The Elephant in the Room: Engaging with EU Legislative Processes
More than 72% of RIPE NCC members (just over 6,500 LIRs) are based in the 28 countries that make up the European Union (EU), and are therefore directly affected by the laws developed within the various institutions of the EU. But as one of the largest policy-making bodies in the world, the effects of EU regulation are felt well beyond those member states - as well as having an impact on any company doing business with European companies or governments, the EU's regulations, guidelines and definitions often influence other governments looking to develop their own policy frameworks.
Why Engage with the European Union?
In terms of the RIPE community, the RIPE NCC and its membership, current EU legislation touches on a number of extremely relevant subjects, including electronic communications policy, data protection and cybersecurity. Looking to the immediate future, there are pieces of proposed legislation moving through the law-making process that consider issues such as Network Information Security (NIS) and the use of electronic identification (eID), both of which are considered in more detail in this article.
In areas where the RIPE community and RIPE NCC membership have a clear interest, the RIPE NCC is uniquely placed to provide input to participants in the EU policy-making process, including European Commission staff, Members of the European Parliament (MEPs) and national government representatives. This input is informed by discussion with RIPE community members and the analysis of RIPE NCC staff, and may relate to technical issues, potential effects on network operators and the Internet industry, or implications for the RIPE NCC itself.
The RIPE NCC is also well placed to inform the RIPE community of recent and upcoming developments in this space, and to facilitate cooperation and cross-participation between RIPE community members and EU institutions.
How Does the RIPE NCC Engage?
EU legislation is initially drafted and proposed by the European Commission, before being discussed by Members of the European Parliament (often in one or more of its 22 Parliamentary Committees) and the Council of the EU (made up of Ministers from the 28 Member States). Agreed legislation is then passed into law and implemented by the Commission and the national governments of the individual Member States (whose laws may need to be adjusted based on EU Directives or Regulations). From beginning to end, this process can take several years for any single piece of legislation.
For stakeholders wishing to engage with policy-making, this process obviously poses a number of challenges, especially in terms of following what legislation is being proposed and what stage of the legislative process it has reached. Affecting the outcome of EU policy discussions requires speaking to the right participants at the right time - for instance, speaking to Commission staff once legislation has moved to discussion in the Parliament is unlikely to have much impact.
With limited resources to devote to following EU processes, the RIPE NCC's strategy relies on communicating and sharing information with RIPE community members and other relevant stakeholders, including national governments, regulators and law enforcement agencies. The ideal outcome is to provide a collective understanding of:
- What relevant legislation is being developed
- Who in the community might be affected (and how)
- Which organisation is best placed to provide input to the EU institutions, and
- How this input can be provided most effectively
In cases where a significant part of the RIPE community or the RIPE NCC itself will be affected, the RIPE NCC can work with the community to develop a response that can be submitted in the name of the RIPE NCC. Additionally, the RIPE NCC can assist the RIPE community by producing clear, straightforward statements that can then be submitted, either in whole or in part, by community members communicating with their national governments or relevant MEPs.
The remainder of this article considers two current examples of proposed legislation which the RIPE NCC is actively following.
Example 1: Electronic Identification (eID) and Trust Services
In June 2013, the RIPE NCC sent out a letter to a number of MEPs regarding an EU Regulation proposed by the European Commission regarding electronic identification and trust services within the EU.
The background to this letter included a presentation by Andrea Servida, of the European Commission Directorate General for Communications Networks, Content & Technology (DG CONNECT) on this proposal at the RIPE 66 Cooperation Working Group, which was in turn prompted by RIPE community concerns regarding the scope of the proposed Regulation. While Mr Servida's presentation marked a positive development in terms of the Commission's engagement with the Internet technical community, many continued to have concerns about the proposal, and on this basis, the RIPE NCC worked with some of those community members to develop its statement.
The proposed Regulation is an effort to establish "a clear legal framework [on e-signatures and the mutual recognition of e-identification and authentication] so as to eliminate fragmentation and the lack of interoperability, enhance digital citizenship and prevent cybercrime."
The RIPE NCC statement identified three specific concerns:
- The scope of the Regulation, specifically its potential to conflict with the open, bottom-up development of protocols and technical standards for securing communication.
- The proposal's establishment of "trusted lists" separate to (and potentially conflicting with) digital "chain-of-trust" mechanisms.
- The proposal's specification of requirements for the provision of security trust services, again in possible conflict with standards developed in existing forums.
Based on discussion with various MEPs and others, it was determined that around mid-2013 it would make sense to reach out to MEPs involved in "compromise proceedings" to finalise the text of the proposal (see the email to the RIPE Cooperation Working Group from Swedish MEP Amelia Andersdotter).
The RIPE NCC sent its statement on 28 June 2013. We are currently determining what further action may be useful, including reaching out to national governments as they prepare national positions going into Council discussions.
Example 2: Network and Information Security (NIS)
More recently, the RIPE NCC has been made aware of community concerns with another piece of proposed legislation:
- Directive of the European Parliament and of the Council Concerning Measures to Ensure a High Common Level of Network and Information Security Across the Union
The aim of this legislation is "to ensure a high common level of network and information security (NIS) across the EU", specifically through the establishment of national Computer Emergency Response Teams (CERTs), improved information sharing between national authorities and required reporting on risk levels and security incidents by providers of "information society services". The Directive forms part of a broader EU cybersecurity strategy, which also includes a public-private cooperative NIS Platform (which builds on the work of the European Public-Private Partnership for Resilience (EP3R), to which the RIPE NCC contributed).
The concerns noted by several RIPE community members again focus on issues of scope, compatibility with other EU legislation (specifically the "Framework Directive"), impact on network operators (particularly small and medium-sized operators) and potential conflict with existing national network security arrangements. There is also the possibility that implementation would impose certain reporting obligations on the RIPE NCC itself, depending on the definition of "information society services".
The RIPE NCC is currently communicating with a number of our member organisations and RIPE community members, and is considering developing a statement reflecting the concerns that have been raised. A draft of any such statement would first be put before the community via the RIPE Cooperation Working Group mailing list. We also hope to discuss the issue at the RIPE 67 Cooperation Working Group session.
We strongly encourage any feedback, comments or questions from all interested parties, either on the mailing list or during RIPE 67.