JUDGMENT OF THE COURT (Grand Chamber)
2 May 2006
(Regulation (EC) No 460/2004 – European Network and Information Security Agency – Choice of legal basis)
In Case C-217/04,
ACTION for annulment under Article 230 EC, brought on 20 May 2004,
United Kingdom of Great Britain and Northern Ireland, represented by M. Bethell, acting as Agent, and by Lord Goldsmith QC, N. Paines QC and T. Ward, Barrister,
European Parliament, represented by K. Bradley and U. Rösslein, acting as Agents, with an address for service in Luxembourg,
Council of the European Union, represented by M. Veiga and A. Lopes Sabino, acting as Agents,
Republic of Finland, represented by T. Pynnä and A. Guimaraes-Purokoski, acting as Agents,
Commission of the European Communities, represented by F. Benyon and M. Shotter, acting as Agents, with an address for service in Luxembourg,
THE COURT (Grand Chamber),
composed of V. Skouris, President, P. Jann, C.W.A. Timmermans, A. Rosas and J. Malenovský, Presidents of Chambers, R. Schintgen, N. Colneric, S. von Bahr, J.N. Cunha Rodrigues, R. Silva de Lapuerta (Rapporteur), M. Ilešič, J. Klučka and U. Lõhmus, Judges,
Advocate General: J. Kokott,
Registrar: K. Sztranc, Administrator,
having regard to the written procedure and further to the hearing on 7 September 2005,
after hearing the Opinion of the Advocate General at the sitting on 22 September 2005,
gives the following
1 By its application the United Kingdom of Great Britain and Northern Ireland is seeking annulment of Regulation (EC) No 460/2004 of the European Parliament and of the Council of 10 March 2004 establishing the European Network and Information Security Agency (OJ 2004 L 77, p. 1; ‘the regulation’).
2 By order of the President of the Court of 25 November 2004 the Republic of Finland and the Commission of the European Communities were granted leave to intervene in support of the European Parliament and the Council of the European Union.
General Community legislation
3 Article 1(1) of Directive 2002/21/EC of the European Parliament and of the Council of 7 March 2002 on a common regulatory framework for electronic communications networks and services (Framework Directive) (OJ 2002 L 108, p. 33) seeks to establish a harmonised framework for the regulation of electronic communications services and associated facilities and services. It lays down, inter alia, the tasks of national regulatory authorities and establishes a set of procedures to ensure the harmonised application of the regulatory framework throughout the Community.
4 Community legislation relating to electronic communications networks also includes the following directives (‘the specific directives’):
– Directive 2002/19/EC of the European Parliament and of the Council of 7 March 2002 on access to, and interconnection of, electronic communications networks and associated facilities (Access Directive) (OJ 2002 L 108, p. 7);
– Directive 2002/20/EC of the European Parliament and of the Council of 7 March 2002 on the authorisation of electronic communications networks and services (Authorisation Directive) (OJ 2002 L 108, p. 21);
– Directive 2002/22/EC of the European Parliament and of the Council of 7 March 2002 on universal service and users’ rights relating to electronic communications networks and services (Universal Service Directive) (OJ 2002 L 108, p. 51);
– Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) (OJ 2002 L 201, p. 37);
– Directive 1999/93/EC of the European Parliament and of the Council of 13 December 1999 on a Community framework for electronic signatures (Electronic Signatures Directive) (OJ 2000 L 13, p. 12);
– Directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000 on certain legal aspects of information society services, in particular electronic commerce, in the internal market (Directive on electronic commerce) (OJ 2000 L 178, p. 1).
5 By Decision 2002/627/EC of 29 July 2002 (OJ 2002 L 200, p. 38) the Commission established the European Regulators Group for Electronic Communications Networks and Services.
6 The regulation was adopted on the basis of Article 95 EC. Article 1(1) of the regulation establishes a European Network and Information Security Agency (‘the Agency’).
7 Under Article 1(2) of the regulation, the role of the Agency is to ‘assist the Commission and the Member States, and in consequence cooperate with the business community, in order to help them to meet the requirements of network and information security, thereby ensuring the smooth functioning of the internal market, including those set out in present and future Community legislation, such as in the Directive 2002/21/EC’.
8 Article 2 of the regulation, entitled ‘Objectives’, is worded as follows:
‘1. The Agency shall enhance the capability of the Community, the Member States and, as a consequence, the business community to prevent, address and respond to network and information security problems.
2. The Agency shall provide assistance and deliver advice to the Commission and the Member States on issues related to network and information security falling within its competencies as set out in this regulation.
3. Building on national and Community efforts, the Agency shall develop a high level of expertise. The Agency shall use this expertise to stimulate broad cooperation between actors from the public and private sectors.
4. The Agency shall assist the Commission, where called upon, in the technical preparatory work for updating and developing Community legislation in the field of network and information security.’
9 Article 3 of the regulation defines the tasks which the Agency must perform ‘[i]n order to ensure that the scope and objectives set out in Articles 1 and 2 are complied with and met’. Its tasks are to:
‘(a) collect appropriate information to analyse current and emerging risks and, in particular at the European level, those which could produce an impact on the resilience and the availability of electronic communications networks and on the authenticity, integrity and confidentiality of the information accessed and transmitted through them, and provide the results of the analysis to the Member States and the Commission;
(b) provide the European Parliament, the Commission, European bodies or competent national bodies appointed by the Member States with advice, and when called upon, with assistance within its objectives;
(c) enhance cooperation between different actors operating in the field of network and information security, inter alia by organising, on a regular basis, consultation with industry [and] universities, as well as other sectors concerned and by establishing networks of contacts for Community bodies, public sector bodies appointed by the Member States, private sector and consumer bodies;
(d) facilitate cooperation between the Commission and the Member States in the development of common methodologies to prevent, address and respond to network and information security issues;
(e) contribute to awareness raising and the availability of timely, objective and comprehensive information on network and information security issues for all users by, inter alia, promoting exchanges of current best practices, including on methods of alerting users, and seeking synergy between public and private sector initiatives;
(f) assist the Commission and the Member States in their dialogue with industry to address security-related problems in the hardware and software products;
(g) track the development of standards for products and services on network and information security;
(h) advise the Commission on research in the area of network and information security as well as on the effective use of risk prevention technologies;
(i) promote risk assessment activities, interoperable risk management solutions and studies on prevention management solutions within public and private sector organisations;
(j) contribute to Community efforts to cooperate with third countries and, where appropriate, with international organisations to promote a common global approach to network and information security issues, thereby contributing to the development of a culture of network and information security;
(k) express independently its own conclusions, orientations and … advice on matters within its scope and objectives.’
10 Chapters 2 and 3 of the regulation relate, respectively, to the organisation and operation of the Agency.
Arguments of the parties
11 In support of its application for annulment of the regulation the United Kingdom submits that Article 95 EC does not provide an appropriate legal basis for the adoption of that regulation. The power conferred on the Community legislature by Article 95 EC is the power to harmonise national laws and not one which is aimed at setting up Community bodies and conferring tasks upon such bodies.
12 According to the United Kingdom, the analysis to be carried out consists in determining whether the instrument adopted under Article 95 EC achieves a result which could be achieved by the simultaneous enactment of identical legislation in each Member State. If so, the regulation harmonises national law. If, on the other hand, the regulation ‘does something’ that could not have been achieved by the simultaneous enactment of identical legislation at Member State level, that is to say if it legislates in fields which are beyond the capacity of individual Member States, then it is not a harmonising measure.
13 The United Kingdom admits that a harmonisation measure adopted pursuant to Article 95 EC may contain provisions which do not, themselves, amount to a harmonisation of national laws where those provisions are merely incidental or correspond to the implementation of provisions which do not, themselves, harmonise national laws.
14 The United Kingdom submits that none of the provisions of the regulation approximates, even indirectly and in a very minor way, national legislation. On the contrary, the Agency is expressly precluded from interfering with the competences of national bodies since it must limit itself to providing non-binding advice in the area concerned.
15 The United Kingdom maintains that the regulation responds to the risk to the smooth functioning of the internal market arising from the complexity of the matter not by harmonising national rules, but by creating a Community body with an advisory role. The fact that a Community measure may be beneficial to the functioning of the internal market does not mean that it constitutes a harmonisation measure within the meaning of Article 95 EC.
16 The United Kingdom states that giving non-binding advice cannot amount to an ‘approximation of the provisions laid down by law, regulation or administrative action in the Member States’ within the meaning of Article 95 EC. Moreover, the dissemination of such advice may in practice increase the disparities which exist between national laws. It is entirely a matter of speculation as to whether in practice the advice given by the Agency will lead the Member States to exercise, in a similar manner, the discretion granted to them under the Framework Directive and the specific directives.
17 The United Kingdom draws attention to the fact that the functions of the Agency are limited to developing expertise and giving advice to a wide range of potential recipients and the only possible connection which might exist between the tasks which it carries out and the harmonisation of law is the one which results from the fact that it assists the Commission. However, that role, which seems to be a technical research function, is too far removed from Community legislation seeking harmonisation of national legislation.
18 The United Kingdom is of the view that the existence of the Framework Directive and the specific directives cannot alter that analysis. The Agency’s activities have a much wider scope than the directives. In addition, the giving of non-binding advice, as provided for in the regulation, does not facilitate the implementation of those directives since that task is reserved exclusively to the competent bodies in the Member States and not to the Agency.
19 It points out that the role conferred upon the Agency is more extensive than that determined by the scope of the specific directives since the regulation is concerned with the security not only of communications networks but also of information systems such as databases.
20 The United Kingdom also submits that the regulation is inadequately reasoned in relation to the question of the likely emergence of obstacles to trade resulting from the existence of different national requirements as to information security. A reference to the mere possibility of the heterogeneous application of network security requirements and the fact that these requirements can lead to inefficient solutions and obstacles to the internal market cannot constitute sufficient reasoning in this regard.
21 Furthermore, the United Kingdom acknowledges that the creation of the Agency does serve a desirable purpose, namely the establishment, by the Community, of its own centre of expertise in the field of network and information security. It also states that it does not object to the content of the provisions of the regulation. However, it comes to the conclusion from the arguments which it puts forward as a whole that that regulation should have been based on Article 308 EC.
22 The Parliament maintains that Article 95 EC does not define the degree to which the Community measure at issue must approximate the legal orders of the Member States. The EC Treaty does not require that measures based on that legal basis approximate substantive rules of national legislation where a lesser degree of Community action would be more appropriate. It is sufficient that a measure based on that provision is for the approximation of national provisions, even if that measure does not, itself, carry out such an approximation.
23 The Parliament points out that the regulation seeks to ensure the approximation of certain provisions that the Member States have adopted or are about to adopt in the area of information and network security with a view to facilitating the efficient implementation of existing Community legislation on the subject. In this context, the use of a different and more restrictive legal basis would be incoherent, given that the regulation should be regarded as complementary to a group of directives concerning the internal market in electronic communications networks and services.
24 The Parliament claims that the legislature considered it appropriate to adopt a common approach to current and foreseeable problems concerning network and information security by establishing a body responsible for advising the public authorities at Community and national level in the context of close consultation with the private sector. The three fields of activity of the Agency, namely the collection and dissemination of information, the provision of advice and the promotion of cooperation, contribute to the adoption of a common approach to different aspects of network and information security.
25 The Parliament submits that while the Community could in theory have adopted rules harmonising the provisions of the Member States concerning all or some of the matters dealt with in the regulation, the Community legislature, given the technical complexity of the area in question and its rapidly evolving character, drew up the regulation in order to prevent the emergence of obstacles to trade and the loss of efficiency which would arise from the uncoordinated adoption by the Member States of technical and organisational applications. It sought to achieve this by means of ‘low-intensity approximation’, enabling the Member States to adopt homogeneous measures to implement the various Community instruments on electronic communications, by establishing a centre of expertise providing guidance, advice and assistance in the area.
26 The Parliament adds that the fact that the substantive harmonising provisions were set out in the Framework Directive and specific directives does not alter the character of the regulation as a complementary measure designed to facilitate the implementation of those directives.
27 According to the Parliament, the functions of the Agency are relatively modest in that they do not include the power to adopt ‘standards’. The provision of advice by a single authoritative source of expertise at the European level contributes to the adoption of common positions in situations where the Community and the national bodies run the risk of receiving conflicting technical advice. The various forms of cooperation promoted by the Agency also facilitate the approximation of market conditions and the adoption by the Member States of measures which tackle information security problems.
28 The Parliament remarks finally that, should the Court conclude that the regulation could not be based on Article 95 EC, it could, in any event, be based on implied powers conferred on the Community legislature by that very provision. As regards such implied powers, the creation of the Agency could be regarded as indispensable to the achievement of the objectives pursued by the specific directives.
29 The Council considers that the approximation provided for in Article 95 EC concerns not only national laws but also regulations or administrative action of the Member States. Moreover, acts adopted on that legal basis can contain provisions which do not, in themselves, constitute harmonisation measures, but which facilitate the approximation of national laws. In particular, nothing in the wording of that article prevents the legislature from creating a Community body entrusted with the task of providing expertise in an area which is already subject to harmonisation measures.
30 The Council states in that regard that Article 95 EC does not prevent the Community legislature from adopting measures to prevent the emergence of future obstacles to trade resulting from the heterogeneous development of national laws. It is empowered to adopt acts which, even if they are not in themselves harmonising rules, relate directly to the approximation of national rules, in particular in order to prevent the development of ineffective solutions and the heterogeneous development of the laws of the Member States.
31 The Council maintains that, by assisting the Commission in the technical preparatory work for drawing up Community legislation, the Agency will provide, even by means of non-binding advice, a decisive contribution to the harmonisation of national laws and practices in the field of network and information security and to updating, developing and implementing that legislation.
32 According to the Council, the opinion of an independent authority, providing technical advice at the request of the Commission and the Member States, facilitates the transposition of directives adopted on the subject into the laws of the Member States. The regulation does not therefore have an incidental or subsidiary effect on harmonising market conditions within the Community, but contributes directly to the approximation of national laws.
33 The Council submits, finally, that Article 308 EC confers on the Community legislature only a residual legislative power in areas where substantive legislative authority to attain certain objectives has not been attributed to the Community. Where a specific legal basis exists for the adoption of a Community act recourse to Article 308 EC is precluded since the latter is only a ‘default’ legal basis.
34 The Republic of Finland submits that the objectives and content of the regulation are closely linked to the establishment and smooth functioning of the internal market. The basic task of the Agency consists in ensuring high-level and effective network and information security and in reducing the obstacles to the working of the internal market presented by the differences between the laws of the Member States in the area.
35 The Republic of Finland considers that the Agency facilitates the uniform application of Community provisions in relation to electronic communications networks and services. The Agency aims in particular to prevent the emergence of future obstacles to trade which are likely to arise as a result of the complex and technical nature of electronic networks and the differing practices of the Member States.
36 The Republic of Finland submits that, when considering the legal basis for the provisions establishing a Community body, it is appropriate to keep in mind the degree of approximation of the Community legislation concerning the area at issue. Given that the harmonisation of the Community provisions on electronic communications networks and services is already well advanced, the legislation adopted at Community level may require measures going further than those usually adopted in the area in order to ensure uniform practice in the application of those provisions.
37 The Commission considers that the regulation is, in its aim and content, a measure which directly facilitates the implementation and the harmonised application of certain directives based on Article 95 EC. One of the principal characteristics of the existing legislation resides in the fact that much of the detailed application of that legislation is decentralised and conferred on the national regulatory authorities.
38 The Commission submits that the creation of the Agency is part of a broader notion of harmonisation, facilitating in particular the harmonised application of Community directives by national regulatory authorities. The objective of the regulation goes beyond the mere creation of the Agency since that agency must provide advice and assistance to the Commission and the national regulatory authorities. Therefore, there is a link between the creation of that agency and the legislative Community framework in relation to electronic communications.
39 The Commission states that the Framework Directive creates a harmonised system for the regulation of electronic communications services and networks, and associated resources. It lays down the tasks of national regulatory authorities, establishing a set of procedures to ensure the harmonised application of the mechanism concerned throughout the Community.
40 It points out that even if the framework for the decentralised application of the directives is clearly defined, the national regulatory authorities may, in exercising their discretion, adopt different positions. The Agency was established to assist those authorities to achieve a common technical understanding of network and information security issues.
41 The Commission adds that the Agency functions within the harmonised parameters of the electronic communications Community legislative framework and it does not matter that the role of that body was not defined when that general framework was adopted.
Findings of the Court
The scope of Article 95 EC
42 As regards the scope of the legislative powers laid down in Article 95 EC it must be observed that, as the Court held in paragraph 44 of the judgment in Case C-66/04 United Kingdom v Parliament and Council  ECR I-0000, that provision is used as a legal basis only where it is actually and objectively apparent from the legal act that its purpose is to improve the conditions for the establishment and functioning of the internal market.
43 The Court also pointed out in paragraph 45 of that judgment that by using the expression ‘measures for the approximation’ in Article 95 EC the authors of the Treaty intended to confer on the Community legislature a discretion, depending on the general context and the specific circumstances of the matter to be harmonised, as regards the method of approximation most appropriate for achieving the desired result, in particular in fields with complex technical features.
44 It must be added in that regard that nothing in the wording of Article 95 EC implies that the addressees of the measures adopted by the Community legislature on the basis of that provision can only be the individual Member States. The legislature may deem it necessary to provide for the establishment of a Community body responsible for contributing to the implementation of a process of harmonisation in situations where, in order to facilitate the uniform implementation and application of acts based on that provision, the adoption of non-binding supporting and framework measures seems appropriate.
45 It must be emphasised, however, that the tasks conferred on such a body must be closely linked to the subject-matter of the acts approximating the laws, regulations and administrative provisions of the Member States. Such is the case in particular where the Community body thus established provides services to national authorities and/or operators which affect the homogenous implementation of harmonising instruments and which are likely to facilitate their application.
Conformity of the regulation with the requirements of Article 95 EC
46 In those circumstances, it must be examined whether the objectives laid down for the Agency in Article 2 of the regulation and the tasks which are conferred on it pursuant to Article 3 thereof are in line with the requirements set out in paragraphs 44 and 45 of the present judgment.
47 To that end, it needs to be determined, first, whether those objectives and tasks are closely linked to the subject-matter of the instruments which are described in Article 1(2) of the regulation as ‘present Community legislation’, and secondly, if the answer is yes, whether those objectives and tasks may be regarded as supporting and providing a framework for the implementation of that legislation.
48 As regards the Framework Directive, referred to in recital 9 in the preamble to the regulation, Article 1(1) thereof states that it seeks to establish a harmonised framework for the regulation of electronic communications services, electronic communications networks and associated facilities and services. It lays down the tasks of national regulatory authorities and establishes a set of procedures to ensure the harmonised application of the regulatory framework throughout the Community.
49 Recital 16 in the preamble to the Framework Directive indicates in that regard that those authorities are to base their actions on a harmonised set of objectives and principles. The latter are stated in Article 8 of that directive, and include, inter alia, a high level of protection of personal data and privacy and the integrity and security of public communications networks (see Article 8(4)(c) and (f) of the Framework Directive).
50 Numerous provisions of the specific directives express the concerns of the Community legislature in relation to network and information security.
51 First, as is apparent from recital 6 in the preamble to the regulation, the Authorisation Directive mentions, in points 7 and 16 of part A of the annex thereto, personal data and privacy protection in the electronic communications sector and security of public networks against unauthorised access.
52 Second, as is apparent from recital 7 in the preamble to the regulation, the Universal Service Directive aims to ensure the integrity and availability of public telephone networks. In that regard, Article 23 of that directive provides that the Member States are to take all necessary steps to ensure those functionalities, in particular in the event of catastrophic network breakdown or in cases of force majeure.
53 Third, as is specified in recital 8 in the preamble to the regulation, the Directive on privacy and electronic communications requires providers of publicly available electronic communications services to take appropriate technical and organisational measures to safeguard security of the services concerned and the confidentiality of the communications and related traffic data. Those requirements are reflected in particular in Articles 4 and 5 of that directive, which concern network security and the confidentiality of communications respectively.
54 Fourth, Article 17 of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (OJ 1995 L 281, p. 31) provides that the Member States are to ensure that the controller implements appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.
55 Fifth, Article 3(4) of the Electronic Signatures Directive provides that appropriate bodies designated by Member States are to determine the conditions relating to the conformity of secure signature creation devices.
56 As regards the tasks conferred on the Agency, those tasks concern the collection of appropriate information with a view to carrying out an analysis of current and emerging risks, in particular those which are likely to have an impact on the resilience of electronic communications networks and on the authenticity, integrity and confidentiality of those communications. The Agency is also called upon to develop ‘common methodologies’ to prevent security issues, contribute to raising awareness, promote exchanges of ‘current best practices’ and ‘methods of alert’ and risk assessment and management activities.
57 The Agency is also entrusted with enhancing cooperation between those involved in the area of network and information security, providing assistance to the Commission and the Member States in their dialogue with industry to address security-related problems in hardware and software products and contributing to Community efforts to cooperate with third States and, where appropriate, with international organisations to promote a common global approach to network and information security issues, thereby contributing to the development of a culture of network and information security.
58 Consequently, the tasks conferred on the Agency under Article 3 of the regulation are closely linked to the objectives pursued by the Framework Directive and the specific directives in the area of network and information security.
59 Accordingly, as stated in paragraph 47 of the present judgment, it needs to be determined whether the tasks of the Agency may be regarded as supporting and providing a framework for the implementation of the Community legislation in the area, that is to say, whether the establishment of the Agency and the objectives and tasks which are assigned to it by the regulation may be regarded as ‘measures for approximation’ within the meaning of Article 95 EC.
60 In the light of the characteristics of the subject-matter, the regulation does not constitute an isolated measure but forms part of a normative context circumscribed by the Framework Directive and the specific directives and directed at completing the internal market in the area of electronic communications.
61 All the elements in the case-file also tend to show that the Community legislature was confronted with an area in which technology is being implemented which is not only complex but also developing rapidly. It concluded from this that it was foreseeable that the transposition and application of the Framework Directive and the specific directives would lead to differences as between the Member States.
62 Accordingly, the Community legislature considered that the establishment of a Community body such as the Agency was an appropriate means of preventing the emergence of disparities likely to create obstacles to the smooth functioning of the internal market in the area.
63 It is stated in recitals 3 and 10 in the preamble to the regulation that the Community legislature considers that, as a result of the technical complexity of networks and information systems, the variety of products and services that are interconnected, and ‘the huge number of private and public actors that bear their own responsibility’, the smooth functioning of the internal market risks being undermined by a heterogeneous application of the technical requirements laid down in the Framework Directive and the specific directives.
64 In that context, the Community legislature was entitled to consider that the opinion of an independent authority providing technical advice at the request of the Commission and the Member States might facilitate the transposition of the directives at issue into the laws of the Member States and the implementation of those directives at national level.
65 Finally, in accordance with Article 27 of the regulation, the Agency is to be established from 14 March 2004 for a period of five years, and under Article 25(1) and (2) of the same regulation the Commission is bound to carry out by 17 March 2007 at the latest an evaluation to assess the impact of the Agency in the light of the objectives and tasks assigned to it, as well as its working practices.
66 It is thus apparent from those two provisions, read together, that the Community legislature considered that before making a decision as to the fate of the Agency it was appropriate to carry out an evaluation of the effectiveness of that Agency and the contribution which it makes to the implementation of the Framework Directive and specific directives.
67 In those circumstances and in the light of all the elements in the case-file, it must be found that the regulation is rightly based on Article 95 EC and the action must, therefore, be dismissed.
68 Under Article 69(2) of the Rules of Procedure, the unsuccessful party is to be ordered to pay the costs if they have been applied for in the successful party’s pleadings. Since the Parliament and the Council applied for the United Kingdom to be ordered to pay the costs and the latter has been unsuccessful, it must be ordered to pay the costs. In accordance with Article 69(4) of those rules, the Republic of Finland and the Commission are to bear their own costs.
On those grounds, the Court (Grand Chamber) hereby:
1. Dismisses the action;
2. Orders the United Kingdom of Great Britain and Northern Ireland to pay the costs;
3. Orders the Republic of Finland and the Commission of the European Communities to bear their own costs.