Webcon Ad_300x250_NYMITY_FINAL

Wim Nauwelaerts

In a recent communication titled, "A Strategy for a Secure Information Society - Dialogue, Partnership and Empowerment" (COM(2006)251), the European Commission underscores the importance of continuous cooperation among different stakeholders to improve and information security (NIS). This communication is mainly aimed at "updating" the Commission's previous strategy - which dates from 2001 - in light of the newest security challenges that the Information Society is facing today.

Key Challenges for ICT Security

There are several reasons why the Commission considers it necessary to revitalize the existing European strategy for network and information security. First of all, cross-border attacks on NIS are increasingly driven by economic motives, which make them even more harmful than attacks that only have disruptive effects on networks. Spam, for example, is becoming a popular medium for infecting networks with spyware, phishing or other types of malicious software. The increasing use of mobile devices, mobile-based network services and the application of so-called "ambient intelligence" (i.e. RFID technology) in daily life also are adding a complicating factor to the debate over how to ensure NIS. In addition, the Commission is particularly concerned that increased use of "off-the-shelf"-software may lead to "monocultures" of certain software solutions, which would make it easier to spread security threats such as malware and viruses on a large scale, quickly. The most important challenge, however, appears to be the fact that businesses and individuals in Europe still underestimate the risks of using Information and Communication Technologies (ICTs) that are not sufficiently secure. The Commission has expressed concerns that individuals do not always realize that their home equipment is often the weakest link in overall network security. Many companies view security measures purely as a 'negative cost,' rather than appreciating the opportunity to bolster their business through enhanced security. Individuals, as well as businesses, using ICTs are currently failing to take up their "responsibility in the global security chain," at least according to the Commission.

Threefold Approach to Security Enhancement

In the Commission's view, effective network and information security calls for a coordinated strategy involving all three levels of action currently undertaken by the European Community. Since 2001, specific measures have been taken at the EU level to improve NIS, including the creation of the European Network Information Agency (ENISA). Based on the Isle of Crete (Greece), ENISA assists the Commission and EU member states in addressing security-related issues, for instance by providing advice, recommendations and data analysis services. ENISA started its operations in Crete in September 2005, but is expected to play a more prominent role with regard to NIS-enhancement in the years to come.

In parallel with specific NIS-measures, the EU regulatory framework for electronic communications, as well as general EU data privacy rules, include provisions aimed at promoting security and confidentiality of online communications. Article 4 of the E-Privacy Directive, for example, requires that a provider of electronic communications services takes "appropriate technical and organizational measures to safeguard security of its services." What constitutes an "appropriate" security measure under Article 4 likely is to be interpreted differently from one member state to another - a divergence which complicates the provision of cross-border electronic communications services in particular. The
regulatory framework for electronic communications currently is being reviewed by the Commission, but whether or not the existing security provisions will be amended, is still unclear at this point.

A third area of security enhancement efforts the Commission intends to coordinate more closely is the fight against cybercrime. Noteworthy initiatives to combat cybercrime via international cooperation include the Convention of Cybercrime (adopted by the Council of Europe in 2001) and the 2002 Proposal for a Council Framework Decision on attacks against Information systems. In addition, the UN-driven World Summits on the Information Society (held in 2003 and 2005) resulted in the "Tunis Agenda" and the "Tunis Commitments," which emphasize the need for a global alliance against cybercrime, while ensuring the protection of human rights and fundamental freedoms - including privacy and freedom of expression.  

A Policy Based on Dialogue, Partnerships and Empowerment   

To develop a secure Information Society, the Commission is proposing a new policy that requires the active participation of public administrations, companies, as well as individual users of ICTs. Such policy should be based on open and enhanced dialogue, the establishment of strategic partnerships and empowerment of each stakeholder group.

  • Dialogue: ENISA will be asked to be involved in the benchmarking of existing NIS-related policies at the member state-level, the purpose of which is to identify "best practices." These "best practices" could then be used by public administrations in the different member states to evaluate and, if necessary, optimize their security policies. In addition, the Commission intends to organize separate events targeting industry and end-users with the aim of raising awareness for NIS-issues. The upcoming Conference "i2010 -Towards a Ubiquitous European Information Society" and the public consultation on RFID that is ongoing, also are expected to foster stakeholder dialogue.
  • Partnerships: The Commission is convinced that, without reliable and updated information regarding security trends, incidents and challenges throughout Europe, it would be difficult to adopt the necessary policymaking decisions. The Commission is planning to ask ENISA to develop a partnership among the EU member states and other stakeholders to set up a data collection framework for that particular purpose. Furthermore, it is expected that ENISA also will conduct a feasibility study on the establishment of a pan-European, multilingual portal for sharing information on security treats, risks and alerts.          
  • Empowerment: According to the Commission, private sector stakeholders should play a vital role in enhancing NIS, and in its recent communication, the Commission has identified a number of private initiatives that industry should consider. For instance, companies should cooperate to develop affordable security certification schemes for ICT products and services, in sync with EU privacy requirements. The Commission also encouraged the development of good security practices and specific training programs for providers of electronic communications services. Also, the insurance sector should be involved, possibly through the development of specific risk-management solutions and products that focus on ICT-related risks. EU member states, on the other hand, are not only expected to cooperate in the above-mentioned benchmarking exercise, but they also should support security awareness campaigns as well as the inclusion of NIS-programs in higher education curricula. Through their e-government services, member states should promote "good security practices" so they are a source of inspiration for other sectors.   

EU Initiatives Expected in 2006

The Commission has announced that it would take several initiatives in the course of this year to enhance network and information security, which include a communication on the evolution of spam and malware, as well as a specific communication on cybercrime (with a focus on how to improve cooperation among national law enforcement agencies). In the broader context of global efforts to improve network and information security, the Commission recently confirmed that the EU will continue to play an active role in the upcoming discussions on Internet security at the Internet Governance Forum, which is expected to hold its next meeting in Athens, Greece, on Oct. 30, 2006.

Wim Nauwelaerts is a lawyer in the Brussels' office of Hogan & Hartson L.L.P., specializing in EU privacy and data protection law. He can be reached by email at wnauwelaerts@hhlaw.com or via telephone at +32 2 505 09 11.


If you want to comment on this post, you need to login.


Board of Directors

See the esteemed group of leaders shaping the future of the IAPP.

Contact Us

Need someone to talk to? We’re here for you.

IAPP Staff

Looking for someone specific? Visit the staff directory.

Learn more about the IAPP»

Daily Dashboard

The day’s top stories from around the world

Privacy Perspectives

Where the real conversations in privacy happen

The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

Privacy Tracker

Alerts and legal analysis of legislative trends

Privacy Tech

Exploring the technology of privacy

Canada Dashboard Digest

A roundup of the top Canadian privacy news

Europe Data Protection Digest

A roundup of the top European data protection news

Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

Latin America Dashboard Digest

A roundup of the top privacy news from Latin America

IAPP Westin Research Center

Original works. Groundbreaking research. Emerging scholars.

Get more News »

IAPP Communities

Meet locally with privacy pros, dive deep into specialized topics or connect over common interests. Find your Community in KnowledgeNet Chapters, Sections and Affinity Groups.

IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

Join the Privacy List

Have ideas? Need advice? Subscribe to the Privacy List. It’s crowdsourcing, with an exceptional crowd.

Find a KnowledgeNet Chapter Near You

Talk privacy and network with local members at IAPP KnowledgeNet Chapter meetings, taking place worldwide.

Find more ways to Connect »

Find a Privacy Training Class

Two-day privacy training classes are held around the world. See the complete schedule now.

NEW! Raise Staff Awareness

Equip all your data-handling staff to reduce privacy risk, with Privacy Core™ e-learning essentials.

Online Privacy Training

Build your knowledge. The privacy know-how you need is just a click away.

The GDPR requires 75,000 DPOs

What’s the formula for DPO success? IAPP CIPP/E and CIPM training, certifications and our global privacy conferences.

Upcoming Web Conferences

See our list of upcoming web conferences. Just log on, listen in and learn!

Train Your Team

Get your team up to speed on privacy by bringing IAPP training to your organization.

Learn more »

CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

CIPT Certification

The industry benchmark for IT professionals worldwide to validate their knowledge of privacy requirements

NEW! FIP Designation

Recognizing the advanced knowledge and issue-spotting skills a privacy pro must attain in today’s complex world of data privacy.

Certify Your Staff

Find out how you can bring the world’s only globally recognized privacy certification to a group in your organization.

Learn more about IAPP certification »

IAPP-OneTrust PIA Platform

Simplify privacy impact assessments with this cloud-based customizable platform - free to IAPP members!

72% say privacy is now a board-level concern

Find out more about privacy governance in the IAPP-EY Annual Privacy Governance Report 2016.

Privacy Vendor List

Find a privacy vendor to meet your needs with our filterable list of global service providers.

IAPP Communities

Meet locally with privacy pros, dive deep into specialized topics or connect over common interests. Find your Community in KnowledgeNet Chapters, Sections and Affinity Groups.

More Resources »

Time to Get to Work at the Congress

It's almost here! Thought leadership, a thriving community and unrivaled education...the Congress prepares you for the challenges ahead. Register now!

Plan for the Summit

The world’s premier privacy conference returns with the sharpest minds, unparalleled programs and preeminent networking opportunities. Registration opens December 19!

Intensive Education at the Practical Privacy Series

This year's Series spotlights Data Breach, FTC and Consumer Privacy, GDPR and Government privacy issues. It’s the education you need NOW. Early bird ends Nov. 4!

Speak at the Symposium

The call for speakers is open! The Symposium returns to Toronto this Spring and programming is now underway. Looking to share your privacy prowess? Submit by November 20!

Sponsor an Event

Increase visibility for your organization—check out sponsorship opportunities today.

More Conferences »

Become a Member

Start taking advantage of the many IAPP member benefits today

Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits

Join the IAPP»