Explanatory Memorandum to COM(2003)63 - European Network and Information Security Agency

dossier COM(2003)63 - European Network and Information Security Agency.
source COM(2003)63 EN
date 11-02-2003
1. BACKGROUND

Today more than 90% of companies in the European Union have an Internet connection and the majority of them operate a web site. An overwhelming number of employees use a mobile phone, a lap-top, or a similar device to send or retrieve information for their work. Such information can represent a considerable value, for instance by describing a business transaction or containing technical knowledge.

Beyond work, computing and networking have become an essential part of people's lives. In 2002 about 40% of EU households had their own Internet connections and more than 2/3 of the population used a mobile phone. Schools and universities have Internet connections and learning and studying using the Internet or a computer is common practice. Public administrations are rapidly moving towards electronic government. Computers and communication networks control infrastructures such as electricity and water supply or public transport systems. Since 11 September 2001 these aspects have also become a matter for national security.

As so much depends on networks and information systems, their secure functioning has become a key concern. Similarly to what has become a natural expectation with e.g. electricity or water supply, people also expect a phone to work when they pick it up. They expect a computer to run properly when they need it. They want to have access to stored information without undue delays or interruptions. Network failures and computer crashes are no longer an isolated problem for computer specialists. The malfunctioning of networks and information systems concerns everybody: citizens, businesses and public administrations.

Security has become an essential feature of many businesses, in particular on-line businesses. It has therefore become an industry with specialised companies selling products and services and is also subject to commercial arrangements. Consumers for instance buy anti-virus software and install firewalls on their computers. Companies invest in security, establish protected intranets and encrypt e-mails or wireless communication. Sensitive data is transmitted using encryption. Some users seem to be well aware of vulnerabilities and means to manage them, others are less informed or concerned.

From today's perspective network and information security is about ensuring the availability of services and data, preventing the disruption and unauthorised interception of communications, confirming that data which has been sent, received or stored are complete and unchanged, securing the confidentiality of data, protecting information systems against unauthorised access, protecting against attacks involving malicious software and securing dependable authentication, i.e. the confirming of an asserted identity of entities or users.

In the near future requirements on security will rapidly change as networking and computing develop further and computing becomes more ubiquitous. This means that broadband connections will offer people the possibility to be connected to the Internet at all times, new wireless applications will enable users to access the Internet from just about anywhere, and the possibilities to connect everything from printers to refrigerators to the Internet will continue to develop and expand the way people use the Internet.

Managing security has turned out to be a difficult and complex task as the user has to deal with the availability, integrity, authenticity, and confidentiality of data and services. Due to the complexity of technology, many components and actors must play together, and human behaviour has become a crucial factor.

Full security will probably never be achievable, at least not at reasonable costs. There will always be weak points, attacks, incidents and failures that will generate damage and undermine trust in systems and services. This is no different from other technologies and aspects of daily life. Society as a whole as well as individuals have to learn how to manage the risks involved in networks and information systems.


2. CAUSE FOR ACTION


Security has become a major policy concern. Governments see a widening responsibility for society and are increasingly making efforts to improve security on their territory. They want to promote security, for instance by giving support to computer emergency response teams, to research and for awareness campaigns. They also equip and train law enforcement to deal with computer and Internet related crime.

Member States are, however, in different stages of their work and the focus of attention varies. Apart from administrative networks such as TESTA there is no systematic cross-border co-operation on network and information security between Member States, although security cannot be an isolated issue for only one country. There is no mechanism to ensure effective responses to security threats. Implementation of the legal framework varies. Product certification is national whilst key standards are developed by the global industry, and operators and vendors are faced with different attitudes of governments. All this leads to a lack of interoperability that impedes a proper use of security products and services.

The European Community would benefit from increased co-ordination between Member States to achieve a sufficiently high level of security in all Member States. This is the objective of the Communication of the Commission on Network and Information Security from June 2001, which proposed a number of measures, inter alia awareness raising actions, improved mechanisms for the exchange of information and support for market oriented standardisation and certification.

The Communication also proposed the establishment of a European warning and information system. The Council Resolution of 28 January 2002 on a common approach and specific actions in the area of network and information security developed this concept further. It has become clear that the current institutional arrangements would not allow network and information security to be addressed appropriately at European level.

The Resolution welcomes the intention of the Commission to make proposals for the establishment of a cyber security task force to build on national efforts to both enhance network and information security and to enhance Member States' ability, individually and collectively, to respond to major network and information security problems.

In response to the Commission's suggestions, the European Parliament adopted an opinion whereby it has strongly requested a European answer to the increasing security problem.

In June 2002 the OECD adopted their Guidelines for the Security of Information Systems and Networks: Towards a Culture of Security. These guidelines emphasise the importance of applying certain common principles for information security and underpin the work that is taking place on a European level.


3. THE PROPOSAL TO ESTABLISH A NETWORK AND INFORMATION SECURITY UNIT



3.1. Background


The European Parliament, the Council, and the Commission are advocating closer European co-ordination on information security. The setting up of an entity with a legal personality would be the most efficient way to achieve this objective. The proposed Regulation therefore proposes to establish a European regulatory agency in accordance with the provisions of the Commission Communication 'The operating framework for the European Regulatory Agencies', COM (2002) 718 final. This agency will be called the European Network and Information Security Agency, hereinafter referred to as 'the Agency'.

However the specific electronic communications legislation, and in particular the electronic communications framework directive, attribute an important role to national competent bodies. Therefore the Agency will not only provide assistance to the Commission but also to national regulatory authorities.

The proposal reflects a number of concerns that were expressed during the consultation with the Member States carried out by the Commission. Corresponding concerns were also addressed in contributions from the private sector and can be summarised as requiring flexibility, trustworthiness, competence, efficiency and consistency of the proposed Agency. In particular the following requirements have been emphasised:

a) as network and information security is a fast evolving area, the best institutional arrangement may change over time. Therefore the Agency should operate for a limited period after which a review process should be carried out,

b) the Agency needs to be trusted by public bodies and institutions in the Member States as well as by the private sector,

c) the Agency should constitute a centre of expertise by bringing together competent people from all Member States,

d) the Agency needs to be able to act efficiently and quickly. Therefore sufficient human and financial resources will be necessary to enable a smooth and flexible operation but the Agency should nevertheless be limited to a reasonable size; and,

e) the Commission needs to be able to guide the work of the Agency.

These requirements are the guidance for the proposed Regulation. They explain why the tasks of the Agency are clearly described and at the same time provide for flexibility. They motivate an evaluation of the Agency's operations after the first three years. They make it clear that close co-operation with Member States institutions and bodies as well as with the Community institutions is crucial for the proper functioning of the Agency.

The Agency's work will benefit from scientific support through research activities carried out by the Joint Research Centre and other Community research programmes.


3.2. The choice of the legal basis


Against this background this proposal addresses two closely linked issues of Community interest, namely the proper functioning of the Internal Market and interoperability of electronic trans-European networks. Firstly the introduction of technically complex requirements for security in networks and information systems at Member State and Community level could hamper the full deployment of the Internal Market principles. Secondly, the smooth operation of the Internal Market also depends on the interoperability of security functions in networks and information systems.

The following sections refer to the Sections 1-5 in the proposal.


3.3. Section 1 - objectives and tasks



3.3.1. Objectives


The broad objective of the Agency is to create a common understanding in Europe of issues relating to information security that is necessary to ensure the availability and security of networks and information systems in the Union. To meet this objective the definition of network and information security has to be wide and cover all activities that can have adverse effects on the security of networks and information systems.

The Agency shall be able to provide assistance in the application of Community measures relating to network and information security. The assistance it provides shall help ensure interoperability of information security functions in networks and information systems, thereby contributing to the functioning of the Internal Market. It shall enhance the capability of both Community and Member States to respond to network and information security problems. The Agency will play a key role for the security of Europe's networks and information systems and the development of the information society in general.


3.3.2. Tasks


The Agency will have advisory and co-ordinating functions, gathering and analysing data on information security. Today both public and private organisations with different objectives gather data on IT incidents and other data relevant to information security. There is, however, no central entity at European level that can collect and analyse data in a comprehensive manner and provide opinions and advice to support the Community's policy work on network and information security. The Agency will serve as a centre of expertise where both Member States and Community Institutions can seek advice on technical matters relating to security.

The Agency will further contribute to a broad co-operation between different actors in the information security field, e.g. to assist in the follow-up activities in support of secure e-business. Such co-operation will be a vital prerequisite for the secure functioning of networks and information systems in Europe. The participation and involvement of all stakeholders is necessary.

The Agency will contribute to a co-ordinated approach to information security by providing support to Member States, e.g. on the promotion of risk assessment and awareness raising actions. To ensure interoperability of networks and information systems, the Agency will also provide opinions and support for harmonised processes and procedures in the Member States when applying technical requirements that affect security. Not only legal requirements, but to a large extent technical requirements can affect interoperability and create obstacles to a well-functioning Internal Market.

The Agency will further play a supportive role in the identification of the relevant standardisation needs, and in the promotion of security standards and certification schemes and of their widest possible use by the Commission and the Member States in support of the European legislation.

As the network and information security issues are global there is also a need for international co-operation in this field. The Agency will provide support for the Community contacts with relevant parties in third countries.

New vulnerabilities and threats constantly arise in the area of information systems and networks. It is necessary that the Commission should be able to assign additional tasks to the Agency in order to keep up with current technological and societal development, in accordance with the provisions of the operating framework for the European Regulatory Agencies.


3.4. Section 2 - Organisation



3.4.1. Management


The organisational structure should facilitate the involvement of the Agency's diverse stakeholders, independence from external pressures, transparency and accountability to the democratic institutions. It is therefore proposed to establish a Management Board consisting of members appointed by the Council and the Commission. For instance, the Commission's representation will include a member of the Security Directorate. It is further proposed that there will be representatives of industry and consumers, proposed by the Commission and appointed by the Council in the Management Board. The industry and consumer representatives shall have no voting rights.

The Agency will be managed by an Executive Director who possesses a high degree of independence and flexibility and who will be responsible for organising the internal functioning of the Agency. The Executive Director will also be responsible for the preparation and implementation of the budget and the work programme of the Agency and for personnel matters. In order to provide the necessary legitimacy, the Executive Director should be appointed by the Management Board on a proposal from the Commission.

As a Community body, the Agency should ensure the best use of the expertise and resources in pursuit of its mission whilst respecting the overarching requirement for independence. It is therefore proposed that the Agency includes a restricted Advisory Board comprising experts whose task it is to facilitate co-operation and information exchange between the Agency and the competent institutions and bodies in the different Member States, e.g. a data protection expert or a research community representative. The Advisory Board will have advisory functions and be responsible together with the Executive Director for drafting the annual work programme of the Agency.


3.5. Section 3 - Operation



3.5.1. Work programme


The Agency will need the flexibility to adapt its work to fast evolving technological advances and to refocus its work. Therefore the Management Board shall adopt a work programme for each year, approved by the Commission after a proposal from the Executive Director. The results of the activities under each year's work programme shall be presented in the general report, drafted by the Executive Director and adopted by the Management Board.


3.5.2. Opinions


There is a risk that the Agency may become overloaded with requests to deliver opinions and assistance. It should therefore be specified who can make such requests and how they should be handled.


3.5.3. Working groups


Although the Agency staff will be highly qualified, it can be expected that issues of a more specialised nature may arise. Therefore the Agency shall be able to establish temporary working groups composed of experts in various fields. Pursuant to the transparency policy, representatives of the Commission will be entitled to be present in the meetings of such working groups.


3.5.4. Independence


The acceptance of advice and opinions of the Agency by individuals, public administrations and businesses will depend on establishing a model of independence. Therefore the members of the Management Board and the Advisory Board, the Executive Director and the external experts participating in working groups will be obliged to declare the absence of interest which might put their independence in question.


3.5.5. Transparency and confidentiality


The Agency will adopt its rules regarding transparency and access to documents in compliance with the decisions of the European Parliament and the Council in the context of Article 255 of the EC Treaty and with the Commission Security Provisions.

Although a high level of transparency, as well as wide access to the documents it issues, is necessary for the acceptance of the Agency's work, the Agency will also collect information which needs to be kept confidential.


3.6. Section 4 - Financial provisions


For 2004-2008 the Agency needs a budget allocation large enough to hire its personnel as described above and to provide the personnel with proper technological equipment to be able to carry out its tasks and to function smoothly. The budget is specified in the Legislative Financial Statement.

The budget of the Agency will be financed by a contribution from the Community, with possible contributions from third countries participating in the Agency's work. The Executive Director will be responsible for the establishment of a preliminary draft statement of estimates. The Management Board will provide the Commission with the statement of estimates of revenue and expenditure for processing in accordance with standard budgetary procedures.

The Executive Director will be responsible for the implementation of the budget. The European Parliament, acting on a recommendation from the Council, will give discharge to the Executive Director of the Agency in respect of the implementation of the budget. The Financial Auditor of the Commission will ensure financial audit. The Court of Auditors will examine the accounts and publish an annual report.


3.7. Section 5 - General provisions



3.7.1. Legal personality and privileges


The Agency shall have the broadest legal personality in every Member State and will benefit from the same privileges and immunities as set out in the Protocol on the Privileges and Immunities of the European Communities.


3.7.2. Liability


The regime of contractual and non-contractual liability of the Agency corresponds to the regime applicable to the Community by virtue of Article 288 of the Treaty.


3.7.3. Personnel


As a centre of expertise, it is of vital importance for the Agency to have a sufficient number of highly qualified staff. Professionals with corresponding profiles are currently scarce and much sought after in Europe. The Agency shall recruit from both the public and the private sector. The personnel of the Agency will be subject to the Staff Regulations applicable to Officials of the European Communities and the Conditions of Employment of Other Servants. Without prejudice to the need to have stable, qualified staff in sufficient number, the personnel will be employed on temporary contracts with a maximum duration of five years.


3.7.4. Protection of personal data


The Agency will also process personal data in relation to its tasks and will in this respect apply the applicable regulations for such processing as a Community institution.


3.7.5. Participation of third countries


The Agency will be open to participation by third countries which have entered into agreements with the European Community whereby they have adopted and are applying the Community law in the field covered by this regulation.


3.8. Section 6 - Final provisions



3.8.1. Review


As network and information security is a highly technological issue and therefore fast evolving, the best institutional arrangement may change over time. Within three years of the starting date established in Article 26, or earlier if considered necessary by the Management Board, a review process should start in order to show the value of continued operations after this initial period of five years and if necessary propose any modification to its future responsibilities, objectives and mandate.

This review will in particular address the extent to which the absence of law enforcement participation has negatively affected the effectiveness and efficiency of operations of the Agency. In case the evaluation would demonstrate such adverse effects, the Commission will examine the appropriateness of a proposal supplementing this regulation.


3.8.2. Location


The location of the Agency should meet the following criteria:

- easily accessible in terms of communications, especially electronic communication facilities, and have effective and fast transport connections;

- enable the Agency to work closely and efficiently with those institutional services which deal with network and information security issues;

- be cost-effective and enable the Agency to start its work immediately;

- provide for the necessary infrastructure for the personnel of the Agency.


3.8.3. Duration


It is proposed that the Agency becomes operational on 1 January 2004 and that it will function for 5 years. The continued operation of the Agency is dependent on the outcome of the evaluation performed by the Commission in collaboration with the Advisory Board.