This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/cooperation-wg@ripe.net/
[cooperation-wg] Draft RIPE NCC submission on EU NIS Directive
Chris Buckridge
chrisb at ripe.net
Wed Oct 16 15:43:33 CEST 2013
Dear colleagues,

As noted in the recent RIPE Labs article on European Union (EU) engagement, the RIPE NCC has been working with representatives of the RIPE community to address the European Commission's proposed EU Directive on network and information security (NIS). This proposed Directive is currently under consideration by the European Parliament and is available online at:
http://eeas.europa.eu/policies/eu-cyber-security/cybsec_directive_en.pdf

The aim of this Directive is "to ensure a high common level of network and information security (NIS) across the EU", specifically through the establishment of national Computer Emergency Response Teams (CERTs), improved information sharing between national authorities and required reporting on risk levels and security incidents by providers of "information society services".

RIPE community members and RIPE NCC staff have identified several areas of concern with the current draft of the Directive, and these concerns form the basis of the draft response below.

We would like to invite feedback from this working group on whether there is support for the position(s) taken in the statement, whether there is support for the RIPE NCC engaging Members of the European Parliament on this issue, and any other thoughts.

There will also be a discussion of this issue in the RIPE 67 Cooperation Working Group session, which takes place on Thursday, 17 October, 16:00-17:30 local time (UTC+3). You can follow and contribute to this session either on-site in Athens or remotely at:
https://ripe67.ripe.net/live/

Best regards,

Chris Buckridge
External Relations Officer, RIPE NCC

--------------------------

The RIPE NCC welcomes the European Commission's efforts in the area of network and information security (NIS), premised on the need for closer international cooperation to meet the global nature of network security issues. We also welcome the Directive's acknowledgement of the need for all stakeholder groups to participate in developing solutions to NIS challenges.

Drawing on discussions with members of the RIPE community and internally, the RIPE NCC would like to raise a general concern with the current draft. While the proposed Directive recognises the importance of "informal cooperation mechanisms", we believe that there is an important and formal role for multi-stakeholder mechanisms and processes in refining the implementation details of the Directive. Recognition of such a role would be particularly useful in relation to the following specific aspects of the Directive:

1. Scope

The RIPE NCC believes that there is a need to clarify the scope of the Directive, particularly with regard to the following terms:

- "information society services which enable the provision of other information society services"
- "significant impact" (in relation to security incidents)

In line with the purpose and the legal basis of the Directive (i.e. ensuring the functioning of the Internal Market according to Article 26 of the Treaty on the Functioning of the European Union), we believe that the Directive should be clearly limited to organisations or security incidents that directly impact the Internal Market. Clear criteria should be developed via transparent, multi-stakeholder processes to identify those incidents or organisations covered by the Directive.

2. Establishment of security requirements

The Directive aims to establish security requirements for market operators and public administrations, and to this end it empowers the Commission to:

- Draw up a list of standards by means of implementing acts [1]
- Adopt delegated acts concerning the definition of circumstances in which public administrations and market operators are required to notify incidents

The Cybersecurity Strategy of the European Union notes the role of multi-stakeholder, bottom-up procedures in developing and maintaining security standards. We believe it would be appropriate that the specification of such standards and definitions in the context of this Directive should also be the outcome of such formal, multi-stakeholder processes. This would help to ensure the inclusion of input from all relevant stakeholders and the flexibility and responsiveness that is required in an online environment.

[1] Definitions of "implementing acts" and "delegated acts":
http://europa.eu/legislation_summaries/institutional_affairs/treaties/lisbon_treaty/ai0032_en.htm