Cyber Security Industry Alliance Newsletter •  Volume 3, Number 12  • November 2007

European Affairs Director's Message

Marika Konings

Finally, the European Commission has presented its proposals for the review of the EU Regulatory Framework for eCommunications. Originally planned for January of this year, the proposals were presented by Commissioner Viviane Reding in Strasbourg on 13 November, after almost two years of extensive public consultations and internal discussions.

From a security perspective, the proposals mark two important developments: first, the introduction of breach notification obligations for ISPs and network providers; and second, the proposition to incorporate the European Network and Information Security Agency (ENISA) in the new European Electronic Communications Market Authority (EECMA), which is to be created to oversee the implementation and application of the new rules, including the security provisions, across the EU.

The European Commission’s introduction of mandatory notification of security breaches is a proposal that CSIA strongly supports.

The proposal to introduce mandatory notification of security breaches does not come as a great surprise, as the Commission already alluded to this in earlier policy papers. It is a proposal that CSIA strongly supports, provided that the appropriate fine-tuning, such as safe harbour provisions and details on what constitutes a breach and how notifications should be carried out, is taken into account.

The proposition to incorporate the European Network and Information Security Agency (ENISA) in the new European Electronic Communications Market Authority (EECMA) has come as a surprise, but provides interesting food for thought.

The second proposal came as more of a surprise, as earlier drafts of the new proposals had not referred to this possibility. In addition, the Commission recently held a public consultation on the future of ENISA in view of the expiration of its mandate in 2009.

Taking into account the new proposals on security, it might not be such a bad idea if one entity is responsible for defining the requirements for breach notification and enforcing them, instead of having 27 different regulatory authorities providing their own interpretation of the directive.

On the other hand, it is not clear how the other activities that ENISA currently undertakes in the area of information security are to be incorporated in this new agency, which would have as its main focus the functioning of the internal market in telecommunications.

On the whole, there are still plenty of details that need to be clarified and filled in, which will provide for an interesting time ahead now that the European Parliament and the EU Member States will start their review of the proposals.

Marika Konings
Director of European Affairs