For many years EuroISPA has been a strong supporter of the European Commission’s efforts to create a harmonised framework for digital security in Europe. Ensuring a sufficient level of security across the EU is an important endeavour, and we fully appreciate the key requirement to create security and confidence in the IT sector. It is essential that the imperative to provide security for users and critical infrastructures is allied with the need to maintain an innovation-friendly legislative environment in Europe. Moreover, in the context of data retention it is essential that such security concerns are properly balanced with European citizens' fundamental rights. EuroISPA’s cybercrime and cybersecurity committee works with the European institutions to ensure our technical expertise and experience can guide policy that protects key network infrastructure and citzens fundamental rights, and allows the Internet industry to thrive as an economic enabler. It also functions as important meeting point for all those with an interest in European cybersecurity, allowing experts from across the continent to share best practice and contribute towards more effective policy.
Key ongoing dossiers
Network and Information Security Directive
Directive on Combatting Terrorism
June/July 2016: Network and Information Security Directive adopted; implementation process to begin
On 06 July, the European Parliament officially adopted the Network and Information Security Directive, thus kicking-off the 21 month implementation phrase.
To facilitate a harmonised implementation of the technical aspects of the NIS Directive, the EU Institutions must now engage in a ‘Comitology’ process, whereby technical experts from Member States come together to agree common standards and procedures.
One of the key functions of this comitology process concerns standards and procedures for Digital Service Providers.
- Particular security measures that DSPs must implement (e.g. incident handling, business continuity management, etc)
- The kinds of security incidents that DSPs must notify
Under this general comitology process, the European Commission is convening a number of policy fora.
NIS expert group
- Each Member State nominates an expert from their country.
- The Group’s mandate is to support the Commission in preparing draft technical standards and procedures (implementing acts) to be agreed by the Member States in the official comitology committee.
- This expert group may invite external participants on a case-by-case basis.
- The expert group held its first meeting in late April and will meet again in the Autumn.
Member State Cooperation Group:
- It is open to Member State governments only.
- It will run alongside the implementation process and continue once the Directive is fully in force in Member States.
- Its role is to help Member States to exchange information and best practice in the practical workings of the NIS.
- The group held an informal meeting in June and will officially commence in autumn 2016.
- The committee will bring together Member States to finalise the legal instruments underpinning the implementation standards (building on the work of the NIS expert group).
- It is possible for interested stakeholders to participate in the comitology process in an observer capacity.
- A timeline for its meetings has not yet been defined but it must complete its work 12 months after the NIS implementation process begins.
June/July 2016: European Parliament adopts position on Terrorism Directive
On 05 July the European Parliament’s Civil Liberties committee finalised its negotiating position on the Directive on Combatting Terrorism.
Leading MEPs will now enter into closed-door “Trialogue” negotiations with the EU Council (Member States) to develop a joint-text.
You can find below the sections of the Parliament’s text that are particularly relevant to EuroISPA – the sections which we lobbied strongly on.
The final text is a compromise of over 400 amendments drafted by MEPs in committee. While far from perfect, the below “compromise amendments” are in fact a significant improvement on the aggressively anti-Internet approach to the early discussions amongst MEPs.
An effective mean of combatting terrorism on the Internet is to remove illegal terrorist content at source. In that context, this Directive is without prejudice to voluntary action taken by the Internet industry to prevent the misuse of its services or to any support for such action by Member States, such as detecting and flagging illegal content. Member States should take all necessary measures to remove or to block access to webpages publicly inciting to commit terrorist offences. Where such measures are taken, they must be set by transparent procedures and provide adequate safeguards under the control of independent authorities. Member States should use their best endeavours to cooperate with third countries in seeking to secure the removal of such content from servers within their territory. However when removal of illegal content at its source is not possible, Member States may put in place measures to block access from the Union's territory to Internet pages identified as containing or disseminating terrorist content. Member States should consider legal action against internet and social media companies and service providers, which deliberately refuse to comply with a legal order to delete from their internet platforms illegal content extolling terrorism after being duly notified about such specific content. Such refusal should be punishable with effective, proportionate and dissuasive sanctions. The right to judicial review should be guaranteed to the internet and social media companies and service providers.
Article 14a - Measures against illegal terrorist content on the internet:
1. Member States shall take the necessary measures to ensure the prompt removal of illegal content publicly inciting to commit a terrorist offence, as referred to in Article 5, hosted in their territory and to endeavour to obtain the removal of such content hosted outside of their territory. When that is not feasible Member States may take the necessary measures to block the access to such content.
2. These measures must be set by transparent procedures and provide adequate safeguards, in particular to ensure that the restriction is limited to what is necessary and proportionate and that users are informed of the reason for the restriction. Measures on removal and blocking shall be subject to judicial review.
- Representatives from the European Parliament and the EU Member States will soon begin trialogue negotiations in order to develop a joint-text.
June/July 2016: Council of Europe publishes new study on filtering, blocking, and take-down of illegal content
The Council of Europe has published a comparative study on filtering, blocking and take-down of illegal content on the Internet.
For each of the 47 member countries of the Council of Europe, the report provides details of:
- The legal framework underpinning filtering, blocking and take-down of illegal content.
- The different procedures and approaches for particular types of illegal content.
- The competent authority to mandate filtering, blocking and take-down and the conditions of enforcement.
- Voluntary practices to filter, block and take-down content.
- Relevant and important case law.
The dedicated reports for each country can be accessed here.
The authors’ general analysis as to filtering, blocking and take-down regimes across Europe can be read here.
The methodology and additional background information can be accessed on the report’s holding page, here.
- Secretariat will assess the general comparative analysis of the text and inform members of any particularly pertinent insights from the report.
May 2016: Council of the EU formally adopts the NISD
On 17 May the Council of the EU (Composed of the Member States) formally adopted the network and information security (NIS) directive.
The Council had already reached an informal agreement with the European Parliament on the NIS on 7 December 2015.
- European Parliament still needs to approve the legal act
- The Directive is expected to enter into force in August 2016
May 2016: Closed-door discussions continue in European Parliament on proposed Terrorism Directive
Over the past two months EuroISPA has engaged heavily with the European Parliament as MEPs deliberate on the proposed Directive on Combating Terrorism.
EuroISPA's engagement on the dossier has centered on the elements pertaining to tackling terrorism in the online sphere. A number of amendments proposed by the European Parliament's Civil Liberties committee have sought to a vertical liability framework for ISPs vis-a-vis terrrorist content, while also mandating ISPs to undertake proactive detection of illegal content. On these issues EuroISPA has been particularly vocal.
At present, the leading MEPs on the topic are negotiating a series of 'compromise amendments' that seek to consolidate the various perspectives into a coherent uniform position. Once the compromise amendments are agreed, they will be put before the Parliament Civil Liberties committee to vote.
EuroISPA continues to monitor the discussions and will seek to contribute to the Parliament's approach when the file comes to committee vote in mid-June.
March/April 2016: EuroISPA engages on European Parliament Terrorism Directive discussions
For a number of months EuroISPA has engaged intensively on the negotiations around the Directive on Combatting Terrorism. Proposed by the European Commission in December 2015, the Directive is currently under discussion in the European Parliament.
EuroISPA's engagement on the dossier has centered on the elements pertaining to tackling terrorism in the online sphere. A number of amendments proposed by the European Parliament's Civil Liberties committee have sought to a vertical liability framework for ISPs vis-a-vis terrrorist content, while also mandating ISPs to undertake proactive detection of illegal content.
To ensure a directive which best allows ISPs to tackle illegal content online while safeguarding fundamental rights, EuroISPA written letters, held face-to-face meetings, and submitted amendments to influential MEPs working on the dossier.
The European Parliament expects to adopt its position on the file in late May.
The Parliament will then enter into "trialogue" negotiations with the EU Council (Member State government representatives) in order to agree on a joint text.
EuroISPA will continue to engage with the Parliament to convey the European Internet industry's position.
February 2016: Cybersecurity committee chair represents EuroISPA at meeting of EU agency on IPR infringements
EuroISPA was invited by OHIM to participate at their Observatory working group meeting, taking place in Alicante from 1st to 3rd March, having the scope to guide the work of the same Observatory in issuing studies. The seminars covered a wide range of studies and analyses, including draft FAQs about national copyright and malware on IPR infringing websites, costs of IPR infringements, as well as physical destruction of counterfeited goods.
Whilst the overwhelming majority of participants stemmed from right holders side, industry and civil society intervened in the seminars not only to question methodology and outcome of current studies but also to provide input for terms of reference for new ones. EuroISPA which was represented by Maximilian Schubert participated to the discussion providing e.g. inputs for a questionnaire on IPR infringements in third countries as well as warnings about potential monitoring obligations for ISPs. Numerous members of OHIM welcomed and appreciated the presence of the internet industry at the discussion.
A common statement by civil society (EDRI, BEUC, Wikimedia and COMMUNIA) received great attention as it called, among other issues, for the “prevention of low quality outputs in outsourced studies”. This is a point which was formulated in a very direct way, but which, based on the experience in the working groups might have some valid grounds. A representative of OHIM has made it clear during the common session: “Studies are weapons [to fight crime]”. As such it appears beneficial to accept the offer from OHIM and to continue participating in the Observatory to make sure that the studies it produces will be beneficial for all stakeholders involved.
February 2016: Letter to Jourova on cooperation in cybersecurity
The EuroISPA Cybersecurity committee decided to respond to Commissioner Jourová’s invitation to enter in a dialogue with ISPs to find ways to cooperate on cybercrime-related matters. Commissioner Jourová extended this invitation during an informal meeting of justice and home affairs ministers of the Council of the EU on 26 January 2016 (for more information, click here).
In a letter addressed to Commissioner Jourová, which was sent out on 10 February, EuroISPA welcomed the Commissioner’s initiative and expressed its interest to participate in the dialogue, given the association’s wide experience in engaging with national law enforcement authorities (LEAs) in the fight against cybercrime. EuroISPA specifically highlighted the need for requests for access to electronic records of ISPs for cybercrime investigations by foreign LEAs to be made through the respective national channels where the ISP has it main establishment.
EuroISPA looks forward to collaborating with the Commission in the fight against cybercrime.
The EuroISPA Secretariat followed up with the Commissioner’s cabinet in the first week of March for a possible timeframe on the initiative. One of the Cabinet members confirmed that the EuroISPA letter was received and that they would get back in due course, but that currently, no timeline could be provided concerning the initiative for dialogue. The Secretariat will keep members informed of any updates in this area
January 2016: Chair of the EuroISPA Cybersecurity Committee applies for membership of Europol EC3 Advisory Group on Communication Providers
During the last General Meeting in January, EuroISPA members agreed to extend our institutional engagement activities to the Advisory Group of Communication Providers at European Cybercrime Centre, managed by Europol.
Members selected Dr. Maximilian Schubert to represent EuroISPA in this advisory group due to ISPA Austria’s good cooperation and longstanding experience with national law enforcement authorities and his role of Chair of the Cybersecurity Committee.
The European Cybercrime Centre began its activities in January 2013 to help law enforcement authorities in its fight against cybercrime. Its Communications Advisory Group will be a platform to exchange the needs and priorities for Communication Providers in the context of cross-border cybercrime. As such, this group will play a crucial role in shaping European governments' responses and policies to the challenges that communications providers face when working to prevent and fight crime online.
EuroISPA is looking forward to collaborating with Europol to bring the voice and the expertise of the industry on this important matter.
The European Cybercrime Centre will contact the successful applicants in the coming weeks. The Secretariat will inform EuroISPA members about the outcome of our application.
December 2015: Institutions agree on a Network and Information Security Directive
On Friday 18 December, COREPER I endorsed the agreement on the Network and Information Society (NIS) Directive reached in trilogues the past 7 December. The Commission put forward in 2013 a first proposal for a Directive with the aim of ensuring a high common level of network and information security in the EU.
The text will now have to be formally approved by the European Parliament and the Council, after which it will be published in the EU Official Journal and will officially enter into force. Member States will have 21 months to implement this Directive into their national laws and 6 months more to identify operators of essential services.
We will prepare a comprehensive analysis of the Directive for the EuroISPA General Meeting in January 2016.
November 2015: No progress made by legislators on Network and Information Security Directive
At the last Council meeting, representatives of Member States failed to reach any agreement on proposed Network and Information Society Directive. As a reminder, the disagreement lies on whether or not certain existing cybersecurity obligations, currently only for electronic communication services, should be extended to additional services "Digital Service Providers (DSP)”.
September/October 2015: Network and Information Security Directive: new Digital Service Platform definition
After months of political uncertainty, the EU Institutions are moving towards a consensus to include a definition of “Digital Service Platforms (DLP)”, and to make a reference to the current notion of Information Society Service in its definition. Annex III of the Directive proposes explicit definitions of online/e-commerce marketplace, social networks, online search engine, cloud computing service provider and internet payment gateways.
The compromise position proposed by the Council Presidency includes many of EuroISPA’s suggestions. The Presidency has proposed to include the “light touch” approach in a new Chapter IVa with new Articles 15a and 15b including separate requirements for Digital Service Platforms. This light touch refers to the security requirements, notification regime, incidents that concern two or more Member States, the exclusion of small and micro enterprises and the supervisory regime, which would only apply ex post.
The next technical meeting in Council is scheduled for 14 and 22 October.
The Institutions aim to reach an agreement in principle by the end of the year.
August 2015: Negotiations to resume in Network and Information Security Directive
The Parliament and Council are still negotiating in a bid to reach a joint agreement on the proposed Network and Information Security Directive. Under current proposals, Internet enablers will be included in the scope of the Directive, albeit under a lighter-touch approach. The Luxembourgish Presidency is drafting proposals for the definition and identification of "digital service platform".
Under the latest Presidency proposals:
Security requirements: platforms would be subject to them but the technical and organisational requirements should be commensurate to the degree of risk. Security requirements would be excluded from the minimum harmonisation (forum shopping). Competent authorities will act ex-post.
Notification requirements: mandatory and voluntary is still on the table
Territoriality would only relate to digital service platform and would require companies to designate a representatives if they provide service to customers in the EU.
Jurisdiction: would concern both operators and digital service platforms. Will be dealt with at a later stage.
- Threshold: no agreement for the moment. The Commission suggests to exclude SMEs besides micro enterprises, while the Presidency disagrees.
- Digital service platforms providing services for essential operators should be considered as part of the essential service.
The next trialogue discussion is scheduled for October, with the aim of reaching agreement on a joint text by end of 2015.