Cyber Security Industry Alliance Newsletter • Volume 2, Number 4  • December 2005

Global Perspectives

Directive on Data Retention Adopted

On 14 December 2005 the European Parliament voted in a plenary session to approve the European Commission's proposal for a directive on data retention. It calls for data to be retained by telecommunications companies for a minimum of six months with the possibility for individual member states to extend that to 24 months if necessary.

An amendment relating to security of data was also adopted. It introduces wording to boost data protection and security, referring to the 1995 Data Protection Directive (95/46/EC) and reads as follows:

"Data protection and data security

Without prejudice to the provisions adopted pursuant to Directive 95/46/EC and Directive 2002/58/EC, each Member State shall ensure that providers of publicly available electronic communications services or of a public communications network respect, as a minimum, the following data security principles with respect to data retained in accordance with the present Directive:

(a) the retained data shall be of the same quality and shall be subject to the same security and protection as those data on the network;

(b) the data shall be subject to appropriate technical and organisational measures to protect the data against accidental or unlawful destruction, or accidental loss or alteration, unauthorised or unlawful storage, processing, access or disclosure;

(c) the data shall be subject to appropriate technical and organisational measures to ensure that access to the data is undertaken only by specially authorised personnel; and

(d) the data shall be destroyed at the end of the period for retention except those data which have been accessed and preserved."


On 14 November 2005, Reino Paasilinna, Finnish Socialist Member of the European Parliament, issued a working document on i2010 for the Parliament's Committee on Industry, Research and Energy. In the report, Mr Paasilinna states that certain aspects of the Commission's i2010 programme should be discussed by the Parliament, including:

  • the availability of broadband services to all EU citizens

  • creating the political will in member states to invest more in competitiveness through innovation and investment in research

  • review of the electronic communications regulatory framework

  • strategy for efficient spectrum management

Link to the draft report:

Viviane Reding, European Commissioner for the Information Society and Media, appeared before the European Parliament on 23 November 2005 to report on the European Commission's priorities for 2006 regarding the information society. They included: clamping down on security threats such as spam and spyware, the development of a new regulatory framework for electronic communications networks and the proposal for an e-Government action plan.

See also the newsletter of 28 October 2005 for information about other relevant Commission priorities for 2006.

ENISA Update

Representatives from the 25 Member States of the EU attended the first pan-European "National Liaison Officer's Day" with ENISA on 18 November 2005. The purpose of the National Liaison Officer's Day was for delegations from the 25 countries to meet ENISA representatives, encourage closer co-operation and build contacts.

ENISA's Executive Director Andrea Pirotti commented:

"We are all affected by the Digital Economy of the Information Society in Europe in our everyday lives. To make our computers and mobiles at home and at work function, with safe systems, requires that all actors and stakeholders across Europe work together. This meeting has been the starting shot for a closer cooperation between the EU25 Member States' National Liaison Officers and ENISA, creating networks and a better collaboration among the key actors in this field."

Andrea Pirotti, Executive Director of ENISA, has appointed Professor Olivier Hance as his Policy Adviser. In this capacity, Prof. Hance will be responsible for:

  • advising the Executive Director on policies and legislation;

  • supporting the Executive Director in his relationships with the European Institutions, especially the European Commission, the European Parliament and the Council; and

  • managing the Secretariat of the Management Board of ENISA.

Professor Hance was previously a Policy Developer in Unit A3 "Internet; Network and Information Security" at DG Information Society at the European Commission. Prior to that, he acquired extensive experience in the private sector, where he successively served as an Attorney-at-law, Partner of a "big four" consulting firm, Of Counsel for a high-profile competition law firm and consultant for governments and multinational corporations. Olivier Hance is also a visiting professor at the University Paul Cézanne of Aix-Marseille (I.A.E.) and the University of Padova's Law School.

Internet Governance and WSIS — The European View

The European Commission issued a press release on 16 November 2005 entitled: "EU brokers deal on progressive internationalisation of Internet governance at Tunis World Summit". It states that: "The compromise text agreed was based largely on EU proposals presented in the discussions since June."

Commissioner Viviane Reding, responsible for the Information Society and Media portfolio at the European Commission and head of the Commission delegation to Tunis stated:

"I welcome the texts now agreed in Tunis. They pave the way for a progressive internationalisation of Internet governance. This agreement was possible because of the strong belief of all democratic nations that enhanced international cooperation is the best way to make progress towards guaranteeing the freedom of the Internet around the globe and also to enhance transparency and accountability in decisions affecting the architecture of the Web. The fact that the EU spoke with one voice in Tunis, and had stood by its case for more cooperation on Internet governance in the run-up to the summit, certainly strongly influenced this positive agreement."


Article 29 Working Party/RFID

The list of contributors to the Article 29 Working Party's consultation on RFID (reported in the newsletter dated 11 October 2005) has been published at the following address:

Other Issues of Relevance

Critical Infrastructure Protection: On 24 November 2005 the European Commission adopted a Green Paper on a Programme for critical infrastructure protection, which outlines options for enhancing prevention, preparedness and response in the Union's critical infrastructure protection. The Green Paper provides options on how the Commission may respond to the Council's request to establish a "European Programme for Critical Infrastructure Protection" (EPCIP) and a "Critical Infrastructure Warning Information Network" (CIWIN). It constitutes the second phase of a consultation process that began with a Commission Communication on Critical Infrastructure Protection adopted in October 2004.

The Green Paper addresses such key issues as:

  • What should EPCIP protect against?
  • Key principles
  • The type of framework needed
  • Definition of EU Critical Infrastructure
  • National Critical Infrastructure
  • Role of Critical Infrastructure owners/operators
  • The Critical Infrastructure Warning Information Network (CIWIN)
  • Funding
  • Evaluation and monitoring

The objective of the Green Paper is to obtain feedback on EPCIP from a broad number of stakeholders. The Commission recognises that effective protection of critical infrastructure requires communication, coordination, and cooperation nationally and at EU level among all interested parties - the owners and operators of infrastructure, regulators, professional bodies and industry associations in cooperation with all levels of government, and the public.

Link to the Green Paper:


Changes to three databases to strengthen EU internal security: On 24 November 2005 the European Commission proposed changes to three databases in order to strengthen EU internal security whilst at the same time facilitating legitimate travel. The databases are:

  • Schengen Information System (SIS);

  • Visa Information System (VIS) as a system for the exchange of visa data between Member States; and

  • EURODAC, the database containing fingerprints of asylum seekers and illegal immigrants.

European Commission Vice-President Franco Frattini, responsible for Justice, Freedom and Security, underlined the Commission's approach:

"It is essential in the fight against terrorism and organised crime for the relevant services of the Member States and relevant bodies of the European Union, such as Europol, to have the fullest and most up-to-date information if they are to perform their tasks properly and effectively. However, this can only be done subject to strict respect of rules on fundamental rights."

Link to the press release:


European Commission Review of the EU Regulatory Framework for electronic communications networks and services: The Commission published a call for input in relation to the forthcoming review of the EU regulatory framework on 28 November 2005. This marks the beginning of a process that will culminate in the review of the "new regulatory framework" (NRF), which was adopted in 2002 and entered into force in July 2003. The consultation document announces the review of, amongst other things, the five Directives of the NRF: Framework Directive (2002/21/EC), Authorisation Directive (2002/20/EC), Access Directive (2002/19/EC), Universal Service Directive (2002/22/EC) and Directive on Privacy and Electronic Communications (2002/58/EC). The Commission has invited interested parties to submit their comments on the application and functioning of these Directives. The Commission has also looked into some specific topics, including privacy and security of communications.

The contributions gathered will provide input to a Commission Communication on the functioning of the EU regulatory framework for eCommunications, which is to be adopted by mid-2006. The legislative proposals emanating from this review process will reach the European Parliament and the Council at the end of 2006. The entry into force of any resulting legislation will take place only in two/three years. It is a process that is worth monitoring closely, however, as the review may well result in amendments to the directives and therefore opportunities to have additional wording on security.

The full text of the consultation document is available at the following link:

Responses are to be sent by 31 January 2006 to [email protected], indicating "2006 Review" in the subject line.

A whole-day public workshop is tentatively scheduled for 24 January 2006 in Brussels. The workshop will be open to all interested parties but prior registration is required.

The registration form can be found at: