
Document 52013AE1414

Opinion of the European Economic and Social Committee on the ‘Proposal for a directive of the European Parliament and of the Council concerning measures to ensure a high common level of network and information security across the Union’ COM(2013) 48 final — 2013/0027 (COD)

OJ C 271, 19.9.2013, p. 133–137 (BG, ES, CS, DA, DE, ET, EL, EN, FR, IT, LV, LT, HU, MT, NL, PL, PT, RO, SK, SL, FI, SV)

19.9.2013   EN   Official Journal of the European Union   C 271/133


Opinion of the European Economic and Social Committee on the ‘Proposal for a directive of the European Parliament and of the Council concerning measures to ensure a high common level of network and information security across the Union’

COM(2013) 48 final — 2013/0027 (COD)

2013/C 271/25

Rapporteur: Mr McDONOGH

On 21 February and on 15 April 2013, the Council and the European Parliament respectively decided to consult the European Economic and Social Committee, under Article 114 of the Treaty on the Functioning of the European Union, on the

Proposal for a Directive of the European Parliament and of the Council concerning measures to ensure a high common level of network and information security across the Union

COM(2013) 48 final – 2013/0027 (COD).

The Section for Transport, Energy, Infrastructure and the Information Society, which was responsible for preparing the Committee's work on the subject, adopted its opinion on 30 April 2013.

At its 490th plenary session, held on 22 and 23 May 2013 (meeting of 22 May), the European Economic and Social Committee adopted the following opinion by 163 votes to 1 with 5 abstentions.

1.   Conclusions and recommendations

1.1

The Committee notes the proposed Directive, which should be seen in the broader context of the recently published Cybersecurity Strategy (1), outlining a comprehensive vision for network and information security (NIS) to ensure that the digital economy can grow safely whilst furthering the European values of freedom and democracy.

1.2

The EESC welcomes this proposal for a Directive to ensure a high common level of NIS across the EU. Harmonisation and management of NIS at European level is essential to the completion of the Digital Single Market and the smooth functioning of the Internal Market as a whole. The Committee shares the concern of the Commission about the enormous damage that could be done to the economy and the welfare of citizens by a failure of NIS. However, the proposed Directive does not meet the expectations of the Committee for strong legislative action on this critical issue.

1.3

The Committee is extremely disappointed with the lack of progress made by many Member States (MS) to implement effective NIS at a national level. The EESC deplores the increased risks that this failure creates for citizens as well as the negative impact it is having on the completion of the Digital Single Market. All MS should take action on their outstanding NIS obligations without further delay.

1.4

This lack of progress is creating another digital divide between the elite group with highly advanced NIS and the less-advanced MS. This gap is adversely affecting trust and collaboration around NIS at EU level and, unless it is urgently addressed, is likely to cause Internal Market failures associated with the divergence in capabilities across the MS.

1.5

As advised in previous opinions (2), the EESC believes that tentative, voluntary measures do not work and that there need to be strong regulatory obligations on MS to ensure harmonisation, governance and enforcement of European NIS. Unfortunately, the EESC does not think that this proposal for a Directive provides the clear and decisive legislation needed. To provide the high common level of NIS required, the Committee believes that a Regulation, with well-defined compulsory obligations on MS, would be more effective than a Directive.

1.6

Notwithstanding the European Commission’s intent to adopt delegated acts to ensure some uniform conditions for the implementation of parts of the Directive, the Committee perceives a dearth of standards, clear definitions and categorical obligations in the proposed act, thus providing too much flexibility to MS on how they interpret and transpose critical elements. The Committee would like to see much more explicit definitions in the act of the standards, requirements and procedures that MS, public authorities, market operators and key Internet enablers are to observe.

1.7

To provide strong policy formulation and implementation for NIS in the EU, the Committee would like to see an EU-level authority for NIS created, analogous to the central authority in the aviation industry (EASA) (3). This body would establish standards and monitor enforcement for all elements of NIS across the Union: from the certification of secure terminal devices and usage, to network security, and data security.

1.8

The EESC is very aware of the increased risks to cybersecurity and data protection from the adoption of cloud computing (4) in Europe. The Committee would like the proposed act to explicitly include special, additional security requirements and obligations regarding the provision and use of cloud services.

1.9

So that there is proper accountability for NIS, the act should make it clear that entities with obligations under the proposed Directive would have a right to hold suppliers of software and hardware liable for any defects in their products or services that contribute directly to NIS incidents.

1.10

The EESC calls on MS to provide special attention to increasing the NIS knowledge and cybersecurity skills of Small and Medium-Sized Enterprises (SMEs). The Committee also draws the attention of the Commission to the success of ‘hacker competitions’ in the US (5) and in some MS (6), at raising cybersecurity awareness and cultivating the next generation of NIS professionals.

1.11

Given the importance of compliance in all MS to the network and information security of the entire EU, the EESC asks the Commission to consider what Multiannual Financial Framework (MFF) funding might be targeted at NIS compliance to assist MS that need financial assistance.

1.12

Spending on Research, Development and Innovation (R&D&I) for NIS technologies should be a high priority in the EU Framework Programme for Research and Innovation ‘Horizon 2020’, so that Europe can keep pace with the fast-changing landscape of cyber threats.

1.13

To help provide clarity about which entities have legal responsibilities under the proposed act, the EESC would like to see an obligation on every MS to publish an online directory of all entities covered by the risk management and reporting requirements of the Directive. This transparency and public accountability would build trust and support compliance.

1.14

The Committee directs the Commission’s attention to the many previous opinions of the EESC that have discussed the topic of network and information security, and which commented on the need for a secure information society and protection for critical infrastructures (7).

2.   Gist of the Commission proposal

2.1

The proposed NIS Directive was published alongside the EU Cybersecurity Strategy, which aims to strengthen the resilience of information systems, reduce cybercrime, enhance EU international cybersecurity policy and cyberdefence, and develop the industrial and technological resources for cybersecurity, while promoting fundamental rights and other EU core values.

2.2

NIS is concerned with the protection of the Internet and other networks, information systems and underpinning services, which support the functioning of our society. NIS is essential to the smooth functioning of the Internal Market.

2.3

The purely voluntary approach to NIS that the EU has followed to date does not provide sufficient protection against NIS risks. Existing NIS capabilities are insufficient to keep pace with the fast-changing world of threats and to ensure a common high level of protection in all the Member States.

2.4

Today the MS have very different levels of capabilities and preparedness, leading to fragmented approaches to NIS across the EU. Given the fact that networks and systems are interconnected, those MS with an insufficient level of protection weaken the overall NIS in the Union. This situation also hinders the creation of trust among peers, which is a prerequisite for cooperation and information sharing. As a result, there is cooperation only among a minority of MS with a high level of capabilities.

2.5

The purpose of the Directive, proposed in accordance with Article 114 of the TFEU, is to facilitate the completion and smooth operation of the Digital Single Market by:

putting in place a minimum common level of NIS in the MS and thus increasing the overall level of preparedness and response to incidents;

improving cooperation on NIS at EU level to counter cross-border incidents and threats;

creating a culture of risk management and improving the sharing of information between the private and public sectors.

2.6

The proposed Directive lays down legal requirements including:

(a)

Each MS must adopt a NIS strategy and designate a national NIS competent authority (CA) with adequate financial and human resources to prevent, handle and respond to NIS risks and incidents.

(b)

The creation of a cooperation mechanism among Member States and the Commission to share early warnings on risks and incidents, to cooperate and to organise regular peer reviews.

(c)

The obligation on specific types of entities throughout the EU to adopt risk management practices and to report major security incidents on their core services to their national CA. The entities covered by these requirements include operators of critical information infrastructures in some sectors (financial services, transport, energy, health), enablers of information society services (notably: cloud computing, e-commerce platforms, Internet payment, search engines, app stores, and social networks) and public administrations.

2.7

Member States will have to implement the Directive within 18 months of its adoption by the Council and European Parliament (expected sometime in 2014).

3.   General comments

3.1

The growth of the Internet and digital society is profoundly impacting everyday life. However, as our dependency on the Internet grows, our freedom, prosperity and quality of life become increasingly dependent on robust network and information security (NIS): if the Internet is down and you can’t access electronic medical records in an emergency, people will die. Yet the security of Europe’s critical information infrastructure is under increasing threat and our level of NIS is not good enough.

3.2

The Director of Europol stated last year that he was ‘… very worried by this great misplaced confidence in the unbreakable nature of the Internet’ (8). We frequently hear of new cyber attacks on essential infrastructure by criminals, terrorists or foreign governments. Targets do not report most attacks because they fear reputational damage; however, in recent weeks we have witnessed attacks on Europe’s Internet infrastructure (9) and banking systems (10) that were too disruptive to hide. One report (11) estimated that the Netherlands suffered 92 million cyber attacks in 2011 and Germany 82 million. The UK government estimates that the UK suffered 44 million cybercrime attacks in 2011 at a cost to the economy of up to EUR 30 billion (12).

3.3

In 2007, the Council of the EU addressed Europe’s NIS problem (13). But the policy approach followed since then (14) has mostly relied on voluntary action by MS, and only a minority of them have taken effective action. The Committee notes that many MS still have neither published a national cybersecurity strategy nor developed a national cyber incident contingency plan, and some have not yet created a Computer Emergency Response Team (CERT). Also, a number of MS have still not ratified the Council of Europe Convention on Cybercrime (15).

3.4

Ten MS that are highly advanced in NIS have formed the European Government CERTs (EGC) group to collaborate closely on NIS and incident response. Membership of the EGC is closed at present: the other, less-advanced 17 MS and the newly formed CERT-EU (16) are currently excluded from this elite group. A new digital divide is opening up between MS that are highly advanced in NIS and the rest. Unless this gap is bridged, the NIS divide will attack the heart of the Digital Single Market, limiting the development of trust, harmonisation and interoperability. Furthermore, without strong action, the divide between the highly advanced and the less-advanced Member States is likely to increase, and so would the internal market failures associated with the divergences in capabilities across the MS.

3.5

The success of the Cybersecurity Strategy and the effectiveness of the proposed NIS Directive will depend on having a strong NIS industry in Europe and sufficient workers with specialist NIS skills. The EESC is pleased to see that the need for MS to invest in NIS education, awareness and training is included in the proposed Directive. The Committee would also like to see every MS make special efforts to inform, educate and support the SME sector with cybersecurity. The large firms can easily acquire the knowledge they need but SMEs need support.

3.6

The EESC is looking forward to cooperating with the European Network and Information Security Agency (ENISA) to promote NIS during ‘Cybersecurity Month’ later this year. Regarding the objective in the Cybersecurity Strategy and the NIS Directive to develop a security-conscious culture across the Union, and to increase the level of NIS skills, the Committee directs the attention of the Commission to the ‘hacker competition’ events for teenagers that have proven so successful at raising awareness in some MS and the USA.

3.7

The Committee is also pleased to note the commitment in the Cybersecurity Strategy to R&D&I spending on NIS technology.

3.8

The growth of cloud computing creates many new risks for cybersecurity to deal with. For example, massive computing power for relatively little expense is now available to cyber criminals; and data from thousands of companies are now located in centralised data stores that are vulnerable to focused attacks. The EESC has called for greater cyber resilience for cloud computing (17).

3.9

The Committee has previously called for the introduction of a voluntary, EU eID scheme for online transactions, to complement existing national schemes. A scheme would provide a higher degree of protection against fraud, a greater climate of trust between economic operators, lower costs of service provision, and a higher quality of service and protection for citizens.

4.   Specific comments

4.1

Regrettably, this NIS Directive proposal from the Commission is too tentative, lacks sufficient clarity and depends too heavily on self-regulation by MS. A shortage of standards, clear definitions and categorical obligations, particularly in Chapter IV of the Directive, provides too much flexibility to MS on how they interpret and transpose critical elements of the act. A Regulation, with well-defined compulsory, legal obligations on MS, would be more effective than a Directive.

4.2

The Committee notes that Article 6 of the Directive requires each MS to designate a ‘competent authority’ (CA) to monitor and ensure the consistent application of the Directive across the EU. It is further noted that Article 8 establishes a ‘cooperation network’ (CN), which, through powers vested in the CN and the Commission, will provide pan-European leadership, stewardship and, if necessary, enforcement down to MS level. The EESC believes that, building on this governance framework, the EU should consider creating an EU-level authority for NIS, analogous to the European Aviation Safety Agency (EASA), which establishes standards and manages security enforcement and compliance for aircraft, airports and airline operations.

4.3

The EU-level NIS authority proposed by the Committee at point 4.2 above could be set up on the foundations of the cybersecurity work already being done by ENISA, the European Committee for Standardization (CEN), the CERTs, the European Government CERTs (EGC) group and others. Such an authority would establish standards and monitor enforcement for all elements of NIS: from the certification of secure terminal devices and usage, to network security, and data security.

4.4

Given the high interdependence among MS in providing NIS across the Union and the potentially very high cost of NIS failure events for all affected parties, the EESC would like to see the legislation include explicit and proportionate sanctions for compliance failures, harmonised to reflect the pan-European dimension of the responsibility and the scale of damage that could be caused, not only in the domestic market but also across the Union. Article 17 of the act, which deals with sanctions, is general, allows too much discretion to MS to set sanctions, and does not provide sufficient guidelines to take account of cross-border and pan-European effects.

4.5

Today, governments and the providers of vital services do not publicise security and resilience failures unless they have to. This lack of disclosure hurts Europe's ability to respond speedily and effectively to cyber threats, and to improve general NIS through shared learning. The Committee commends the Commission on the decision to make notification of all significant NIS incidents mandatory under the Directive. The EESC does not believe that voluntary self-reporting of incidents would work, because there is an incentive, out of reputational and liability fears, to cover up failure events.

4.6

However, Article 14 of the Directive, which deals with reporting, fails to define what would constitute an incident having a ‘significant impact’ on security, and it allows too much discretion to relevant entities and MS on whether or not to report NIS incidents. Effective legislation requires unambiguous requirements. Because the proposed Directive is too vague on the essential definition of requirements, it is not possible to hold parties liable for compliance failures as envisaged under Article 17 of the Directive.

4.7

Because the provision of NIS is mostly in the hands of the private sector, it is important that high levels of trust and cooperation are fostered with all companies responsible for vital information infrastructure and services. The European Public Private Partnership for Resilience (EP3R) initiative launched by the Commission in 2009 is to be applauded and encouraged. However, the Committee believes that the initiative needs to be strengthened and supported with a regulatory obligation in the NIS act to compel the cooperation of key stakeholders who fail to properly engage.

4.8

Each MS should publish an online directory for its jurisdiction of all the entities that fall under the security requirements and incident notification obligations of Article 14 of the proposed Directive. As well as clarifying how each MS decides to apply the definitions in Article 3 of the act, this transparency would help build trust and encourage a culture of risk management among citizens.

4.9

The EESC notes that software developers and hardware manufacturers are explicitly excluded from the requirements of the Directive because they are not providers of information society services. However, the Committee believes that the proposed act should state that those entities with obligations under the Directive would have recourse to suppliers of software and hardware for any defects in their products or services that contribute directly to NIS incidents.

4.10

Although the Commission estimates that implementing the proposed NIS Directive will cost about EUR 2bn/annum, spread across the public and private sector in Europe, the Committee notes that some MS under financial pressure will struggle to find the investment required for compliance. There is a need to consider how support might be provided under the MFF for NIS compliance, by various instruments, including the European Regional Development Fund (ERDF) and perhaps the Internal Security Fund.

Brussels, 22 May 2013.

The President of the European Economic and Social Committee

Henri MALOSSE


(1)  An Open, Safe and Secure Cyberspace JOIN (2013) 1.

(2)  EESC opinions on Critical Information Infrastructure Protection, OJ C 255, 22.9.2010, p. 98 and on the Directive on Attacks against Information Systems, OJ C 218, 23.7.2011, p. 130.

(3)  European Aviation Safety Agency: http://easa.europa.eu/

(4)  EESC opinions on Cloud computing in Europe, OJ C 24, 28.1.2012, p. 40 and on Unleashing the Potential of Cloud Computing, OJ C 76, 14.3.2013, p. 59.

(5)  http://www.nytimes.com/2013/03/25/technology/united-states-wants-to-attract-hackers-to-public-sector.html?pagewanted=all&_r=0

(6)  http://www.bbc.co.uk/news/technology-17333601

(7)  EESC opinion on A Strategy for a Secure Information Society, OJ C 97, 28.4.2007, p. 21.

EESC opinion on Critical Information Infrastructure Protection, OJ C 255, 22.9.2010, p. 98.

EESC opinion on ENISA Regulation, OJ C 107, 6.4.2011, p. 58.

EESC opinion on General Data Protection Regulation, OJ C 229, 31.7.2012, p. 90.

EESC opinion on Attacks against information systems, OJ C 218, 23.7.2011, p. 130.

EESC opinion on Electronic transactions in the Internal Market, OJ C 351, 15.11.2012, p. 73.

EESC opinion on Unleashing the Potential of Cloud Computing, OJ C 76, 14.3.2013, p. 59.

(8)  http://forumblog.org/2012/05/what-if-the-internet-collapsed/

(9)  http://www.nytimes.com/2013/03/27/technology/internet/online-dispute-becomes-internet-snarling-attack.html?pagewanted=all&_r=0

(10)  http://www.dutchnews.nl/news/archives/2013/04/online_retailers_demand_banks.php

(11)  http://www.securelist.com/en/analysis/204792216/Kaspersky_Security_Bulletin_Statistics_2011

(12)  UK Cyber Security Strategy – Landscape Review: http://www.nao.org.uk/wp-content/uploads/2013/03/Cyber-security-Full-report.pdf

(13)  Council Resolution 2007/C 68/01

(14)  COM(2006) 251 and COM(2009) 149

(15)  http://conventions.coe.int/Treaty/Commun/ChercheSig.asp?NT=185&CL=ENG

(16)  CERT-EU is the permanent Computer Emergency Response Team for the EU institutions, agencies and bodies.

(17)  EESC opinions on Cloud computing in Europe, OJ C 24, 28.1.2012, p. 40 and on Unleashing the Potential of Cloud Computing, OJ C 76, 14.3.2013, p. 59.
