15 October, 2012

ETNO Expert Contribution on the European Commission Consultation “Improving Network and Information Security (NIS) in the EU”

With a view to the forthcoming EU Strategy on Cyber-security, expected by end 2012, the Commission has launched this public consultation on “Improving Network and Information Security (NIS) in the EU” in order to gather input from interested stakeholders.

ETNO, the European Telecommunications Network Operators’ Association, has 40 member companies who contribute actively to the achievement of the European Digital Agenda and who invest substantially in high speed broadband networks for the benefit of consumers. We welcome this opportunity to respond to the public consultation and we agree with the Commission on the need to enhance preparedness, strengthen the resilience of critical infrastructure and foster a cyber-security culture in the EU.

ETNO company members are key pan-European players in Networks and Information Systems and as such are strongly committed to ensuring a high level of security for all their networks and to supporting initiatives to improve security. Information and communication technologies form a relatively open ecosystem which is at the basis of the success of the Internet but at the same time, this renders the infrastructure and associated services vulnerable to attack.

Considering the international nature of the Internet, Network and Information Security challenges require a strong, coordinated European response without unnecessary regulatory burdens on e-communications service and network providers.

Currently, and based on Art. 13a and Art. 13b of the Framework Directive (Directive 2009/140/EC), only e-communications service providers are subject to obligations regarding minimum security requirements and the reporting of security incidents.  In order to achieve a level playing field across all sectors, ETNO believes that all actors in the supply chain providing services of key societal and economic value should be subject to the same obligations, namely, the requirements to adopt risk management practices and to report security breaches.  In addition, all participants in the ICT value chain should benefit from incentive programs to undertake measures that enhance security.