EU Parliament committees on Network and Information Security

Monday, March 3, 2014 - 11:53

The various committees of the European Parliament have now published their response to the Commission’s draft Network and Information Security Directive. Their proposal is much more narrowly focussed than the Commission’s. Public administrations are excluded (though individual Member States are allowed to opt theirs in), on the grounds that they already "have to exert due diligence in the management of their network and information systems". The Commission’s broad category of "market operators" is reduced to something that looks much more like traditional critical infrastructures: "infrastructure[s] that are essential for the maintenance of vital economic and societal activities in the fields of energy, transport, banking, financial market infrastructures, internet exchange points, food supply chain and health". Adding internet exchange points suggests a view that connectivity is now vital to society, but that social networks aren’t.

The committees are explicitly positive about CERTs and their "existing international and European cooperation networks ... which have proven efficient in coordinating international and European responses to incidents", and concerned that regulatory change must not disrupt these. Rather than the Commission’s proposal for a single "national CERT", the committees want to ensure that the designated sectors have at least one CERT providing services to them and that those CERTs have sufficient resources to work together both nationally and internationally. To facilitate this there is a suggestion for agreed standards for both technical and procedural interactions.

The committees agree with the Commission that incident reporting is important for improving security but see it as part of developing a "culture of risk management, close cooperation and trust, involving risk assessment and the implementation of security measures appropriate to the risks and incidents". They also seem aware of some of the ways that reporting schemes can fail, particularly if those reporting do not gain any benefit or are even disadvantaged by their participation. Thus there is a stress on exchange of information between participants, not just one-way reporting; those who report incidents should, where possible, be offered help to resolve them; bodies to whom incidents are reported must consult with reporters before making information public and consider "possible reputational and commercial damages" that might discourage reporters from sharing in future.

The European Parliament is expected to vote next week on whether to accept this report, with subsequent discussions likely to be interrupted by the Parliamentary elections in May. Security improvement needs to be seen as a virtuous spiral, from which everyone benefits: these proposals seem to be heading in the right direction.