
Document 52013IR1646

Opinion of the Committee of the Regions on ‘Cyber-security Strategy’

OJ C 280, 27.9.2013, p. 19–26 (BG, ES, CS, DA, DE, ET, EL, EN, FR, HR, IT, LV, LT, HU, MT, NL, PL, PT, RO, SK, SL, FI, SV)

27.9.2013   EN   Official Journal of the European Union   C 280/19



2013/C 280/05

THE COMMITTEE OF THE REGIONS

welcomes the Commission’s Cybersecurity Strategy and Directive on Network and Information Security (NIS), and supports the Strategy’s objective to ensure an open, safe and secure cyber space and make the EU’s online environment the safest in the world;

believes that a package to bind existing and proposed work in this area is urgently needed and will help provide a coordinated, strategic vision for Europe. The package is welcomed in order to ensure coordination, encourage cooperation, produce clear, decisive actions, achieve a common level of cyber protection, improve resilience in IT systems and networks against new and emerging cyber threats, and reduce fragmentation across the EU;

recommends the publication of an Action Plan by the Commission to explain how the ambitious goals set out in the package will work in practice. The Action Plan will also need guidance for evaluating and measuring the effect of the Strategy, in order to ascertain whether cooperation is taking place and whether progress is being achieved;

stresses that the new package should help improve the prevention, detection and response to cyber incidents and lead to better information sharing and coordination between Member States and the Commission against major cyber incidents. Achieving this will require genuine partnership working involving Member States, EU institutions, local and regional authorities (LRAs), the private sector and civil society.

Rapporteur

Robert BRIGHT (UK/PES), Member of Newport City Council

Reference documents

Joint Communication Cyber Security Strategy of the European Union

(JOIN(2013) 1 final)

Proposal for a Directive Concerning measures to ensure a high common level of network and information security across the Union

(COM(2013) 48 final)

I.   POLICY RECOMMENDATIONS

THE COMMITTEE OF THE REGIONS

1. welcomes the Commission’s Cybersecurity Strategy and Directive on Network and Information Security (NIS), and supports the Strategy’s objective to ensure an open, safe and secure cyber space and make the EU’s online environment the safest in the world;

2. expects the new cybersecurity package (including the Strategy and Directive) to "raise the bar" and make a major contribution to the development of cyber security standards across the EU, diminishing legal uncertainty, increasing trust and confidence in online services, reducing unnecessary costs and administrative burdens and thus supporting the Digital Single Market and the objectives of the Europe 2020 strategy;

3. believes that a package to bind existing and proposed work in this area is urgently needed and will help provide a coordinated, strategic vision for Europe. The package is welcomed in order to ensure coordination, encourage cooperation, produce clear, decisive actions, achieve a common level of cyber protection, improve resilience in IT systems and networks against new and emerging cyber threats, and reduce fragmentation across the EU;

4. recommends that organisations, including public authorities, acknowledge that tackling cybercrime is an ongoing battle, and urges them to prioritise the threat posed by cyber disruptions and attacks by identifying vulnerabilities and developing organisational capacities for managing breaches. As the internet becomes an increasingly integral part of people's lives, the menacing threat from cybercrime increases and expands in parallel. Cybercrime, in all its forms, is a rapidly developing, sophisticated new threat to Member States, organisations and EU citizens in the 21st century, one which continually increases in frequency and complexity and knows no borders;

5. recognises the key advances the EU has made to date in better protecting citizens from online crimes, including proposing legislation on attacks against information systems, and the launch of a Global Alliance to fight child sexual abuse online. The package should take forward previous actions, including those identified in the 2010 Digital Agenda for Europe (1), and build towards a robust European cyber defence policy; urges to this effect the co-legislators currently discussing the Commission proposal for a Directive on attacks against information systems (2), to come to a swift agreement on the proposal;

6. supports the Strategy’s ambition as it aims not only to harmonise the cybersecurity capabilities of Member States and bring the various strands of existing and proposed work together to establish common standards and a level playing field, but also to coordinate and achieve consistency across three policy areas whose competences have been separate: law enforcement; the Digital Agenda; and Defence, Security and Foreign Policy;

7. suggests the package could benefit from evidence being collected by national governments and should propose a set of harmonised standards related to networks and information security;

8. welcomes the multi-stakeholder approach taken by the package towards policy-making. The package recognises the importance of public-private cooperation, and achieving genuine partnership working with adequate resources. The package also aspires towards the completion of the EU Digital Single Market, creating a safe, secure and prosperous online digital environment for companies, governments and citizens;

9. welcomes the measures proposed in the Directive, including the recommendation that Member States must adopt a national NIS Strategy, set up Computer Emergency Response Teams (CERTs) to work with the European Network and Information Security Agency (ENISA), and create a clear cooperation mechanism among Member States and the Commission to share early warnings on risks and incidents through a secure infrastructure. These measures and the regulatory approach taken by the Directive should do much to improve consistency, establish a common minimum level of preparedness at national level and boost cyber defences across the EU;

10. encourages the European Parliament and the Council to swiftly adopt the proposal for a Directive on a common high level of NIS across the European Union;

11. suggests the package could benefit from further details on how Member States report and collate data on cybercrime as well as further specificities on how to implement measures. Common reporting systems and further clarity on notification requirements will be crucial to avoid uncertainty and a lack of consistency on how a national NIS competent authority defines and measures cyber-incidents that have a "significant impact". It is also imperative that setting up a national NIS competent authority takes into account the division of competences within Member States, particularly those with highly federalised or devolved structures;

12. voices therefore some concern over certain regulatory and legal aspects of the package, particularly with regard to the lack of clarity when it comes to the definition of the criteria to be fulfilled for a Member State to be authorised to participate in the secure information-sharing system, further specification of the triggering events for early warning, and the definition of the circumstances in which market operators and public administrations are required to notify incidents. The absence of clearly established rules over these issues impedes legal certainty;

13. expresses some concern that the Directive could place unnecessary regulatory burdens on business and public bodies. All efforts must be made to avoid duplication of regulation and ensure that any additional regulation accords with the principles of proportionality. This will be of particular relevance to those organisations that may already have an obligation to notify which is substantially similar to what is envisaged here;

14. recommends the publication of an Action Plan by the Commission to explain how the ambitious goals set out in the package will work in practice. The Action Plan will also need guidance for evaluating and measuring the effect of the Strategy, in order to ascertain whether cooperation is taking place and whether progress is being achieved;

15. urges all Member States to develop national cybersecurity strategies (only ten Member States had developed a strategy by 2012) that complement the new EU Strategy. Complementarity between national strategies and the EU Strategy is important in order to ensure consistency. It is also important that EU actions complement existing structures and best practice in Member States;

16. welcomes the Commission’s forthcoming actions to develop the EU’s cybersecurity capabilities, including the launch of a pilot project to fight botnets and malware; the commitment to enhancing cooperation between national CERTs, ENISA and the new European Cybercrime Centre; the development of a network of national Cybercrime centres of excellence; and the launch of a public-private platform on NIS solutions to develop incentives for the adoption of secure ICT solutions. The Strategy’s aim to gather together all relevant parties to assess progress in 12 months’ time is also welcomed;

17. underlines that a successful cybersecurity strategy relies on the close cooperation between competent NIS authorities and law enforcement authorities. To this effect, systematically reporting incidents of a suspected serious criminal nature to law enforcement authorities is of key importance;

Local and regional involvement

18. believes that the priorities outlined in the package strike a good balance and are appropriate. The priorities, such as protecting fundamental rights, personal data and privacy, an efficient multi-stakeholder governance and a shared responsibility to ensure security, are all domains in which the cities and regions should play a key role in their capacity of holders of public sector information;

19. suggests the regions should be recognised alongside the Member States as main promoters of the closer cooperation between users and producers of ICT innovations in different corners of governments and administrations, including cyber security and data protection;

20. stresses that the new package should help improve the prevention, detection and response to cyber incidents and lead to better information sharing and coordination between Member States and the Commission against major cyber incidents. Achieving this will require genuine partnership working involving Member States, EU institutions, local and regional authorities (LRAs), the private sector and civil society;

21. acknowledges that countering cyber threats will require greater resources, raising awareness of the threats posed by cybercrime and the need for efficient and adequate cybersecurity. Regarding multi-level governance, a strong approach to cybersecurity must consider LRAs, who need to be fully and effectively involved in the governance of ICT-related initiatives;

22. believes that, given that breaches of security are a threat to utility services such as local water and energy supplies, and given that they use and own many digital information products and services, LRAs have a key role to play in tackling cybercrime, collating cyber-related data and protecting data security. An increasing amount of responsibility falls on LRAs to deliver, for example, digital services to citizens and communities and provide NIS training in schools. Governments, including those at the local and regional level, are responsible for safeguarding access and openness, respecting and protecting fundamental rights online and maintaining the reliability and interoperability of the internet;

23. suggests that in order to achieve better law-making, given LRAs' competences and the key role they are called to play when planning and implementing any measures in the fields of ICT (particularly for aspects related to privacy, data protection and cybersecurity), these authorities should be systematically consulted by the EU institutions and Member States both in the conception and implementation of measures designed to put the European Digital Agenda into effect. Indeed it is regrettable that no particular effort was made to collect the views of LRAs in preparing the Directive proposal. The CoR has made it clear that it is ready to assist the Commission with pre-legislative consultations, as stated in the CoR-Commission Protocol of Cooperation (3);

24. recommends including measures applicable to the local and regional level in Article 14, Point 1 of the Directive. These measures might include establishing a risk assessment and management process, enforcing information security policy and increasing perception of cybersecurity issues and improving digital literacy and skills;

25. stresses that at the sub-national level, partnerships should be encouraged and developed between all relevant actors to work on coordinated actions for cybersecurity and feed into cybersecurity actions at the national and EU level, with a view to combating e-crime and minimising its effects caused by direct financial or intellectual property theft, disruption of communications or damage to business-critical data;

Subsidiarity and proportionality

26. notes that, on the whole, the two conditions for complying with the subsidiarity principle, necessity for EU action and added value of action at EU level, appear to be met. The proposed actions are necessary because they involve trans-national aspects that cannot be properly regulated by Member States and/or LRAs acting alone. The proposed actions are also likely to provide a clear benefit compared with isolated action at national, regional or local levels because, for example, personal data are transferred across national boundaries, both internal and external borders, at rapidly increasing rates. In addition, regulatory obligations at EU level will clearly assist with establishing a level playing field and close legislative loopholes;

27. welcomes the Directive’s fundamental commitment to the principles of subsidiarity and proportionality. Given the cross-border aspects of NIS incidents and risks, the objectives outlined in the Directive can be better achieved at EU level, in line with the subsidiarity principle. Research shows that EU citizens trust institutions such as the Commission regarding the protection of personal data (4). The Directive also essentially aligns with the proportionality principle, ensuring that the proposed Directive does not go beyond what is necessary in order to achieve those objectives. However, the fact that the proposal provides for only one competent authority or national CERT per country does raise concerns with regard to the respect of the proportionality principle and of the internal governance structures of the EU Member States;

28. believes that whilst the legal basis for the package is grounded in Articles 26 and 114 TFEU, the proposed actions go beyond these Articles as the proposal covers all public administration information systems, including internal information systems such as the intranet;

Charter of Fundamental Rights

29. welcomes the Directive’s commitment to the Charter of Fundamental Rights of the European Union. The same norms, principles and values that the EU upholds offline should also apply online. Information and communication technologies (ICTs) should include the needs of all members of society, including those risking social exclusion. All internet users should expect minimum standards across a broad range of needs, including reliability, security, transparency, simplicity, interoperability and risk and liability reduction. In the interests of effective protection for fundamental rights, legal certainty and maintenance of the parliamentary scrutiny reservation, the Committee calls for more specific substantive rules defining network and information security standards to be included in the Directive itself. This should include, in particular, requirements for network and information security in terms of fundamental rights and data protection and data security law;

30. emphasises that attempts to protect and defend citizens online must have an appropriate balance with the rights, freedoms and principles granted to citizens in the Charter. The importance of framing cyber policies within EU core values is welcomed. As outlined in previous Opinions (5), it will be crucial to ensure that all security requirements at every level are met to ensure optimum levels of privacy and protection of personal data and prevent any kind of unauthorised tracking of personal information and profiling;

31. emphasises that despite private operators becoming increasingly responsible for critical infrastructures and online services and the need to recognise the crucial role of the private sector, the State must, ultimately, have responsibility for both preserving the freedom and protecting the safety of its citizens online;

Simplification

32. notes that the introduction across Europe of the principle that people's details and the details of objects be registered once only, removing the need for repeated form-filling, will do a great deal to remove unnecessary red-tape for the public and help reduce public administration costs. Attention must therefore be paid to due compliance with data protection legislation;

Training

33. highlights that effective cyber defences require training and up-skilling personnel, including those in LRAs. Extensive training should be provided for all staff, particularly specialist technicians, staff working directly with security procedures involving different methodologies and staff generally or indirectly involved in innovation and modernisation drives on trust and security related issues. Continuous training is important for the success of local e-Government, whilst LRAs also play an increasingly important role in providing information and guidance to citizens to properly use systems and recognise cyber threats (6);

34. notes that management involvement is critically important to success. For this reason, targeted training of executive and management groups is also needed with the aim of giving them knowledge and a good basis for developing a culture of safety in their respective organisations;

35. notes the improvement in education and training through the introduction of NIS training and the establishment of a cybersecurity championship in 2014. This should take account of established events held in Member States and encourage the exchange of best practices. Welcomes the ambition through the Strategy to introduce NIS training in schools; however, given that education is a Member State competence, suggests that achieving this by 2014 will require significant resources and planning;

Supporting enterprises, innovation and technical solutions

36. draws attention to the fact that providing privacy protection depends on certain factors, including the structuring of public sector bodies (the majority of which are at local level), the convergence of EU legislation, the fostering of an innovative culture among public authority officials, including through the use of a common code of ethics, and among citizens, through defining and raising awareness of their digital consumer rights, and the management of ICT-based applications;

37. maintains that further activities should be aimed at stimulating and encouraging the development and application of technical solutions for dealing with illegal content and harmful conduct online, as well as at promoting cooperation and exchange of best practice among a wide range of stakeholders at local, regional, European and international level. In this regard, of utmost importance are the help-lines for children, parents and carers, hotlines for reporting abuse, software that allows better identification of abusive content and easy and fast reporting;

38. recommends that every effort must be made to increase the small percentage of enterprises in the EU (26% by January 2012) that have a formally defined ICT security policy (7). Enterprises of all sizes must be encouraged to invest in cybersecurity, which can be used as a marketing tool towards prospective clients and mitigate the catastrophic effects of cybercrime in the process. Enterprises should consider a business-driven approach to cybersecurity supported by technology, prioritising their most critical business assets or processes;

Economic potential of ICTs

39. stresses that considering the huge economic potential of ICTs to the European economy (currently almost 6% of the EU GDP (8)), concrete steps are needed now to tackle the growing phenomenon of cybercrime and restore confidence in internet security from both citizens and companies (reducing the number of EU internet users who are concerned about the safety of, for example, online payments (9), in the process);

40. maintains that in order to reduce the huge amounts of funds lost to cybercrime and boost consumer confidence, urgent efforts are needed at the local/regional, national and EU level to counter cybercrime;

41. suggests that the Strategy would benefit from further details on how to protect and develop cloud computing, which has huge economic potential. The rapid growth in the use of mobile electronic devices shows no sign of slowing. Gartner reports that by 2016 at least 50% of enterprise email users will rely on a mobile client (10). New problems and opportunities created by mobile electronic devices and cloud computing must be examined. Furthermore, cloud computing needs an appropriate architecture to achieve optimum security levels (11). In fact, the Committee has expressed its concern over the fact that the recent European Commission communication on cloud computing does not go into enough depth into links between the proposed strategy and other issues, such as secure data processing, copyright law as well as the development of data accessibility and portability (12);

International cooperation

42. believes that given the global, inter-connected and cross-border threat posed by cybercrime, international cooperation and dialogue beyond EU borders is also encouraged in order to ensure a truly global, coordinated approach to cybersecurity. In this respect, all States must be encouraged to commit themselves to the International Convention on Cybercrime (Budapest Convention) (13). Continued cooperation at bilateral level, particularly with the US, and at multilateral level with a range of international organisations, is also important;

Links with EU Funding Programmes and Budgetary Framework

43. emphasises the importance of improving coordination with existing and future funding instruments, such as Horizon 2020, European Framework Cooperation, and the Internal Security Fund, in order to ensure a more coordinated approach towards cyber-related investments;

44. queries whether the budget allocation of EUR 1.25 million will be sufficient to provide a robust and adequate NIS infrastructure, and expresses disappointment over the reduced financial allocation for the Connecting Europe Facility in the 8 February Council agreement on the Multi-Annual Financial Framework 2014-2020. A robust and enlarged budget is needed to provide financial support for key ICT infrastructure, linking up Member States' NIS capabilities and therefore easing cooperation across the EU.

II.   RECOMMENDATIONS FOR AMENDMENTS

Amendment 1

Preamble (4)

Text proposed by the Commission:

A cooperation mechanism should be established at Union level to allow for information exchange and coordinated detection and response regarding network and information security ("NIS"). For that mechanism to be effective and inclusive, it is essential that all Member States have minimum capabilities and a strategy ensuring a high level of NIS in their territory. Minimum security requirements should also apply to public administrations and operators of critical information infrastructure to promote a culture of risk management and ensure that the most serious incidents are reported.

CoR amendment:

A cooperation mechanism should be established at Union level to allow for information exchange and coordinated detection and response regarding network and information security ("NIS"). For that mechanism to be effective and inclusive, it is essential that all Member States have minimum capabilities and a strategy ensuring a high level of NIS in their territory. Minimum security requirements should also apply to public administrations, including local and regional authorities, and operators of critical information infrastructure to promote a culture of risk management and ensure that the most serious incidents are reported.

Amendment 2

Preamble (9)

Text proposed by the Commission:

To achieve and maintain a common high level of security of network and information systems, each Member State should have a national NIS strategy defining the strategic objectives and concrete policy actions to be implemented. NIS cooperation plans complying with essential requirements need to be developed at national level in order to reach capacity response levels allowing for effective and efficient cooperation at national and Union level in case of incidents.

CoR amendment:

To achieve and maintain a common high level of security of network and information systems, each Member State should have a national NIS strategy defining the strategic objectives and concrete policy actions to be implemented. NIS cooperation plans complying with essential requirements need to be developed at national level, with the full involvement of local and regional authorities, in order to reach capacity response levels allowing for effective and efficient cooperation at national and Union level in case of incidents.

Amendment 3

Preamble (35)

Text proposed by the Commission:

It is of particular importance that the Commission carry out appropriate consultations during its preparatory work, including at expert level. The Commission, when preparing and drawing up delegated acts, should ensure a simultaneous, timely and appropriate transmission of relevant documents to the European Parliament and to the Council.

CoR amendment:

It is of particular importance that the Commission carry out appropriate consultations during its preparatory work, including at expert level. The Commission, when preparing and drawing up delegated acts, with a view to supplementing or amending certain non-essential elements of the basic act, should ensure a simultaneous, timely and appropriate transmission of relevant documents to the European Parliament and to the Council.

Amendment 4

Chapter 4

Article 14(1)

Text proposed by the Commission:

Security requirements and incident notification

1.   Member States shall ensure that public administrations and market operators take appropriate technical and organisational measures to manage the risks posed to the security of the networks and information systems which they control and use in their operations. Having regard to the state of the art, these measures shall guarantee a level of security appropriate to the risk presented. In particular, measures shall be taken to prevent and minimise the impact of incidents affecting their network and information system on the core services they provide and thus ensure the continuity of the services underpinned by those networks and information systems.

CoR amendment:

Security requirements and incident notification

1.   The Member States shall ensure that public administrations and market operators take appropriate technical and organisational measures to manage the risks posed to the security of the networks and information systems which they control and use in their operations. These measures might include, on the local and regional level, establishing a risk assessment and management process, enforcing information security policy and increasing perception of cybersecurity issues and improving digital literacy and skills. Having regard to the state of the art, these measures shall guarantee a level of security appropriate to the risk presented. In particular, measures shall be taken to prevent and minimise the impact of incidents affecting their network and information system on the core services they provide and thus ensure the continuity of the services underpinned by those networks and information systems.

Reason

The role of LRAs in the fight against cybercrime is crucial and needs to be fully acknowledged.

Amendment 5

Chapter 4

Article 16

Text proposed by the Commission:

Standardisation

1.   To ensure convergent implementation of Article 14(1), Member States shall encourage the use of standards and/or specifications relevant to networks and information security.

2.   The Commission shall draw up, by means of implementing acts a list of the standards referred to in paragraph 1. The list shall be published in the Official Journal of the European Union.

CoR amendment:

Standardisation

1.   To ensure convergent implementation of Article 14(1), Member States shall encourage the use of harmonised standards and/or specifications relevant to networks and information security.

2.   The Commission shall draw up, by means of implementing acts, a list of the standards referred to in paragraph 1. The list shall be published in the Official Journal of the European Union.

Reason

The European Commission acknowledges that the application of divergent standards by different Member States is a big challenge. Therefore, the harmonisation of standards is essential in order to ensure a common level of network and information security across the EU.

Brussels, 3 July 2013.

The President of the Committee of the Regions

Ramón Luis VALCÁRCEL SISO


(1)  COM(2010) 245, http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=COM:2010:0245:FIN:EN:HTML

(2)  COM(2010) 517, http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=M:2010:0517:FIN:EN:PDF

(3)  Protocol on the cooperation between the European Commission and the Committee of the Regions signed on 16 February 2012, R/CdR39/2012 item 7.

(4)  http://ec.europa.eu/public_opinion/archives/ebs/ebs_359_en.pdf

(5)  CdR 104/2010 fin.

(6)  http://www.enisa.europa.eu/publications/archive/scandinavian-approaches-survey

(7)  http://epp.eurostat.ec.europa.eu/statistics_explained/index.php/ICT_security_in_enterprises

(8)  http://europa.eu/rapid/press-release_MEMO-13-71_en.htm

(9)  http://ec.europa.eu/public_opinion/archives/ebs/ebs_390_en.pdf

(10)  http://www.sophos.com/medialibrary/PDFs/other/SophosSecurityThreatReport2012.pdf

(11)  http://www.mcafee.com/hk/resources/reports/rp-sda-cyber-security.pdf

(12)  CdR 1673/2012.

(13)  http://conventions.coe.int/Treaty/Commun/ChercheSig.asp?NT=185&CM=&DF=&CL=ENG

