52003AE0747

Opinion of the European Economic and Social Committee on the "Proposal for a Regulation of the European Parliament and of the Council establishing the European Network and Information Security Agency" (COM(2003) 63 final — 2003/0032 (COD))

Official Journal C 220, 16/09/2003 P. 0033 - 0035


(2003/C 220/07)

On 3 March 2003 the Council decided to consult the European Economic and Social Committee, under Articles 95 and 156 of the Treaty establishing the European Community, on the above-mentioned proposal.

The Section for Transport, Energy, Infrastructure and the Information Society, which was responsible for preparing the Committee's work on the subject, adopted its opinion on 5 June 2003. The rapporteur was Mr Lagerholm.

At its 400th plenary session, held on 18 and 19 June 2003 (meeting of 18 June), the European Economic and Social Committee adopted the following opinion by 71 votes in favour with one abstention.

1. Introduction

1.1. Information systems are crucial to the whole economy. Not only are they vital for most sectors of industry, they are also of fundamental importance for the public sector, universities and centres of learning, and for private citizens. When such systems malfunction, everybody is affected: individuals, public administrations and businesses alike.

1.2. The European Community would benefit from greater cooperation between the Member States in order to achieve an adequate level of security across the Community. This was the objective of the Commission's June 2001 Communication on Network and Information Security(1).

1.3. Security has therefore become an important user issue and consequently also a major policy concern. Since 11 September 2001, the functionality of information systems has also become a matter for national security. Member States are, however, at different stages of their work and the focus varies. There is no systematic cross-border cooperation on network and information security between Member States, despite the fact that security cannot be a solely domestic concern. There is no mechanism to ensure effective responses to security threats. Implementation of the legal framework differs. There is a lack of interoperability, which impedes the proper use of security products.

1.4. The proposed Agency will facilitate the application of Community measures relating to network and information security, and help ensure interoperability of security functions in networks and information systems, thereby contributing to the functioning of the internal market.

1.5. The Agency will have advisory and coordinating functions:

- contributing to broad cooperation between different players in the field of information security;

- providing a coordinating approach to information security by providing support to Member States;

- playing a supportive role in the identification of relevant standardisation needs;

- providing support for Community contacts with relevant parties in third countries.

1.6. The Commission should be able to assign additional tasks to the Agency in order to keep abreast of technological and societal developments.

1.7. It is proposed that the Agency should become operational on 1 January 2004, and that it will operate for 5 years. Continued operation of the Agency will depend on the results of its performance assessment.

2. General comments

2.1. On several occasions in various opinions, the EESC has expressed its support for all initiatives that promote the information society, e.g. its opinions on the eEurope action plan; Network and information security(2); Combating computer-related crime(3); the need to develop an information society without discrimination(4); and the right to secure access to the Internet with regard to protection for personal data and secure commercial payments and information services(5).

2.2. The EESC shares the Commission's view that it is very important that network and information systems should operate securely. Shortcomings in network and information systems affect everyone: citizens, businesses and public administrations. From today's perspective, network and information security is about ensuring the availability of services and data, preventing the disruption and unauthorised interception of communications, confirming that data that has been sent, received or stored is complete and unchanged, and protecting information systems against unauthorised access and attacks, etc. Users must have confidence in the new technology, regardless of whether they are using it at work, in centres of learning or at home. Security requirements are increasing as networking and computer use develop and spread throughout the Member States and the world at large. In the light of this, the Committee would highlight in particular the need for safety requirements also to be adapted to and include the new types of user behaviour that are accompanying the rapid development of the sector. In particular, the increasing use of mobile Internet and new radio communications systems is creating new requirements in terms of security, encryption, accessibility, etc.

2.3. User confidence in information technology and trust in the information society and the infrastructures that underpin it are essential if Europe is to be the most competitive, dynamic knowledge-based economy in the world by 2010. If the eEurope action plan objectives on access to information society services and e-business, e-health services, e-administration and electronic marketplaces, etc., are to be achieved, there must be better access to a more secure infrastructure and improved user confidence in information technology.

2.4. As the Commission points out, the Member States are at different stages of their security agenda. This is most probably a reflection of the fact that electronic services are used to differing degrees across the Member States. If the information society is to be applied across the board throughout the Community, common measures will be needed, such as the introduction of common standards, common certification criteria and common security solutions. This is a key requirement for individuals, businesses, universities and public administrations throughout the Community's territory. The security problem can no longer be seen as an isolated issue for one country. The EESC therefore endorses the Commission proposal to establish a European Network and Information Security Agency.

2.5. However, European cooperation on security policy to deal with threats to the information society, which would require cooperation between the Member States' law enforcement and judicial systems, is another matter. It is important to differentiate between subversive threats to individual nations, and threats to EU citizens' personal use of information-society services. The former could probably not be dealt with successfully at regional level; it would require global cooperation. The Committee, which is aware how immediate these threats are, shares the Commission's view that the Agency must not deal with issues that are normally dealt with by Member State security, defence, law enforcement and judicial systems. A future evaluation of the Agency's activities should, however, assess whether this restriction has had a negative impact on the Agency's work, and whether there is a case for establishing a clear demarcation between national security and functional information security.

2.6. The EESC would stress that it is essential that the Agency should begin its work as soon as possible. It is important that no practical constraints, such as lengthy deliberations regarding location, should be allowed to delay the launch, which should take place on 1 January 2004 at the latest.

3. Specific comments

3.1. The EESC feels that the Agency should have a wider remit than that attributed to it in the Commission proposal. In addition to creating a common understanding of the problems facing the information society, and to supporting Community measures for network and information security, the Agency should also have the explicit task of helping to disseminate knowledge and experience of network and information security between the Member States. This could help to bridge the digital divide in the Community. It would also help to enhance the Community's and Member States' ability to solve network and information-security problems, and boost user trust and confidence in information technology, the information society and the infrastructure that underpins it.

3.2. As the Commission asserts, the Agency's organisational structure should facilitate the involvement of its various stakeholders. This is particularly important as regards user groups from the business world, universities, and individuals, etc. Naturally, supply-side representatives must also be represented. The Committee therefore endorses the proposal to allow representatives of industry and consumers to sit on the Management Board. However, the Committee can see no reason why these members should have no voting rights - particularly since, according to the proposal, they are to be appointed by the Council. When it comes to exploiting information society services and knowledge of the market, it is often the case that industry, researchers and consumers are a step ahead of public administration representatives.

3.3. The EESC can generally endorse the proposals for the operation of the Agency as set out in point 3.5 of the Commission document. The Committee would nevertheless like to add a few comments.

3.3.1. With regard to the Agency's work programme, the Committee believes that the Agency must be provided with the resources to enable it to cope with sudden, immediate security issues, i.e. to cope with sudden incidents as well as with its regular work programme. Consequently, the work programme must not be such that the long-term agenda prevents the Agency from addressing unexpected, immediate security and confidence issues.

3.3.2. With regard to any restrictions on who should be entitled to request an opinion from the Agency, the EESC believes that the Member States' national business and consumer organisations should have this option.

3.3.3. The Committee assumes that user representatives from business and consumer organisations will also be involved in the working groups set up by the Agency, and thus be able to influence directly the work on standardisation and certification, for example. The Agency will need the active participation of the business world if it is to fulfil its remit here.

3.4. Turning to the financial provisions, the EESC believes it is essential to spell out and ensure that the Agency's work and financial situation cannot be dependent on any contribution from third countries participating in the work of the Agency.

3.5. The Committee shares the Commission's view that it is appropriate to carry out a review after three years, in order to decide whether the proposed institutional solution is the most suitable way to address network and information-security issues, user trust and confidence in information technology, the information society and the infrastructure underpinning it.

3.6. With regard to the location of the Agency, the EESC feels that, in addition to the criteria stipulated by the Commission, it is important that the Agency should be located in an environment where:

- there is well-developed infrastructure with high transmission capacity;

- public sector e-services are well-developed;

- e-business is a normal part of business life, and the wider user base uses information technology as a matter of course.

This would enable the Agency to operate in a well-developed information society, and monitor and observe in situ the risks and threats it is tasked with studying, assessing and making public, etc. It could also be particularly useful in enabling the Agency to track the problems that individual users and small businesses come up against in the information society. These user groups would probably otherwise be the least likely to have their interests defended under the international cooperation system. Locating the Agency in such an area could be crucial to enabling it to carry out its tasks effectively.

Brussels, 18 June 2003.

The President

of the European Economic and Social Committee

Roger Briesch

(1) COM(2001) 298 final.

(2) ESC Opinion on the Communication from the Commission to the Council, the European Parliament, the Economic and Social Committee and the Committee of the Regions - Network and Information Security: Proposal for a European Policy Approach (OJ C 48, 21.2.2002); and ESC Opinion on the Proposal for a Council Decision adopting a multi-annual programme (2003-2005) for the monitoring of eEurope, dissemination of good practices and the improvement of network and information security (COM(2002) 425 final).

(3) ESC Opinion on the Communication from the Commission to the Council, the European Parliament, the Economic and Social Committee and the Committee of the Regions - Creating a safer information society by improving the security of information infrastructures and combating computer-related crime (OJ C 311, 7.11.2001).

(4) ESC Opinion on Public sector information: a key resource for Europe - Green Paper on public sector information in the information society (OJ C 169, 16.6.1999).

(5) ESC Opinion on the Proposal for a Directive of the European Parliament and of the Council concerning the processing of personal data and the protection of privacy in the electronic communications sector (OJ C 123, 25.4.2001).