The Agency has published a study into legal and regulatory aspects of information sharing and cross-border collaboration of national/governmental CERTs in Europe. The report analyses what effects these aspects have on cross border information sharing between CERTs. The conclusion is that there exists a delicate balance of investigating, managing and mitigating computer incidents, whilst respecting rights and obligations provided for by certain legal and regulatory frameworks, including data protection and privacy provisions.

CERTs are crucial in cross border co-ordination of computer incidents and in order to perform their important role they need to exchange information. Cross border information exchange requires complex legal factors to be considered. CERTs in different countries have differing legal grounds to request from and transmit information to other teams. Furthermore, the information exchanged might be personal data and therefore subject to specific privacy provisions. In addition, CERTs, including national/governmental CERTs, have varying mandates. The study identifies these legal and regulatory factors, and performs an assessment of what effects they have on cross-border information sharing between CERTs. Among others, one of the findings of this study is that, in practice, data protection, data retention, and obligations to work with law enforcement are the greatest challenges for cross-border CERT co-operation.

The Executive Director of ENISA, Professor Udo Helmbrecht, comments: "CERTS have to perform a delicate balancing act between investigating, managing, and mitigating incidents, and at the same time protecting privacy, data, and integrity. Clearly, cross border exchange of information should not be considered as a risk to fundamental rights, as exchanges are a precondition for effective response to cyber ICT incidents, as well as to protect these very rights. Poor cyber security can in effect undermine the exercise of your human rights.”

Samples of medium/long term policy intervention recommendations include:

• Clarification of the differences between national legal frameworks;

• Adoption of EU legislation that takes account of the scope of national/governmental CERTs;

• Specification of a threshold for incidents requiring national/governmental CERT response & information sharing;

• Explanation of why CERTs need to process personal data for relevant authorities to establish clarity under what circumstances this data may be shared across borders;

• Inclusion of information on the legal basis for information requests.

For FULL REPORT

Background: EU Commission 2011 Critical Information Infrastructure Protection Communication

For interviews: Ulf Bergstrom, Spokesman, ENISA, press@enisa.europa.eu, Mobile: + 30 6948 460 143, or Silva Portesi, Expert, cert-relations Q enisa.europa.eu