Wim Nauwelaerts

In a recent communication titled "A Strategy for a Secure Information Society - Dialogue, Partnership and Empowerment" (COM(2006)251), the European Commission underscores the importance of continuous cooperation among different stakeholders to improve network and information security (NIS). This communication is mainly aimed at "updating" the Commission's previous strategy - which dates from 2001 - in light of the newest security challenges that the Information Society is facing today.

Key Challenges for ICT Security

There are several reasons why the Commission considers it necessary to revitalize the existing European strategy for network and information security. First of all, cross-border attacks on NIS are increasingly driven by economic motives, which makes them even more harmful than attacks that only have disruptive effects on networks. Spam, for example, is becoming a popular medium for infecting networks with spyware, phishing or other types of malicious software. The increasing use of mobile devices, mobile-based network services and the application of so-called "ambient intelligence" (i.e. RFID technology) in daily life are also adding a complicating factor to the debate over how to ensure NIS. In addition, the Commission is particularly concerned that increased use of "off-the-shelf" software may lead to "monocultures" of certain software solutions, which would make it easier to spread security threats such as malware and viruses quickly and on a large scale. The most important challenge, however, appears to be the fact that businesses and individuals in Europe still underestimate the risks of using Information and Communication Technologies (ICTs) that are not sufficiently secure. The Commission has expressed concerns that individuals do not always realize that their home equipment is often the weakest link in overall network security. Many companies view security measures purely as a "negative cost," rather than appreciating the opportunity to bolster their business through enhanced security. Individuals, as well as businesses, using ICTs are currently failing to take up their "responsibility in the global security chain," at least according to the Commission.

Threefold Approach to Security Enhancement

In the Commission's view, effective network and information security calls for a coordinated strategy involving all three levels of action currently undertaken by the European Community. Since 2001, specific measures have been taken at the EU level to improve NIS, including the creation of the European Network Information Agency (ENISA). Based on the Isle of Crete (Greece), ENISA assists the Commission and EU member states in addressing security-related issues, for instance by providing advice, recommendations and data analysis services. ENISA started its operations in Crete in September 2005, but is expected to play a more prominent role with regard to NIS-enhancement in the years to come.

In parallel with specific NIS measures, the EU regulatory framework for electronic communications, as well as general EU data privacy rules, include provisions aimed at promoting security and confidentiality of online communications. Article 4 of the E-Privacy Directive, for example, requires that a provider of electronic communications services takes "appropriate technical and organizational measures to safeguard security of its services." What constitutes an "appropriate" security measure under Article 4 is likely to be interpreted differently from one member state to another - a divergence which complicates the provision of cross-border electronic communications services in particular. The regulatory framework for electronic communications is currently being reviewed by the Commission, but whether or not the existing security provisions will be amended is still unclear at this point.

A third area of security enhancement efforts the Commission intends to coordinate more closely is the fight against cybercrime. Noteworthy initiatives to combat cybercrime via international cooperation include the Convention on Cybercrime (adopted by the Council of Europe in 2001) and the 2002 Proposal for a Council Framework Decision on attacks against information systems. In addition, the UN-driven World Summits on the Information Society (held in 2003 and 2005) resulted in the "Tunis Agenda" and the "Tunis Commitments," which emphasize the need for a global alliance against cybercrime, while ensuring the protection of human rights and fundamental freedoms - including privacy and freedom of expression.

A Policy Based on Dialogue, Partnerships and Empowerment

To develop a secure Information Society, the Commission is proposing a new policy that requires the active participation of public administrations, companies, as well as individual users of ICTs. Such policy should be based on open and enhanced dialogue, the establishment of strategic partnerships and empowerment of each stakeholder group.

  • Dialogue: ENISA will be asked to be involved in the benchmarking of existing NIS-related policies at the member state level, the purpose of which is to identify "best practices." These "best practices" could then be used by public administrations in the different member states to evaluate and, if necessary, optimize their security policies. In addition, the Commission intends to organize separate events targeting industry and end-users with the aim of raising awareness of NIS issues. The upcoming conference "i2010 - Towards a Ubiquitous European Information Society" and the ongoing public consultation on RFID are also expected to foster stakeholder dialogue.
  • Partnerships: The Commission is convinced that, without reliable and updated information regarding security trends, incidents and challenges throughout Europe, it would be difficult to adopt the necessary policymaking decisions. The Commission is planning to ask ENISA to develop a partnership among the EU member states and other stakeholders to set up a data collection framework for that particular purpose. Furthermore, it is expected that ENISA will also conduct a feasibility study on the establishment of a pan-European, multilingual portal for sharing information on security threats, risks and alerts.
  • Empowerment: According to the Commission, private sector stakeholders should play a vital role in enhancing NIS, and in its recent communication, the Commission has identified a number of private initiatives that industry should consider. For instance, companies should cooperate to develop affordable security certification schemes for ICT products and services, in line with EU privacy requirements. The Commission also encourages the development of good security practices and specific training programs for providers of electronic communications services. Also, the insurance sector should be involved, possibly through the development of specific risk-management solutions and products that focus on ICT-related risks. EU member states, on the other hand, are not only expected to cooperate in the above-mentioned benchmarking exercise, but they should also support security awareness campaigns as well as the inclusion of NIS programs in higher education curricula. Through their e-government services, member states should promote "good security practices" so they are a source of inspiration for other sectors.

EU Initiatives Expected in 2006

The Commission has announced that it would take several initiatives in the course of this year to enhance network and information security, which include a communication on the evolution of spam and malware, as well as a specific communication on cybercrime (with a focus on how to improve cooperation among national law enforcement agencies). In the broader context of global efforts to improve network and information security, the Commission recently confirmed that the EU will continue to play an active role in the upcoming discussions on Internet security at the Internet Governance Forum, which is expected to hold its next meeting in Athens, Greece, on Oct. 30, 2006.

Wim Nauwelaerts is a lawyer in the Brussels office of Hogan & Hartson L.L.P., specializing in EU privacy and data protection law. He can be reached by email at wnauwelaerts@hhlaw.com or via telephone at +32 2 505 09 11.

