Ms Lorena Boix Alonso:

I thank the Deputy for the very good questions and analysis. I will begin with the question on whether there is an issue with implementation. There is an issue with the nature of the NIS directive. A number of sectors are included and it is up to member states to decide which companies to identify. We are in the hands of member states. This is why we decided to propose a revision of the directive. We were facing situations where some member states, including Ireland, had identified, for example, a huge number of hospitals in the health sector. Other member states had not identified any. This was not ideal for merging. This is what we are now trying to fix with the new NIS directive. All of the sectors identified will be extended and companies will be covered automatically and, therefore, subject to these obligations. The nature of the legislative technique will make a difference. That being said, what is clear and what has to be acknowledged is that we constantly receive input, including in the context of the negotiations, from member states complaining they do not have sufficient resources. This is not something I can evaluate because I do not have the exact picture. The solution we propose is to have an overview in the new directive. It is very valuable to know the amount of money, and let us hope it is only money, that is being lost due to cyberattacks.

Are we putting the right resources into cybersecurity at all levels? That may include ourselves in the European Union in that. This is a very valid idea which probably goes beyond purely implementing legislative acts.

On ransomware I do not have much to add. Of course, under the NIS directive if there is an incident there is an obligation to notify if one is covered. A different thing is the whole debate about communicating payment or non-payment. Again, that is also a very valid debate.

The Deputy's main question was about the joint cyber unit. What is the joint cyber unit? My first answer is that the joint cyber unit will be what member states decide they want it to be. The European Commission is perfectly aware that this is a subject where there is a lot of sovereign power of member states, which is why the Commission came with our recommendation on a process to set up the joint cyber unit. This would then go to the Council to be blessed. In a way we said this is our proposal and left it up to the member states to decide.

The idea that we have is basically to set up something that to date has not existed. There is a gap. The gap is that right now there are a number of different communities, including the international community with the cyber toolbox, the law enforcement community and the civil community. Very often large-scale incidents happen together because it is not only a civil attack but a criminal attack. As the MEP correctly said, very often it comes from third countries so there is an international angle and sometimes a different angle. What we are missing today is a structure, a network, a one-stop shop, that is, a single point of contact. It can be defined in many different ways but it is a way to co-ordinate all of these communities when something big happens.

What are the advantages of having a joint cyber unit? Of course, the idea is to have well-defined roles and responsibilities so that if something happens, everybody knows who does what and whom to call. There would be a crisis response plan to a cybersecurity incident. There would also be constantly updated information and situational reports because the entire community would have the same information. The Deputy rightly asked about these cybersecurity rapid-reaction teams that we propose. The idea is not at all to create an army. The idea was very much like what we have today in the civil protection mechanism, the civil reaction teams. For example, during the summer there were fires in many member states and those member states that had capacity available helped member states that were in trouble if they so wished. The request for help is voluntary. That is basically what we had in mind and these are the types of ideas that are currently being discussed with member states.