President European Commission

 

Dear President,

I am writing to seek a solution to this case^[1], which is based on a complaint I received on 30 January 2024. The complainant has been waiting for a reply to his confirmatory application since 30 November 2023.

The complainant requested public access to documents[2] concerning the meetings of the Network and Information Systems (NIS) Cooperation Group established by the NIS Directive[3], namely the meeting agendas and minutes.

The Commission identified 24 documents as falling within the scope of the request, as well as all meeting agendas. It informed the complainant that the meeting agendas are already publicly available on the Commission’s webpage, and refused disclosure of the remaining 24 documents in their entirety, arguing that disclosure would undermine the protection of public security.

My Office opened an inquiry into this complaint and, in light of the ongoing delay, asked the Commission to provide my inquiry team with copies of the documents at issue.

Following the inspection of the documents, my view is that the Commission should have granted wide partial access to the documents.

First, while the EU institutions enjoy a wide margin of discretion when deciding on what the protection of public security calls for in terms of disclosure of documents, they are still required to demonstrate a risk to public security that is reasonably foreseeable and not purely hypothetical.[4] The inspection carried out by my inquiry team suggests that this is not the case. The documents inspected, to a very large extent,[5] do not seem to contain any sensitive content: the minutes are drafted in rather general terms and do not provide any sensitive details about concrete operational work by NIS authorities. Sensitive content or presentations appear to have been shared with members of the NIS Cooperation Group through a secure platform (REDACTED), and the documents contain only inaccessible links to that platform. Any personal data in the documents could be easily redacted.

In addition, a large part of the discussions concern updates from the Member States on their transposition of the first NIS Directive, or positions on the review of the directive, or updates on the transposition of the NIS2 Directive[6]. Given the passage of time, it is difficult to see how these aspects can be considered sensitive, and thus covered by the public security exception.

Second, the complainant argues, in his confirmatory application, that the Commission did not identify all documents falling within the scope of his request. In particular, he contends that the Commission should have identified (and granted access to) the minutes of the 16th, 17th, 27th and 28th meeting, as these meetings appear on the Commission’s website listing the agendas of all NIS Cooperation Group meetings.

Following my inquiry team’s inspection of these four additional documents, I find that the Commission should have indeed identified three of them, and granted wide partial access to them, for the reasons explained above. The minutes of the 28th meeting were finalised after the complainant made his request and therefore fall outside of its scope.

Finally, I note that the Commission, in its initial decision refusing access, argued that Commission Implementing Decision (EU) 2017/179 sets out explicitly that the Group’s discussions shall not be open to the public. However, as pointed out by the complainant, the same Implementing Decision lays down in Article 10(1) that “Requests addressed to the Group for access to the documents concerning its activities shall be handled by the Commission in accordance with Regulation (EC) No 1049/2001.” and in Article 10(3) that “Documents submitted to members of the Group, representatives of third parties and experts shall not be disclosed to the public, unless access is granted to those documents pursuant to paragraph 1 or they are otherwise made public by the Commission.” (emphasis added) As such, I trust that the Commission agrees that it should base its assessment of the complainant’s request for public access on the provisions of Regulation 1049/2001.

In light of the above, I would like to propose the following solution in this case:

The Commission should reconsider its position on the complainant’s request, with a view to granting the widest possible access to the documents, including the three additional documents that were not identified at initial stage.[7]

I would be grateful to receive your reply to my proposal within three months, that is by 21 June 2024.

At this stage, the solution proposal and its accompanying annex are confidential. My inquiry team has, however, informed the complainant of my intention to seek a solution in this case.^[8] Please note that our usual practice is to send a copy of the solution proposal to the complainant for comments, together with a copy of the institution’s reply to it, once we have received that reply. I would therefore ask the Commission to inform us if any information contained in the solution proposal, or in its reply, should not be shared with the complainant.^[9] In addition, since the complaint is in French, I would be grateful if the Commission could prepare its reply in French.

Yours sincerely,

Emily O'Reilly
European Ombudsman

Strasbourg, 21/03/2024

 

[1] In accordance with Article 2(10) of the Statute of the European Ombudsman (Regulation 2021/1163 of 24 June 2021 laying down the regulations and general conditions governing the performance of the Ombudsman’s duties) available at: https://www.ombudsman.europa.eu/en/legal-basis/statute/en.

[2] Under the rules set out in Regulation (EC) No 1049/2001 of the European Parliament and of the Council of 30 May 2001 regarding public access to European Parliament, Council and Commission documents, available at: https://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX%3A32001R1049

[3] Article 11 of Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union, available at: https://eur-lex.europa.eu/eli/dir/2016/1148/oj

[4] See judgment of the Court of Justice of 3 July 2014 in case C-350/12 P, Council v in 't Veld, paragraphs 52 and 64, available at: https://curia.europa.eu/juris/liste.jsf?num=C-350/12

[5] My inquiry team did, however, identify several documents in which certain discussion points could reveal operational details. They relate among others to the war in Ukraine, the way Member States apply sanctions and penalties, activities by specific third countries, scenarios concerning large-scale attacks on the energy sector or Member States’ presentations about recent major cyber-attacks (documents 9, 13, 17, 20 and 21).

[6] Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148, available at: https://eur-lex.europa.eu/eli/dir/2022/2555/oj

[7] The minutes of the 16th, 17th and 27th meetings of the NIS Cooperation Group.

[8] In line with Article 2(10) of the Statute of the Ombudsman.

[9] If you wish to submit documents or information that you consider to be confidential, and which should not be disclosed to the complainant, please mark them ‚Confidential‘. Encrypted emails can be sent to our dedicated mailbox. Information and documents of this kind will be deleted from the European Ombudsman’s files shortly after the inquiry has ended.