Sunday, 27 December 2009

EU Network and Information Security (NIS)

Have we humans always got our priorities right? If Santa Claus gets a parking ticket for his reindeer, it is front page news around the globe. But without information and communication technologies (ICT) in working order, even that news item would go nowhere. Actually, very little would function in our modern world without secure networks and information.



The 2987th Council meeting, in the Transport, Telecommunications and Energy (TTE) configuration from 17 to 18 December 2009 (document 17456/09), adopted a resolution on network and information security (NIS), which received a brief mention on page 22:


Network and Information Security

The Council adopted a resolution on a collaborative European approach on network and information security (15841/09).

The resolution responds to the Commission's communication on this subject (8375/09), whose objective is to develop an EU policy on the protection of critical information infrastructure.





Secure information infrastructure got a three-line mention when the Swedish Council presidency summed up the results of the meeting for general consumption.

I am not out to criticise the brief mentions: They are geared towards the interests of the public, and most of the time we seem to look for more immediate pleasures, leaving critical, but “boring” work to specialists.



Resolution details



Council document 15841/09 Council Resolution on collaborative European approach on Network and Information Security – Adoption (dated 8 December 2009; 11 pages) recalls the establishment of the European Network and Information Security Agency (ENISA; Regulation 1007/2008 amending Regulation 460/2004) and initiatives to protect Critical Information Infrastructures (CIIs).

The annexed resolution will be published in the Official Journal of the European Union (OJEU), but in the meantime we follow the Council document.

Among other things the Council underlines that (page 6):
A high level of Network and Information Security in the EU is needed in order to support:

a. the freedoms and rights of citizens, including the right to privacy;

b. an efficient society in terms of quality in information handling;

c. the profitability and growth of trade and industry;

d. citizens’ and organizations’ trust in information handling and ICT systems.


The resolution stresses the need to modernise and reinforce ENISA, and it invites the EU member states to undertake continued efforts to improve network and information security, including by creating Computer Emergency Response Teams (CERTs).

The Commission is invited to support the efforts of the member states, for instance by evaluation and a possible NIS strategy.

ENISA is encouraged to work with all stakeholders, and the stakeholders are encouraged to put their best foot forward.


Commission communication



The basic underlying document was the Commission's Communication on Critical Information Infrastructure Protection "Protecting Europe from large scale cyber-attacks and disruptions: enhancing preparedness, security and resilience"; Brussels, 30.3.2009 COM(2009) 149 final (12 pages).



The Communication was accompanied by the Staff Working Document: Summary of impact assessment; Brussels 30.3.2009 SEC(2009) 400 (8 pages).




The full length Impact assessment SEC(2009) 399 came in three parts (addenda): Part 1 (Council document 8375/09 ADD 1; 149 pages), Part 2 (ADD 2; 133 pages) and Part 3 (ADD 3; 130 pages).



Preparation and hierarchy


We are able to see that a few vague sentences in the press releases from the Council and the Swedish presidency are just the tip of the iceberg.

The resolution itself is more detailed, although the phrases still resemble indistinct wishes for constructive action, as is often the case when we deal with cooperation and coordination between sovereign states.

Even when there is need for urgent action, herding 27 member states is a slow and laborious task, often spanning several Council presidencies.

The base of the iceberg is the preparatory work by the Commission, carefully researched and documented, often voluminous. Nosemonkey often stresses how incredibly dull the European Union is.


Few of us have cared to follow this far. We just expect our computers, networks and European Union to function, so that we can see if Santa wins the appeal against his parking ticket. We are all too human.




Ralf Grahn



P.S. Get to know Jon Worth’s Euroblog and other great European blogs listed on multilingual Bloggingportal.eu, our common “village well” for fact, opinion and gossip on European affairs.