The various committees of the European Parliament have now published their response to the Commission’s draft Network and Information Security Directive. Their proposal is much more narrowly focussed than the Commission’s: public administrations are excluded (though individual Member States are allowed to opt theirs in), as they already “have to exert due diligence in the management of their network and information systems”, while the Commission’s broad category of “market operators” is reduced to something that looks much more like traditional critical infrastructures: “infrastructure[s] that are essential for the maintenance of vital economic and societal activities in the fields of energy, transport, banking, financial market infrastructures, internet exchange points, food supply chain and health”. Adding internet exchange points suggests a view that connectivity is now vital to society but social networks aren’t.
The committees are explicitly positive about CERTs and their “existing international and European cooperation networks … which have proven efficient in coordinating international and European responses to incidents”, and concerned that regulatory change must not disrupt these. Rather than the Commission’s proposal for a single “national CERT”, the committees want to ensure that the designated sectors have at least one CERT providing services to them and that those CERTs have sufficient resources to work together both nationally and internationally. To facilitate this there is a suggestion for agreed standards for both technical and procedural interactions.
The committees agree with the Commission that incident reporting is important for improving security but see it as part of developing a “culture of risk management, close cooperation and trust, involving risk assessment and the implementation of security measures appropriate to the risks and incidents”. They also seem aware of some of the ways that reporting schemes can fail, particularly if those reporting do not gain any benefit or are even disadvantaged by their participation. Thus there is a stress on exchange of information between participants, not just one-way reporting; those who report incidents should, where possible, be offered help to resolve them; bodies to whom incidents are reported must consult with reporters before making information public and consider “possible reputational and commercial damages” that might discourage reporters from sharing in future.
The European Parliament is expected to vote next week on whether to accept this report, with subsequent discussions likely to be interrupted by the Parliamentary elections in May. Security improvement needs to be seen as a virtuous spiral, from which everyone benefits: these proposals seem to be heading in the right direction.