and the private sector to develop coordinated strategic policy
objectives as well as tactical/operational measures to strengthen security and
resilience in CIIP [2] http://ec.europa.eu/information_society/policy/nis/strategy/activities/ciip/expert_group_smart_grid/index_en.htm [3] http://ec.europa.eu/information_society/digital-agenda/actions/infosec-consultation/index_en.htm [4] http://ec.europa.eu/information_society/digital-agenda/actions/infosec-consultation/index_en.htm
[5] Final report: https://ec.europa.eu/digital-agenda/sites/digital-agenda/files/daa12-final_report_1.pdf [6] http://www.europarl.europa.eu/sides/getDoc.do?type=TA&reference=P7-TA-2012-0237&language=EN&ring=A7-2012-0167 [7] COM(2001)298 [8] See http://ec.europa.eu/information_society/policy/ecomm/doc/library/regframeforec_dec2009.pdf [9] These consisted of security provisions including on security
breaches notifications (Art. 13a&b of Framework Directive 2002/21/EC), and
were to be transposed at national level by 25 May 2011 [10] eBay Inc. filing to SEC for the fiscal year that ended
31.12.2010 http://www.sec.gov/Archives/edgar/data/1065088/000106508811000003/ebay10k20101231.htm
[11] http://www.rijksoverheid.nl/bestanden/documenten-en-publicaties/rapporten/2011/09/05/diginotar-public-report-version-1/rapport-fox-it-operation-black-tulip-v1-0.pdf [12] http://nctb.nl/Images/brief-cyber-meldplicht-en-interventie_tcm91-435018.pdf http://nctb.nl/Actueel/Nieuwsberichten/2012/wettelijke-regeling-meldplicht-en-interventiemogelijkheden-bij-digitale-veiligheidsincidenten.aspx?cp=91&cs=25481 [13] http://europa.eu/rapid/pressReleasesAction.do?reference=MEMO/11/34 [14] Circular CSSF 11/504 – Frauds and incidents due to
external computer attacks [15] http://www.bmi.bund.de/SharedDocs/Downloads/EN/Broschueren/Leitfaden_Schutz_kritischer_Infrastrukturen_en.pdf?__blob=publicationFile
[16] http://www.theregister.co.uk/2012/08/28/cut_underseas_cable_cripples_networks/?utm_source=google&utm_medium=twitter&utm_campaign=Feed%253A+InformationSecurityDisclosure+%2528Information+Security+Disclosure%2529
[17] Internet Security Threat Report Volume 16, Symantec
[18] Cybersecurity, Threats Impacting the Nation, GAO 2012
[19] http://www.enisa.europa.eu/media/news-items/The-threat-from-Flamer.pdf
[20] http://www.eweek.com/c/a/Security/Huge-Shady-RAT-CyberAttack-Likely-Targeted-Thousands-More-Victims-503656/
[21] The Internet economy has generated 21% of the GDP growth of the last 5 years and could represent as much as 20% of GDP growth in the period up to 2015 in the Netherlands and in the UK. Internet consumption and expenditure already exceed the share of GDP of agriculture or energy, and its GDP is bigger than the GDP of Canada or Spain. It represents 7% of UK GDP, 3.7% in France, 2.2% in Spain, 2% in Italy, 2.7% in Poland, 3.6% in the Czech Republic, 4.3% in the Netherlands, 5.8% in Denmark, 6.6% in Sweden, 3.4% in Germany and 2.5% in Belgium. According to IMRG, in March 2010, 600,000 jobs were associated with e-commerce in the UK. Each year, 200 million Europeans – 40% of all citizens – buy over the Internet. 27% of European enterprises purchase and 13% sell online. Some sectors have already been profoundly transformed by e-commerce. These include travel agencies (39% of sales took place online in 2008), sales of electronic and cultural goods (22%), financial services, gambling and sports betting (5th Consumer Scoreboard - March 2011).
[22] Source: Eurostat, http://appsso.eurostat.ec.europa.eu/nui/show.do?dataset=isoc_cisce_ic&lang=en
[23] http://www.sec.gov/Archives/edgar/data/313838/000115752311003320/a6733820.htm
[24] http://www.sec.gov/Archives/edgar/data/1070235/000107023511000054/pr120211.htm
[25] Source: FBI, Statement before the House Financial Services Committee, http://www.fbi.gov/news/testimony/cyber-security-threats-to-the-financial-sector
[26] http://www.nytimes.com/2012/10/01/business/cyberattacks-on-6-american-banks-frustrate-customers.html?_r=0&adxnnl=1&adxnnlx=1349785139-tC3YxWCWhVImONk4tIKGZA
[27] A Detica Report, in partnership with the Office of Cyber Security and Information Assurance in the UK Cabinet Office, 2012, "The cost of cyber-crime".
[28] http://www.rim.com/newsroom/service-update.shtml
[29] Special Eurobarometer 390/2012 on cyber security, http://ec.europa.eu/public_opinion/archives/ebs/ebs_390_en.pdf
[30] http://www.mcafee.com/us/resources/reports/rp-operation-high-roller.pdf
[31] http://www.cio.co.uk/news/3258814/london-stock-exchange-under-major-cyberattack-during-linux-switch/
[32] Source: Centre for Strategy and Evaluation Services, Interim Evaluation of FP7 Research activities in the field of Space and Security, http://ec.europa.eu/enterprise/policies/security/files/doc/aviation_case_study__cses_en.pdf
[33] Summary report of the Expert Group on the security and resilience of communication networks and information systems for Smart Grids, July 2012, http://ec.europa.eu/information_society/policy/nis/strategy/activities/ciip/expert_group_smart_grid/index_en.htm
[34] Idem Eurobarometer 390/2012
[35] Based on expected GDP for EU27 in 2010 of approximately €12 trillion. Copenhagen Economics, The Economic Impact of a European Digital Single Market, March 2010
[36] OECD 2008 'Economics of malware: Security decisions, incentives and externalities', http://www.oecd.org/internet/interneteconomy/40722462.pdf
[37] http://epp.eurostat.ec.europa.eu/statistics_explained/index.php/ICT_security_in_enterprises
[38] The European Network and Information Security Market, IDC EMEA, 2009
[39] Eurostat, Community Survey on ICT usage in businesses, 2008
[40] EU-US Summit 2010, Final statement, http://europa.eu/rapid/pressReleasesAction.do?reference=MEMO/10/597
[41] The information on the state of capabilities provided in this Section is based on the results of the stocktaking exercise carried out by Vice-President Neelie Kroes via two letters sent to the Ministries in charge in the Member States, in 2011 and in 2012 respectively. Not all Member States participated in this stocktaking exercise; however, the outcomes provide a fairly clear overview of NIS capabilities across the EU.
[42] Measuring the cost of cybercrime, June 2012, R. Anderson et al., http://weis2012.econinfosec.org/papers/Anderson_WEIS2012.pdf
[43] IDC EMEA study on the European Network and Information Security Market, April 2009, http://ec.europa.eu/information_society/policy/nis/docs/others_pdf/smart2007005_D_7_1.pdf
[44] Informal European Government CERTs Group
[45] For an overview see the ENISA Who-is-Who Directory on network and information security, http://www.enisa.europa.eu/publications/who-is-who-directory-2011. See also Annex 4 to this Staff Working Paper.
[46] http://www.enisa.europa.eu/activities/cert/support/files/status-report-2012
[47] See http://www.egc-group.org/
[48] http://europa.eu/rapid/pressReleasesAction.do?reference=IP/10/1459
[49] http://www.enisa.europa.eu/activities/Resilience-and-CIIP/cyber-crisis-cooperation/cyber-europe/ce2010/ce2010report
[50] Respondents to the public consultation stressed that the financial industry is already required to manage NIS risks under certain national laws, e.g. in the UK, the Netherlands and Germany. This would be accompanied by an obligation to report incidents to the national central bank or to the supervisory authorities. It may also be expected that those requirements will be further aligned as part of the plans to establish a European Banking Union.
[51] Directive 2002/21 on a common regulatory framework for electronic communications networks and services (Framework Directive), Article 13 a) and b) as introduced by Directive 2009/140/EC, http://ec.europa.eu/information_society/policy/ecomm/doc/140framework.pdf
[52] See http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:en:NOT
[53] See http://ec.europa.eu/justice/newsroom/data-protection/news/120125_en.htm
[54] COM(2012) 11
[55] COM(2010) 517, http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=COM:2010:0517:FIN:EN:PDF
[56] See http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2008:345:0075:0082:EN:PDF
[57] http://ec.europa.eu/dgs/information_society/evaluation/studies/s2006_enisa/docs/final_report.pdf
[58] See http://www.isaccouncil.org/
[59] ICS are typically used in industries such as electric, water and wastewater, oil and natural gas, transportation, chemical, pharmaceutical, pulp and paper, food and beverage, and discrete manufacturing (e.g., automotive, aerospace, and durable goods). Source: US Department of Commerce, http://csrc.nist.gov/publications/nistpubs/800-82/SP800-82-final.pdf
[60] http://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic4.htm
[61] Regulation (EC) No 460/2004 of the European Parliament and of the Council of 10 March 2004 establishing the European Network and Information Security Agency (OJ L 077, 13/03/2004, p. 1-11).
[62] ECJ 02.05.2006, C-217/04, United Kingdom of Great Britain and Northern Ireland v. European Parliament and Council of the European Union
[63] Point 62.
[64] Point 63.
[65] Proposal for a Regulation of the European Parliament and of the Council concerning the European Network and Information Security Agency (ENISA) of 30 September 2010, COM(2010) 521.
[66] SEC(2010) 1126
[67] http://ec.europa.eu/information_society/policy/ecomm/doc/library/ext_studies/cost_non_europe/im_e_com.pdf
[68] Micro, small and medium enterprises are defined based on the criteria set out in EU recommendation 2003/361.
[69] https://resilience.enisa.europa.eu/article-13/guideline-for-minimum-security-measures/technical-guideline-for-minimum-security-measures-v1.0
[70] In their reply to the public consultation, Finland and the GSMA underlined that a reporting obligation would require the competent authorities to have the ability to collect and combine notifications, assess their criticality, and distribute situational awareness on NIS incidents to relevant entities.
[71] NACE Rev2 Code 50.1
[72] NACE Rev2 Code 50.2
[73] 'Infrastructure managers' are defined as 'Any enterprise or transport operator responsible in particular for establishing and maintaining railway infrastructure, as well as for operating the control and safety systems'.
[74] 'Integrated companies' are defined as: 'Railway transport operator also being an infrastructure manager'. Railway transport operators include all public or private transport operators which provide services for the transport of goods and/or passengers by rail. Included are all transport operators that dispose of/provide traction. Excluded are railway transport operators which operate entirely or mainly within industrial and similar installations, including harbours, and railway transport operators which mainly provide local tourist services, such as preserved historical steam railways. Sometimes the term "railway undertaking" is used.
[75] Any public or private transport operator which provides services for the transport of goods and/or passengers by rail. Included are all transport operators that dispose of/provide traction. Excluded are railway transport operators which operate entirely or mainly within industrial and similar installations, including harbours, and railway transport operators which mainly provide local tourist services, such as preserved historical steam railways. Sometimes the term "railway undertaking" is used.
[76] NACE Rev2 Code 52.1: operation of storage and warehouse facilities for all kinds of goods: operation of grain silos, general merchandise warehouses, refrigerated warehouses, storage tanks etc.
[77] NACE Rev2 Code 52.24: loading and unloading of goods or passengers' luggage irrespective of the mode of transport used for transportation – stevedoring – loading and unloading of freight railway cars
[78] NACE Rev2 Code 52.29: forwarding of freight, arranging or organising of transport operations by rail, road, sea or air, organisation of group and individual consignments (including pickup and delivery of goods and grouping of consignments), issue and procurement of transport documents and waybills, activities of customs agents, activities of sea-freight forwarders and air-cargo agents, brokerage for ship and aircraft space, goods-handling operations, e.g. temporary crating for the sole purpose of protecting the goods during transit, uncrating, sampling, weighing of goods
[79] Credit institutions are defined by the ECB as 'commercial banks, savings banks, post office banks, credit unions, etc.' (see http://www.ecb.int/press/pr/date/2011/html/pr110114.en.html)
[80] General government refers to all four sub-sectors of government (see 'Manual on Government Deficit and Debt, Methodologies and Working Papers, ISSN 1977-0375 - Implementation of ESA95'; URL: http://epp.eurostat.ec.europa.eu/cache/ITY_OFFPUB/KS-RA-09-017/EN/KS-RA-09-017-EN.PDF). These are:
- central government: this includes all administrative departments of the State and other central agencies whose competence extends normally over the whole economic territory, except for the administration of social security funds;
- state government: this consists of separate institutional units exercising some of the functions of government at a level below that of central government and above that of the governmental institutional units existing at local level, except for the administration of social security funds;
- local government: this includes those types of public administration whose competence extends to only a local part of the economic territory, apart from local agencies of social security funds;
- social security funds: this includes all central, state and local institutional units whose principal activity is to provide social benefits and which fulfil each of the following two criteria: (1) by law or by regulation certain groups of the population are obliged to participate in the scheme or to pay contributions; (2) general government is responsible for the management of the institution in respect of the settlement or approval of the contributions and benefits independently from its role as supervisory body or employer.
[81] In the public consultation, some stakeholders expressed the view that sectoral regulation in some cases already empowers the regulatory bodies to address security issues. In their view the Commission needs to be careful to avoid unnecessary duplication or contradictions between its proposals and existing mechanisms.
[82] http://ess.nsd.uib.no/essmd
[83] Cf. 'Operational guidance for assessing impacts on sectoral competitiveness within the Commission IA system' (http://ec.europa.eu/governance/impact/key_docs/docs/sec_2012_0091_en.pdf)
[84] Cf. "Competitive proofing toolkit" – page 8.
[85] The approach and data sources used are consistent with the best practice recommendations in the "Competitive proofing toolkit".
[86] http://www.gartner.com/technology/home.jsp
[87] Assuming a cost of 150 EUR for a technician and of 300 EUR for a project manager.
[88] Considering that one man-day per month (2/3 technician, 1/3 project manager) should suffice.
[89] http://ec.europa.eu/idabc/en/document/2097.html
[90] Micro, small and medium enterprises are defined based on the following criteria (cf. EU recommendation 2003/361):
[91] Cyber-Security Market - Global Forecast & Trends (2012 – 2017), http://www.marketsandmarkets.com/Market-Reports/cyber-security-market-505.html and Global Industry Analysis Inc "Cyber Security - A Global Strategic Business Report"
[92] See http://www.symantec.com/about/news/release/article.jsp?prid=20120905_02
[93] See 'The Cost of Cyber Crime' – a Detica report in partnership with the Office of Cyber Security and Information Assurance in the Cabinet Office.
[94] COM(2001)298
[95] See Regulation (EC) No 460/2004 at http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32004R0460:EN:HTML
[96] COM(2010)521
[97] COM(2006)251 http://eur-lex.europa.eu/LexUriServ/site/en/com/2006/com2006_0251en01.pdf
[98] 2007/068/01
[99] COM(2006)786 http://eur-lex.europa.eu/LexUriServ/site/en/com/2006/com2006_0786en01.pdf
[100] See http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2008:345:0075:0082:EN:PDF
[101] Decision No 1351/2008/EC http://ec.europa.eu/information_society/activities/sip/docs/prog_decision_2009/decision_en.pdf
[102] COM(2009)149 http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=COM:2009:0149:FIN:EN:PDF
[103] 2009/C 321/01
[104] See http://ec.europa.eu/information_society/policy/ecomm/doc/library/regframeforec_dec2009.pdf
[105] COM(2010)245, http://ec.europa.eu/information_society/digital-agenda/documents/digital-agenda-communication-en.pdf
[106] COM(2010)673 lex.europa.eu/LexUriServ/LexUriServ.do?uri=COM:2010:0673:FIN:EN:PDF
[107] COM(2010)171 http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=COM:2010:0171:FIN:EN:PDF
[108] COM(2011)163 http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=COM:2011:0163:FIN:EN:PDF
[109] http://www.europarl.europa.eu/meetdocs/2009_2014/documents/sede/dv/sede150611cccybersecurity_/sede150611cccybersecurity_en.pdf
[110] COM(2010) 517, http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=COM:2010:0517:FIN:EN:PDF
[111] COM(2012)140 http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=COM:2012:0140:FIN:EN:PDF
[112] http://europa.eu/rapid/press-release_MEMO-10-597_en.htm
[113] See Eurostat, Structural business statistics. NACE_R1 Code E comprises 'Electricity, gas and water supply' and is the best proxy available for estimating the average turnover of electricity and gas companies.
[114] Only taking into account medium-sized and large enterprises, i.e. micro and small enterprises do not enter the calculation as they are considered not relevant for inclusion in the scope (cf. the broad definition of the NACE_R1 code E comprising around 28.000 companies, whereas only electricity and gas generating and retailing companies are targeted here).
[115] NACE Rev2 Code 51.10
[116] NACE Rev2 Code 51.21
[117] 'Infrastructure managers' are defined as 'Any enterprise or transport operator responsible in particular for establishing and maintaining railway infrastructure, as well as for operating the control and safety systems'.
[118] 'Integrated companies' are defined as: 'Railway transport operator also being an infrastructure manager'. Railway transport operators include all public or private transport operators which provide services for the transport of goods and/or passengers by rail. Included are all transport operators that dispose of/provide traction. Excluded are railway transport operators which operate entirely or mainly within industrial and similar installations, including harbours, and railway transport operators which mainly provide local tourist services, such as preserved historical steam railways. Sometimes the term "railway undertaking" is used.
[119] Any public or private transport operator which provides services for the transport of goods and/or passengers by rail. Included are all transport operators that dispose of/provide traction. Excluded are railway transport operators which operate entirely or mainly within industrial and similar installations, including harbours, and railway transport operators which mainly provide local tourist services, such as preserved historical steam railways. Sometimes the term "railway undertaking" is used.
[120] NACE Rev2 Code 50.1
[121] NACE Rev2 Code 50.2
[122] http://ec.europa.eu/transport/maritime/ports_en.htm
[123] NACE Rev2 Code 52.1: operation of storage and warehouse facilities for all kinds of goods: operation of grain silos, general merchandise warehouses, refrigerated warehouses, storage tanks etc.
[124] NACE Rev2 Code 52.24: loading and unloading of goods or passengers' luggage irrespective of the mode of transport used for transportation – stevedoring – loading and unloading of freight railway cars
[125] NACE Rev2 Code 52.29: forwarding of freight, arranging or organising of transport operations by rail, road, sea or air, organisation of group and individual consignments (including pickup and delivery of goods and grouping of consignments), issue and procurement of transport documents and waybills, activities of customs agents, activities of sea-freight forwarders and air-cargo agents, brokerage for ship and aircraft space, goods-handling operations, e.g. temporary crating for the sole purpose of protecting the goods during transit, uncrating, sampling, weighing of goods
[126] NACE Rev2 Code 52.2
[127] 482 airports and 320 commercial airlines
[128] http://ec.europa.eu/transport/air/observatory_market/doc/annual-2010.pdf
[129] See Eurostat, Structural business statistics. NACE_R1 Code I60 comprises 'Land transport; transport via pipelines', i.e. transport via railways, transport via pipelines and other land transport (by road or other), and is the best proxy available for estimating the average turnover of railway operators employing over 250 people.
[130] Only taking into account figures for companies with more than 250 employees, due to the nature of the activities carried out by railway operators.
[131] Excluding turnover related to ports.
[132] 82,7% of 9.921 monetary financial institutions; credit institutions are defined by the ECB as 'commercial banks, savings banks, post office banks, credit unions, etc.' (see http://www.ecb.int/press/pr/date/2011/html/pr110114.en.html)
[133] Production value measures the amount actually produced by the unit, based on sales, including changes in stocks and the resale of goods and services. The production value is defined as turnover, plus or minus the changes in stocks of finished products, work in progress and goods and services purchased for resale, minus the purchases of goods and services for resale, plus capitalised production, plus other operating income (excluding subsidies). Income and expenditure classified as financial or extra-ordinary in company accounts is excluded from production value. The production value is taken from the Eurostat Structural business statistics for NACE_R1 J6512_J6552 (i.e. monetary intermediation excl. central banking).
[134] Directive 2004/39/EC on Markets in Financial Instruments
[135] http://mifiddatabase.esma.europa.eu/
[136] http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:C:2010:348:0009:0015:EN:PDF
[137] E.g. on www.wikinvest.com, www.world-stock-exchanges.net, en.wikipedia.org/wiki/List_of_European_stock_exchanges
[138] http://www.fese.be/_lib/files/EUROPEAN_EXCHANGE_REPORT_2011_FINAL.pdf
[139] Euronext turnover has thus been allocated to the Netherlands, which explains the high value for this Member State. The second largest turnover is for Germany, and the biggest part of this comes from the large exchange Deutsche Börse.
[140] See the European Hospital and Healthcare Federation (http://www.hope.be/03activities/quality_eu-hospitals/eu_country_profiles/00-hospitals_in_europe-synthesis.pdf)
[141] See: http://appsso.eurostat.ec.europa.eu/nui/show.do?dataset=hlth_sha_hp&lang=en
[142] Based on the European Hospital and Healthcare Federation (http://www.hope.be/03activities/quality_eu-hospitals/eu_country_profiles/00-hospitals_in_europe-synthesis.pdf)
[143] See Eurostat: http://appsso.eurostat.ec.europa.eu/nui/show.do?dataset=hlth_sha_hp&lang=en
[144] See e.g. the article on the evolution of Telco activities in the cloud: http://blogs.yankeegroup.com/2012/09/20/do-telcos-have-klout-in-cloud
[145] Namely those providing services where there is access to and from numbers in a national or international telephone numbering plan.
[146] http://ec.europa.eu/information_society/policy/ecomm/doc/library/working_docs/406_14_voip_consult_paper_v2_1.pdf
[147] Cf. http://www.voipproviderslist.com/
[148] NACE Rev2 Code 63: This division includes the activities of web search portals, data processing and hosting activities, as well as other activities that primarily supply information.
[149] Based on all actors with 50 persons employed or more, incl. an additional number of 400 companies with 20 people employed or more (18.471 + 11.300 + (400 * 4) = 31.370,5 million EUR).
[150] See Report on 'General government expenditure: Analysis by detailed economic function' (Eurostat – Statistics in focus 33/2012 - http://epp.eurostat.ec.europa.eu/cache/ITY_OFFPUB/KS-SF-12-033/EN/KS-SF-12-033-EN.PDF).
[151] See Eurostat: Annual government finance statistics; Government revenue, expenditure and main aggregates (gov_a_main).
[152] General government refers to all four sub-sectors of government (see 'Manual on Government Deficit and Debt, Methodologies and Working Papers, ISSN 1977-0375 - Implementation of ESA95'; URL: http://epp.eurostat.ec.europa.eu/cache/ITY_OFFPUB/KS-RA-09-017/EN/KS-RA-09-017-EN.PDF). These are:
- central government: this includes all administrative departments of the State and other central agencies whose competence extends normally over the whole economic territory, except for the administration of social security funds;
- state government: this consists of separate institutional units exercising some of the functions of government at a level below that of central government and above that of the governmental institutional units existing at local level, except for the administration of social security funds;
- local government: this includes those types of public administration whose competence extends to only a local part of the economic territory, apart from local agencies of social security funds;
- social security funds: this includes all central, state and local institutional units whose principal activity is to provide social benefits and which fulfil each of the following two criteria: (1) by law or by regulation certain groups of the population are obliged to participate in the scheme or to pay contributions; (2) general government is responsible for the management of the institution in respect of the settlement or approval of the contributions and benefits independently from its role as supervisory body or employer.
[153] E.g. costs related to human resources, to securing buildings, higher costs paid to network suppliers that guarantee a higher security level, etc.
[154] For data, see for instance "IT Key Metrics Data 2012" by Gartner, November 2011
[155] http://www.gartner.com/it/page.jsp?id=2156915
[156] For the public sector, this figure relates to the total operating expenditure.
[157] 'Data controllers' refers to the persons or entities which collect and process personal data. For instance, a medical practitioner is usually the controller of his patients' data; a company is the controller of data on its clients and employees; a sports club is controller of its members' data and a library of its borrowers' data. Data controllers determine 'the purposes and the means of the processing of personal data'. This applies to both public and private sectors. Data controllers must respect the privacy and data protection rights of those whose personal data is entrusted to them.
[158] See http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2008:345:0075:0082:EN:PDF
[159] See COM(2012) 11 final - Proposal for a Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).
[160] If such costs were to occur, they could only be measured in a later assessment of any secondary legislation introducing such standards.
[161] Micro, small and medium enterprises are defined based on the following criteria (cf. EU recommendation 2003/361):
[162] Cf. http://ec.europa.eu/enterprise/policies/smart-regulation/administrative-burdens/actionprogramme/index_en.htm#h2-6
[163] Cf. Impact Assessment Guidelines, Annex 10, page 53, http://ec.europa.eu/governance/impact/commission_guidelines/docs/ia_guidelines_annexes_en.pdf
[164] Full Time Equivalent
[165] Whereas, both for the electronic communications sector and for the sectors to which the rules would be extended, it is possible that the rules for reporting breaches to the national authority are more stringent, thus leading to a higher number of notifications, the cost linked to this is not relevant here, as it stems from national rather than EU rules.
[166] http://www.enisa.europa.eu/activities/Resilience-and-CIIP/Incidents-reporting/annual-reports
[167] General estimate based on Eurostat Information Society statistics on the number of operators and service providers for telecommunications services.
[168] See Annex 2 on the assessment of costs related to the requirements to adopt a NIS risk management approach.
[169] 1700 notifications * 60.000 EUR / 12 months / 20 days / 2
[170] See for instance the results of the benchmark presented in Annex 5.
[171] An overview of the ENISA proposed reporting template for Art. 13a breaches can be found in their "Annual Incident Reports 2011" (cf. above), whereas recommendations on the data to be reported in case of data breaches are identified by ENISA in "Recommendations on technical implementation guidelines of Article 4" – April 2012.
[172] E.g. in the case of a NIS security breach caused by lightning, very little or no specific NIS audit would be needed to analyse what happened.
[173] See "Implementing the revised EU Electronic Communications Framework – Impact Assessment" by the Department for Culture, Media and Sport, and the underlying Detica report "Impact of Security and Integrity provisions of the EU Electronic Communications Framework".
[174] Assumption of an investigation costing 25.000 EUR for 10 to 20% of all NIS breach notifications.
[175] http://www.enisa.europa.eu/activities/Resilience-and-CIIP/national-cyber-security-strategies-ncsss/cyber-security-strategies-paper
[176] http://www.enisa.europa.eu/activities/Resilience-and-CIIP/national-cyber-security-strategies-ncsss/national-cyber-security-strategies-an-implementation-guide
[177] For an overview see the ENISA Who-is-Who Directory on network and information security, http://www.enisa.europa.eu/publications/who-is-who-directory-2011.
[178] http://www.enisa.europa.eu/activities/Resilience-and-CIIP/policies/stock-taking-of-national-policies
[179] See COM(2009)149 of 30.03.2009, "Protecting Europe from large scale cyber-attacks and disruptions: enhancing preparedness, security and resilience".
[180] In June and November 2009; March, June, October 2010; January, May, September, December 2011; March, June, December 2012.
[181] Council Directive 2008/114/EC
[182] Established at the EU-US Summit of 20 November 2010 in Lisbon.
[183] See http://ec.europa.eu/transparency/regexpert/detailGroup.cfm?groupID=2527
[184] See www.tallinnciip.eu/doc/EU_Presidency_Conclusions_Tallinn_CIIP_Conference.pdf
[185] See http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:C:2009:321:0001:0004:EN:PDF
[186] See http://www.parliament.uk/documents/lords-committees/eu-sub-com-f/govttresponsefinal060710.pdf
[187] ENISA Desktop Research Report, available at http://www.enisa.europa.eu/act/res/other-areas/national-public-private-partnerships-ppps/desktop-reserach-on-public-private-partnerships
[188] ENISA Good Practice Guide on Cooperative models for effective Public Private Partnerships, available at http://www.enisa.europa.eu/act/res/other-areas/national-public-private-partnerships-ppps/good-practice-guide-on-cooperatve-models-for-effective-ppps
[189] The updated n/g CERT baseline capabilities guide is under development (ENISA WP2012/WS3/WPK3.1). It will be published on ENISA's website (www.enisa.europa.eu/act/cert) in December 2012. This updated document will further clarify the relation between n/g CERTs and other national bodies (regional cooperation).
[190] http://www.enisa.europa.eu/activities/cert/support/baseline-capabilities
[191] COTER brings together Member States' experts from foreign affairs ministries to focus on the external aspects of terrorism.
[192] The NCPs guide is under development. It will be published on ENISA's website (www.enisa.europa.eu) in March 2012.
[193] http://www.enisa.europa.eu/activities/cert/other-work/eisas_folder/eisas-enhanced-roadmap-2012
[194] See http://fisha-project.eu/
[195] See http://ec.europa.eu/idabc/en/document/2097.html
[196] See http://circa.europa.eu/Public/irc/infso/cocom1/library?l=/public_2012/cocom12-11_finalpdf/_EN_1.0_&a=d
[197] http://www.enisa.europa.eu/activities/Resilience-and-CIIP/Incidents-reporting/annual-reports
[198] See http://www.enisa.europa.eu/act/res/reporting-incidents/incidents-reporting-to-enisa/technical-guideline-on-incident-reporting
[199] http://www.enisa.europa.eu/act/res/reporting-incidents/minimum-security-requirements/technical-guideline-on-minimum-security-measures
[200] http://www.enisa.europa.eu/act/res/reporting-incidents/incidents-reporting-to-enisa/technical-guideline-on-incident-reporting
[201] http://www.enisa.europa.eu/activities/Resilience-and-CIIP/Incidents%20reporting/good-practice-guide-on-incident-reporting [202] http://www.enisa.europa.eu/act/it/risks-and-data-breaches/dbn [203] http://www.enisa.europa.eu/activities/Resilience-and-CIIP/policies/analysis-of-national-policies/analysis-of-policies-and-recommendations,
page 30 and 100. [204] See http://conventions.coe.int/Treaty/Commun/ChercheSig.asp?NT=185&CM=1&DF=04/04/2012&CL=ENG
[205] See an exhaustive review of the activities of the UN
regarding cyber-security at http://www.un.org/en/ecosoc/cybersecurity/maurer-cyber-norm-dp-2011-11.pdf
[206] http://www.unodc.org/unodc/en/crime-congress/12th-crime-congress.html [207] A/66/359; http://www.fmprc.gov.cn/eng/zxxx/t858978.htm [208] See http://www.un.org/News/Press/docs/2011/gadis3442.doc.htm
[209] http://meridianprocess.org/ [210] See http://meridianprocess.org/Content.aspx?c=6 [211] http://meridianprocess.org/ [212] See page 7 of the Meridian newsletter volume 2 number 2,
available at
http://meridianprocess.org/library/documents/newsletter_vol1_no2.pdf [213] http://www.cpni.gov.uk/ [214] See http://www.itu.int/ITU-T/studygroups/com17/ict/index.html [215] http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2009:337:0037:0069:EN:PDF [216] Information Society service: any service normally
provided for remuneration, at a distance, by electronic means and at the
individual request of a recipient of services;“by electronic means”: means that
the service is sent initially and received at its destination by means of
electronic equipment for the processing (including digital compression) and
storage of data, and entirely transmitted, conveyed and received by wire, by
radio, by optical means or by other electromagnetic means, [217] Business as usual: Common good
practices in managing business imply that certain minimal standards and
cooperation are assumed to be widespread since the non-compliance to these
common good practices results in reputational, commercial and financial losses.
Common business sense is therefore to adopt these minimal standards and
coordination. [218] Cf. Sectors explicitly mentioned in the description of
Option 2 – Regulatory approach [219] Business as usual: Common good practices in managing
business imply that certain minimal standards and cooperation are assumed to be
widespread since the non-compliance to these common good practices results in
reputational, commercial and financial losses. Common business sense is
therefore to adopt these minimal standards and coordination. [220] Risk for customers is limited by MS protective
legislation. In case of financial losses due to
security breaches, banks are responsible to compensate the financial losses to
its customers [221] http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2011:326:0113:0141:EN:PDF
– article 2 (8) [222] Business as usual: Common good practices in managing
business imply that certain minimal standards and cooperation are assumed to be
widespread since the non-compliance to these common good practices results in
reputational, commercial and financial losses. Common business sense is
therefore to adopt these minimal standards and coordination. [223] http://ec.europa.eu/energy/infrastructure/critical_en.htm [224] Directive 2008/114/EC, annex I - http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2008:345:0075:0082:EN:PDF [225] http://www.crisis.ibz.be/index.php?option=com_content&task=view&id=190&Itemid=160&lang=dutch [226] http://www.rijksoverheid.nl/bestanden/documenten-en-publicaties/rapporten/2010/02/26/analyse-bescherming-vitale-infrastructuur/bijlage1analysebeschermingvitaleinfrastructuur.pdf [227] Energy: http://ec.europa.eu/energy/index_en.htm Banking: http://www.eba.europa.eu/ E-communications: http://ec.europa.eu/information_society/index_en.htm [228] http://www.enisa.europa.eu/activities/cert/support/fight-against-cybercrime/legal-information-sharing [229] The Charter of the Fundamental Rights of the European
Union is a statement of fundamental political, social and economic rights
granted to citizens and residents of the EU. The Charter includes such rights
as the right to life, dignity, liberty and security, and the protection of
private life and personal data. It became legally binding through the entry
into force of the Treaty of Lisbon, on 1 December 2009