The Council discussed the proposal for a Directive aimed at ensuring a high common level of security of electronic communication networks and information systems across the EU. The discussion was based on a progress report by the Irish Presidency on the work done so far in the Council's preparatory bodies.
The Presidency has identified the following main issues, which it believes are matters delegations would like to discuss further:
Impact assessment (IA): with regard to the IA which accompanies the proposal, a number of Member States pointed out that there appear to be a number of discrepancies between the two documents and that, in particular, the IA does not sufficiently justify why specific sectors have been included in the proposal, such as enablers of information society services, and others not, such as hardware/software manufacturers. Member States were also looking for more substance in the IA with regard to the impact of the proposal on employment, competitiveness and innovation, data protection, operations of multinational companies, investment climate, etc. Most Member States also raised the issue of the perceived significant costs involved in the implementation of the proposed Directive and regretted that the IA fails to sufficiently assess the possible benefits.
At a more fundamental level, Member States requested further justification from the Commission as to why a legislative, rather than a voluntary, approach would be the preferred option to tackle the uneven level of security capabilities across the EU and the insufficient sharing of information on incidents, risks and threats, which the Commission perceives as being the root causes of the situation. Delegations asked for more information about which companies and other stakeholders had replied to which questions in the Commission's public consultation, as this would help them to better assess where urgent problems exist.
Scope: detailed discussions will be necessary on which "market operators" would fall within the scope of the proposed Directive. In this regard, doubts were expressed about putting providers of information society services under the same obligations as operators of critical infrastructures, and questions were raised about the proposed non-exhaustive list of market operators, which would need to be agreed upon and which would cover those entities to which obligations with regard to incident notifications would apply.
Organisational framework: with regard to the organisational framework for the implementation of the proposed Directive, delegations have not yet expressed firm positions on the proposed governance structure as they are carrying out national consultations with stakeholders and are analysing the details of the proposal in the context of existing or planned national cyber strategies.