25 November, 2014

Open Letter from ETNO, the European Telecommunications Network Operators’ Association, in view of the Telecoms Council

Dear Minister,

The Council discussions on the NIS Directive are now at an advanced stage, thanks to sustained efforts by the EU Italian Presidency to progress this file. This Directive has the potential to represent a fundamental milestone in the development of a modern framework for defending citizens and businesses’ data across the Continent.

ETNO views the NIS Directive as being crucial for the proper functioning of the Internal Market and for ensuring that European citizens experience a secure and trustworthy digital environment throughout the ICT value chain. Security and trust are key cornerstones for the development of the European digital economy and the time is right for such a debate.

Telecom operators have been at the forefront of the cyber-security debate for many years, protecting citizens’ personal data and ensuring network security. This was an area that was recognised as being important during the last Framework Directive debate, resulting in obligations on telecoms operators which were subsequently taken up. Telecoms operators are committed to continuously improving their security and data protection standards, both as a commercial differentiator and as a response to users’ needs.

ETNO has repeatedly stressed its view that a single European cyber-security market can properly function only if every link in the Internet value chain is considered and protected and a holistic approach is taken. As such, ETNO supports the inclusion of “Information Society Service providers” within the scope of application of the Directive. It is essential that minimum security requirements are also imposed on the so-called “Internet enablers” and that the adoption of risk management practices and the reporting of security breaches apply across the entire digital value chain in the interests of both consumers and businesses.  As such, ETNO broadly welcomed the European Commission’s initial Proposal, which went in this direction.

A single European cyber-secure market can only properly function with an approach which addresses a large number of actors of societal and economic value who, if not already doing so today, will be managing the critical infrastructure of tomorrow. In particular, companies are increasingly outsourcing their IT infrastructure in the cloud and it important that cloud providers remain within the scope of the Directive.  Internet payment gateways should also be considered as "Internet enablers" as they allow the provision of other services and play an important role in e-commerce transactions. Social networks are web destinations which draw large audiences and are accepted into enterprise settings, therefore more opportunities to deliver malware are also created. Search engines are a key part of the Internet infrastructure as the function itself involves extensive use of the Internet infrastructure and protocols. Finally, from a security standpoint, ETNO also believes that the provider of an application store has a role in ensuring the integrity of the applications it provides.

Cyber security is not only a policy issue in the EU but is also addressed in the United States. The US Stock Exchange's supervisory body has already issued guidelines according to which listed companies are subject to an obligation to report certain cyber incidents and has published guidelines on disclosure requirements within the framework of the disclosure obligations imposed by the federal securities laws.  At the same time the US is working on a Cyber Information Sharing Act which would be similar to the Commission's proposal for the NIS Directive.  It would be very awkward if Europe decides that there would be no need for such requirements in the Union.

Concretely, ETNO believes that it is of utmost importance that the Directive includes a sound definition of “market operator” together with the list of actors obliged in Annex II. Although the NIS Directive is a minimum harmonisation Directive, it is important that it specifies clear criteria to identify which actors are obliged in order to achieve a high degree of harmonisation within the EU.

ETNO believes that deleting Annex II would be a missed opportunity, taking into consideration the current debate around achieving a level playing field, and would leave the Directive ‘empty’.

To conclude, ETNO believes that this Directive will be pivotal in fostering a good functioning of the Internal Market and the opportunity to provide best-in-class, forward-looking security protection for EU citizens should not be wasted.

Best regards,

Daniel Pataki