This study, commissioned by ENISA and written by RAND Europe and time.lex, examines the legal and regulatory aspects of information sharing and cross-border collaboration of national/governmental CERTs in Europe.
As noted in ENISA's press release on the study, "The report analyses what effects these aspects have on cross border information sharing between CERTs. The conclusion is that there exists a delicate balance of investigating, managing and mitigating computer incidents, whilst respecting rights and obligations provided for by certain legal and regulatory frameworks, including data protection and privacy provisions.
"CERTs are crucial in cross border co-ordination of computer incidents and in order to perform their important role they need to exchange information. Cross border information exchange requires complex legal factors to be considered. CERTs in different countries have differing legal grounds to request from and transmit information to other teams. Furthermore, the information exchanged might be personal data and therefore subject to specific privacy provisions. In addition, CERTs, including national/governmental CERTs, have varying mandates. The study identifies these legal and regulatory factors, and performs an assessment of what effects they have on cross-border information sharing between CERTs. Among others, one of the findings of this study is that, in practice, data protection, data retention, and obligations to work with law enforcement are the greatest challenges for cross-border CERT co-operation."
Time.lex would like to thank both ENISA and RAND Europe for a very successful collaboration during this study.
The study can be freely downloaded here (PDF, 1.27MB).