ENISA debate in Brussels – some notes and excerpts  21.5.11

Here some of my notes on the ongoing ENISA debate in Brussels.
Currently, there are bunch of proposals in the loop, thrown in by the European Commission. (The parliament itself can still not issue their own initiatives. All they can do or rather: after Lisbon, the parliament can at least alter existing paragraphs, though it can’t add new ones.)

In the loop:

• Proposal for a Regulation of the European Parliament and of the Council concerning the European Network and Information Security Agency (ENISA) 
COM(2010) “New” ENISA Regulation
• Proposal for a DIRECTIVE OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on attacks against information systems and repealing Council Framework Decision 2005/222/JHA {SEC(2010) 1122 final} {SEC(2010) 1123 final} European principles and guidelines for Internet resilience and stability – Version of March 2011. The accompanying Impact Assessment, summary thereof.

European Economic and Social Committee (EESC), “‘New’ ENISA regulation” (dt: “New” ENISA Regulation). EESC servces as “a bridge between Europe and organised civil society”

Brussels cabal is obviously in favour of option 3 out of five alternatives. Undaring middle ground. Key features:

• Reducing the fragmentation of national approaches (problem driver 1), increasing data and knowledge/information-based policy and decision making (problem driver 3) and increasing overall awareness of and the tackling of NIS risks and challenges (problem driver 4) by contributing to:
• more efficient collection of relevant information on risks, threats and vulnerabilities by each individual Member State;
• increased availability of information on current and future NIS challenges and risks;
• higher quality NIS policy provision in Member States.
• Improving European early warning and response capability (problem driver 2) by:
• helping the Commission and Member States to set up pan-European exercises, thereby achieving economies of scale in responding to EU-wide incidents;
• facilitating the functioning of the EP3R, which could ultimately lead to more investment triggered by common policy objectives and EU-wide standards for security and resilience.
• Promoting a common global approach to NIS (problem driver 5) by:
• increasing the exchange of information and knowledge with non-EU countries.
• Fighting cybercrime more efficiently and effectively (problem driver 7) by:
• being involved in non-operational tasks relating to NIS aspects of law enforcement and judicial cooperation, such as bi-directional exchange of information and training (e.g. in cooperation with the European Police College CEPOL).”

Problems Enisa should address: fragmentation, limited early warning and response, lack of limited data and limited response capability, need for models of collaboration, uneffective cybercrime LE.

The following results are expected: CERT for EU institutions, supporting EP3R

“by acting as an EU NIS CERT and by coordinating national CERTs as an EU NIS Storm Centre, including both day-to-day management activities and handling emergency services.”

Policy option 5 would have been harsher:

• provide support on procedural law (cf. Convention on Cybercrime): e.g. collection of traffic data, interception of content data, monitoring flows in case of denial-of-service attacks;
• be a centre of expertise for criminal investigation including NIS aspects.”