Background to the complaint

1. The Network and Information Systems Cooperation Group (‘NIS Cooperation Group’) was established[1] to ensure cooperation and information exchange among Member States on cybersecurity. The NIS Cooperation Group is composed of representatives of the EU Member States, the European Commission and the EU Agency for Cybersecurity (ENISA). Amongst other activities, the NIS Cooperation Group draws up non-binding guidelines to Members States to address cybersecurity policy issues, such as threats to electoral processes, 5G network security or ‘top-level domain name registries’.[2]

2. In July 2023, the complainant asked the Commission to grant public access to documents[3] concerning the meetings of the NIS Cooperation Group, namely all meeting agendas and minutes. He also requested public access to guidelines and guidance notes prepared by the Commission in accordance with the applicable rules.[4]

3. In its initial reply dated 28 September 2023, the Commission explained that all meeting agendas of the NIS Cooperation Group are published online.[5] It identified 24 documents relating to the minutes of each NIS Cooperation Group meeting since 2017, and refused access to the documents in their entirety. In doing so, it invoked an exception under the EU legislation on public access to documents, arguing that their disclosure would undermine the protection of the public interest as regards public security.[6] It also informed the complainant that it had not identified any document related to “guidelines or guidance notes”.

4. In October 2023, the complainant asked the Commission to review its decision (by making a ‘confirmatory application’), arguing that the documents could not reasonably be covered fully by the ‘public security’ exception. In his view, the minutes of the meetings related to the internal rules of the NIS Cooperation Group or its work programme should have been disclosed. The same applied to any information concerning exchanges of good practice, as they would likely describe digital security issues that are common knowledge. In addition, as some minutes are more than five years old, he argued that the passage of time had likely removed the risks of disclosing their contents. He also argued that the Commission should have identified more meeting minutes.

5. The Commission acknowledged receipt of the confirmatory application and said it would reply within the applicable time limits, before 30 November 2023. After having sent two reminders, to which the Commission failed to reply, the complainant turned to the Ombudsman in January 2024.

The inquiry

6. The Ombudsman opened an inquiry into the Commission’s failure to reply to the confirmatory application submitted by the complainant.

7. In view of the persisting delay, the Ombudsman inquiry team inspected the documents at issue.[7] Following a review of the documents, the Ombudsman made a proposal for a solution that the Commission grant the widest possible access to the documents.

8. On 20 August 2024, that is after a significant delay of almost one year, the Commission replied to the confirmatory application and, two months later, to the Ombudsman’s proposal for a solution. The Ombudsman gave the complainant an opportunity to provide comments on the Commission’s reply, but did not receive any.

The Ombudsman’s proposal for a solution

9. Following the inspection of the documents by the inquiry team, the Ombudsman took the view that the Commission should have granted partial access to the documents, and made a proposal for a solution to this end in March 2024.

10. The Ombudsman considered that the documents at issue, to a large extent, do not contain sensitive information that, if disclosed, could constitute a reasonably foreseeable (and not purely hypothetical) risk to public security.[8] Most of the minutes are drafted in general terms and do not provide sensitive details about concrete operational work of the relevant national authorities specialised in cybersecurity. In addition, a large part of the minutes cover updates from the Member States on how they have transposed the two relevant EU directives.[9] These parts do not appear to be covered by the public security exception given the passage of time. Finally, the Ombudsman suggested that three additional documents[10] should have been identified.

11. The Ombudsman noted that, in its initial decision refusing access, the Commission had relied on internal rules[11] setting out explicitly that the discussions of the NIS Cooperation Group should not be open to the public. She stated that the Commission should base its assessment of the complainant’s request for public access on the provisions of Regulation 1049/2001.

12. The Ombudsman proposed the following solution:

The Commission should reconsider its position on the complainant’s request, with a view to granting the widest possible access to the documents, including the three additional documents that were not identified at initial stage.[12]

13. Following the Ombudsman’s solution proposal, in August 2024, the Commission replied to the complainant’s confirmatory application. The Commission granted access to parts of 27 documents: the 24 meeting minutes identified at initial stage and the three additional minutes mentioned in the Ombudsman’s proposal for a solution.

14. The Commission refused to disclose certain parts of the documents on the grounds that their disclosure would undermine the protection of the public interest as regards public security. It argued that the documents contain detailed and sensitive information about cybersecurity, including security measures adopted in response to specific crises and exchanges between cybersecurity authorities about potential risks and threats. For the Commission, disclosing this information would undermine the EU’s public security because it would provide the public, including malevolent groups, with useful information about cybersecurity and would thus weaken the Member States’ preparedness. The Commission also redacted certain parts of the documents because, even though the information might appear harmless at first sight, it could provide valuable insights to potential cybercriminals.

15. The Commission also redacted some personal data of Commission staff members and members of other authorities. In addition, the Commission informed the complainant that the Commission guidelines on the NIS Directive (which the complainant requested in his initial request) are publicly available on its website.^[13]

16. Following a delay, the Commission adopted its reply to the Ombudsman’s proposal for a solution in October 2024.[14] The Commission considered that it had fulfilled the Ombudsman’s proposal by granting the widest possible access to the documents concerned, taking into account the risks for public security that wider disclosure would create, as explained in detail in the confirmatory decision.

17. The Commission disagreed with the Ombudsman’s views, made in the proposal for a solution, that most of the documents do not seem to contain any sensitive content. As explained in the confirmatory decision, parts of the documents contain opinions and views of Member States on current and future actions and discussions at national and cross-border level. They also contain information on incidents and other actions taking place in the Member States. They reflect discussions on cybersecurity on specific related issues, such as the 2019 European elections, the implementation of Commission recommendations, the state of play and updates of different actions, including the implementation of the group’s recommendations, work concerning the Computer Security Incident Response Teams (CSIRT) network and the EU Cybersecurity Strategy.[15]

18. The Commission took the view that public disclosure of these parts of the documents would undermine the protection of public security as it would provide the wider public, including malicious individuals or groups, with relevant information on the fight against cyberattacks. The Commission considered that this would make Member States and Europe vulnerable to security incidents and threats.

19. The Commission insisted that its internal rules[16] set out that the group’s discussions should not be open to the public. The Commission took the view that, in the assessment of the request for public access under Regulation 1049/2001, it could not ignore the sensitive character of the activities reflected in the documents and the purposes of cooperation in the field.

20. The overall mission of the NIS Cooperation Group, as set out in the NIS Directive, is to support strategic cooperation and exchange of information, and to enhance trust between Member States. As cybersecurity cannot be achieved without the cooperation of Member States’ authorities, the Commission considered that the disclosure of the discussions reproduced in the requested documents would jeopardise trust and cooperation in the field of cybersecurity. The fact that some documents date from 2017 does not change the level of risk if the documents were disclosed, as they are closely linked to the current discussions.

21. In addition, the Commission disagreed with the Ombudsman’s view that the parts in the documents related to updates concerning the transposition of the NIS and NIS2 directives are not sensitive. The Commission argued that the transposition of the NIS2 directive is still ongoing. Additionally, while the transposition of the NIS directive has been finalised, the discussions summarised in the minutes concern the various actions taken by the Member States in that regard, including options that have not been adopted. Disclosing these parts of the documents would have a negative impact on public security as regards the actions taken at national level. The passage of time does not change the level of the risk since the actions described are still relevant for the fight against cybercrime.

The Ombudsman's assessment after the proposal for a solution

22. The EU institutions enjoy a wide margin of discretion when determining whether disclosing a document would undermine the protection of the public interest as regards public security. However, they are still required to demonstrate a ‘specific and actual risk’ that is reasonably foreseeable and not purely hypothetical.[17]

23. The Commission has now given partial access to the documents at issue, which the Ombudsman welcomes. The Ombudsman also welcomes the reasoning provided by the Commission as regards the remaining redactions.

24. Based on the explanations provided, the Ombudsman considers that it was not manifestly wrong for the Commission to argue that certain discussions on specific cybersecurity-related issues, such as the 2019 European elections or cyber-preparedness exercises (CyCLONe and Blue OLEx), contain sensitive elements that could undermine public security. In addition, the redactions of personal data appear reasonable, and the complainant has not challenged them.

25. That said, the Ombudsman notes that the Commission refused access to entire sections concerning summaries of discussions among members of the NIS Cooperation Group about ongoing work.

26. The inspection carried out demonstrated that the summaries are drafted in a general way, describing the main challenges and opportunities of a topic or possible convergences. It is difficult for the Ombudsman to understand how such general summaries could undermine public security if disclosed. It is therefore difficult to see how and why there would be a specific and actual risk for public security were these parts of the documents to be disclosed.

27. The Commission contended that these parts of the documents could provide valuable information to potential cybercriminals if disclosed. However, this explanation is at odds with the fact that some of the redacted parts contain information that is already publicly available.

28. The Ombudsman thus considers that the Commission could have better reasoned some of the redactions, in particular those covering the general summaries of the NIS Cooperation Group’s discussions. However, given that the Commission has now granted partial access to the meeting minutes, and the complainant has not provided further comments on the Commission’s reply, the Ombudsman considers that further inquiries into this matter are not justified.

29. The Ombudsman notes that, in the initial decision refusing access, the Commission relied on internal rules[18] in order to refuse access to the documents in their entirety. In reply to the Ombudsman’s proposal for a solution, the Commission explained that it based its assessment of the request for public access on Regulation 1049/2001, but that it could not ignore the sensitive character of the discussions of the NIS Cooperation Group, maintaining that the internal rules set out that the discussions shall not be open to the public. The Ombudsman is satisfied that, in this case, the Commission’s assessment was in line with the provisions of Regulation 1049/2001 and that the Commission accepts that the internal rules applied in this case in no way can be interpreted as an indirect presumption of non-disclosure, or even reason to refuse public access. Thus, the Ombudsman welcomes the Commission clarification that public access requests to documents concerning the meetings of the NIS Cooperation Group should be based only on the provisions contained in Regulation 1049/2001.[19]

30. The Ombudsman is concerned about the serious delay in replying to the complainant’s access request in this case. According to Regulation 1049/2001, an EU institution should, within 15 working days from registration of the confirmatory application, either grant access to the document requested or, in a written reply, state the reasons for the total or partial refusal. The time limit of 15 working days may be extended by a further 15 working days in exceptional circumstances.[20]

31. In this case, the Commission took almost eleven months to take a decision on the complainant’s confirmatory application.

32. The Ombudsman has already urged the Commission to address the systemic delays in this area and to respect the time limits in Regulation 1049/2001.[21]

33. The Ombudsman regrets the significant delay incurred by the Commission in replying to the complainant’s request, and again urges the Commission to deal with the issue of delays in this area.

Conclusions

Based on the inquiry, the Ombudsman closes this case with the following conclusions:

As the Commission has now granted wider access to the documents at issue, the Ombudsman considers that the solution proposal has been partially accepted, and closes the case.

The Ombudsman regrets the significant delay incurred by the Commission in replying to the complainant’s request. A clear failure to comply with the time limits established by the legislature in Regulation 1049/2001 cannot be good administration.

The complainant and the Commission will be informed of this decision.

Teresa Anjinho
European Ombudsman

Strasbourg, 14/04/2025

 

[1] The group was established on the basis of Directive (EU) 2016/1148 concerning measures for a high common level of security of network and information systems across the Union (NIS Directive), available at: https://eur-lex.europa.eu/eli/dir/2016/1148/oj/eng .

[2] More information available at: https://digital-strategy.ec.europa.eu/en/policies/nis-cooperation-group

[3] Under the rules set out in Regulation (EC) No 1049/2001 of the European Parliament and of the Council of 30 May 2001 regarding public access to European Parliament, Council and Commission documents, available at: https://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX%3A32001R1049

[4] Recitals 20 and 21 as well as Article 4 of the NIS2 Directive, available at: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32022L2555

[5] See https://digital-strategy.ec.europa.eu/en/library/nis-cooperation-group-meetings-agendas

[6] Article 4(1)(a), first indent of Regulation 1049/2001.

[7] The scope of the Ombudsman’s inquiry covered the meeting minutes only, as the complainant had not challenged the Commission’s handling of the other aspects of his initial request (which concerned the meeting agendas and the guidelines and guidance notes).

[8] See judgment of the Court of Justice of 3 July 2014 in case C-350/12 P, Council v in 't Veld, paragraphs 52 and 64, available at: https://curia.europa.eu/juris/liste.jsf?num=C-350/12

[9] Directive (EU) 2016/1148 and Directive (EU) 2018/1972, respectively NIS and NIS2 directives, see footnotes 1 and 4.

[10] The minutes of the 16th, 17th, and 27th meeting of the NIS Cooperation Group, as these meetings appear on the Commission’s website listing the agendas of all NIS Cooperation Group meetings but were not identified by the Commission in its initial reply to the complainant.

[11] Commission Implementing Decision (EU) 2017/179 of 1 February 2017 laying down procedural arrangements necessary for the functioning of the Cooperation Group pursuant to Article 11(5) of the Directive (EU) 2016/1148 of the European Parliament and of the Council concerning measures for a high common level of security of network and information systems across the Union, available at https://eur-lex.europa.eu/eli/dec_impl/2017/179/oj/eng

[12] The full text of the Ombudsman’s proposal for a solution is available at: https://www.ombudsman.europa.eu/solution/200856

[13] https://digital-strategy.ec.europa.eu/en/library/commission-guidelines-application-article-34-directive-eu-20222555-nis-2-directive and https://digital-strategy.ec.europa.eu/en/library/commission-guidelines-application-article-4-1-and-2-directive-eu-20222555-nis-2-directive

[14] The Commission’s reply is available at: https://www.ombudsman.europa.eu/doc/correspondence/200857

[15] https://digital-strategy.ec.europa.eu/en/policies/cybersecurity

[16] Article 10 of the Commission Implementing Decision (EU) 2017/179 (see footnote 11).

[17] Judgment of the General Court of 27 November 2019, Izuzquiza and Semsrott v Frontex, case T-31/18, paragraphs 65-66: https://curia.europa.eu/juris/liste.jsf?num=T-31/18.

[18] Commission Implementing Decision (EU) 2017/179 (see footnote 11).

[19] In its Pollinis ruling, the General Court clarified that internal rules of procedure adopted by the Commission for specific committees do not prevail over Regulation 1049/2001 on public access to EU documents, which means that these internal rules cannot generally preclude disclosure of the individual positions of Member States expressed during comitology discussions. See the Judgment of the General Court of 14 September 2022, Pollinis France v European Commission, Joined Cases T‑371/20 and T‑554/20, paragraph 96, available at: https://curia.europa.eu/juris/liste.jsf?language=en&td=ALL&num=T-371/20

[20] Article 8 of Regulation 1049/2001.

[21] Recommendation on the time the European Commission takes to deal with requests for public access to documents (strategic inquiry OI/2/2022/OAM), available at: https://www.ombudsman.europa.eu/en/recommendation/en/167661.