Collaborative Governance, Trust Building and

(1)

Collaborative Governance, Trust Building and

Community Development

Editors:

Cristina HIN̎EA Bianca RADU Raluca SUCIU

Conference Proceedings

‘Transylvanian International Conference in Public Administration’, October 24-26, 2019, Cluj-Napoca, Romania

(2)

(3)

(4)

Collaborative Governance, Trust Building and

Community Development

Editors:

Cristina HINȚEA Bianca RADU Raluca SUCIU

Conference Proceedings

‘Transylvanian International Conference in Public Administration’, October 24-26, 2019, Cluj-Napoca, Romania

(5)

ISBN 978-606-561-211-2

www.accentpublisher.ro Descrierea CIP a Bibliotecii Naţionale a României

Collaborative governance, trust building and community development : conference proceedings „Transylvanian international conference in public administration”, October 24-26, 2019, Cluj-Napoca, Romania / editors: Cristina Maria Hinţea, Bianca Veronica Radu, Raluca Maria Suciu. - Cluj-Napoca : Accent, 2020

Conţine bibliografie ISBN 978-606-561-211-2 I. Hinţea, Cristina (ed.) II. Radu, Bianca Veronica (ed.) III. Suciu, Raluca-Maria (ed.) 351

(6)

Foreword

Public Administration and Management Department (PAMD) at Babeș-Bolyai University, Romania, has been since its establishment in the mid-1990s at the fore- front of the movement to reinstate and redevelop higher education programs and research in public administration in Central and Eastern Europe (CEE). In most of the CEE countries, public administration education during the communist regimes was done by party schools and was clearly subordinated to political influences and political doctrine. After the collapse of the communist regime in Romania, PAMD, with the support of Western European and American partner universities, has been instrumental in the development of an interdisciplinary curriculum for public administration programs and for supporting empirical research as an important com- ponent of their mission. PAMD at Babes Bolyai-University is currently recognized at both national and international level as a leading teaching, research, and training entity in public administration. For two consecutive years, 2018 and 2019, DAMP was ranked in the quartile 150-200 in the Shanghai academic ranking, surpassing many other similar PA programs from other countries in the CEE region.

Cluj-Napoca, the city which houses Babes-Bolyai University, is currently expe- riencing tremendous economic and social growth. Universities are a key engine for the growth of the city, together with the IT sector and creative industries. Cluj is currently regarded at both national and regional level as a positive example of ur- ban growth which is the result of cooperation among the city, on the one hand, and other relevant stakeholders, on the other hand. The city is praised for implementing participatory mechanisms which allow citizens and interest groups to have a say- ing in how the city develops and in how decides its strategy for the years to come.

DAMP has provided pro-bono consultancy for the city regarding the drafting of local master plans and sectorial comprehensive plans since mid-2000s. Current- ly, PAMD is deeply involved in conducting different analyses and studies for the city and its metropolitan area regarding quality of life and moreover factors which make the city of Cluj-Napoca more resilient and sustainable in how it develops compared to other cities.

Due to its leading role in the CEE region in the area of public administration higher education, PAMD organizes dissemination and networking events for PA scholars and practitioners. One important tool for bringing together academics, re-

(11)

searchers, and practitioners in public administration is the Transylvanian Interna- tional Conference in Public Administration, held annually in Cluj-Napoca, Romania, in the months of October or November. The conference allows PAMD to use the city of Cluj-Napoca as a living lab for illustrating different practical implications of relevant scientific topics and paradigms. This is why, the conference is organized in partnership with the City Hall of Cluj-Napoca and the mayor of the city usually offers in his welcoming message the municipality’s vision on the topic of the conference.

In 2019, the Transylvanian International Conference in Public Administration took place from 24 to 26 October. This event was envisioned to bring together academics, researchers and practitioners in the field of public administration from all over the world and to create the framework in which they can exchange ideas, disseminate best practices and develop networking opportunities for future teaching, research, and capacity building projects.

The overarching topic for 2019 is collaborative governance, trust building and community development. Increasingly, governments and public sector organiza- tions at all levels are no longer the sole actors involved in shaping the future of their communities. The paradigm of governance has implied a transition to multi-actor networks which function based on collaboration/partnerships. These networks are constantly reshaped through the action of their members as well as under the influence of contextual factors. Success or failure of such networks often depends on complex issues such as building trust among partners and developing a culture for shared visions. The conference is designed as a venue for identifying how partners belonging to different sectors can cooperate better and to share success stories of communities that managed to improve service delivery, to increase cooperation among sectors, and to empower their citizens through meaningful participation to decision-making processes.

An impressive body of renowned academics and practitioners took part in the conference. Their expertise in shaping policies and enhancing the quality of governance both in their home countries and worldwide is significant.

As part of this conference several separate workshops were held. One workshop was addressed to PhDs and young researchers. The workshop on PA journals and research included a roundtable discussion on cooperation between two PA journals – Teaching Public Administration (Sage) and Transylvanian Review of Adminis- trative Sciences, produced by the Department of Public Administration and Man- agement at Babeș-Bolyai University. More broadly, challenges and opportunities pertaining to research and teaching in PA were discussed and how different EU and American universities can cooperate in this field. The panel on Japan-Romania cooperation: Japanese business and academic presence in Romania. Future developments looked at linkages and cooperation strategies among universities, businesses, and public authorities from Japan and Romania.

(12)

The present book includes a selection of the papers presented in all sections of the conference. The intention of the conference organizers is to disseminate the materials discussed during the conference and to generate scientific debates beyond the two days event. Papers presented by the PhD students are included, as an opportunity given to young researchers to publish the results of their work, even if it is still work in progress.

Our hope is to be able to increase the visibility and reputation of international conferences organized by universities/departments. While we acknowledge that big and well known conferences such as EGPA (European Group in Public Adminis- tration) and NISPAcee (Network of Institutes and Schools in public Administration from Central and Eastern Europe) play an important role, smaller conferences are also crucial for not only their scientific value but also for providing venues for interaction between academia and practice, between practice and PhD students, and among a variety of scholars who call public administration their area of interest. The book is a natural extension of the conference and serves similar purposes. Moreover, PAMD has significant experience in publication of scientific papers. The Depart- ment publishes independently a prestigious journal in PA, namely, Transylvanian Review of Administrative Sciences, a publication indexed by Thompson Reuters in Web of Science since 2008.

We would like to thank all conference participants for attending Transylvanian International Conference in Public Administration, 2019 edition, and for their contri- bution to this book.

Local conference organizers Cluj-Napoca,

4^th of August, 2020

(13)

(14)

THE NIS DIRECTIVE AND THE SMART CITY Domenica BAGNATO

Domenica BAGNATO

Managing Director, Hierodiction Software GmbH, Austria E-mail: domenica.bagnato@hierodiction.com

Abstract

This contribution attempts to apply the EU NIS Directive (EU 2016/1148) and the corresponding EU cyber-security strategy to the smart city. It will present the NIS framework and show in how far it aids in meeting its cyber-security challenges – but also where its limits lie for it has to be supplemented by national or even sectorial, frameworks. The paper also provides concrete suggestions for developing the directive further.

Keywords: NIS Directive, cyber-security, smart city, European Union, cyberattack.

(15)

1. Smart cities – a bright new future with some things to heed

The Internet has forced nations to look well beyond themselves in an effort to protect their critical infrastructure, as the internet knows no boundaries and a cyberattack can occur from anywhere in the world destroying infrastructure and crip- pling nations. Member States have been relying on each other for the supply of goods or services long before the internet, but it is the nature of the internet open cyberspace that has in effect caused Member States to unify their interests, taking national security to a new level. National security now means working with Member States as never before to find common ground and solutions for defense that go well beyond territorial space. This is the framework in which the NIS Directive came into being and this paper attempts to put it in the context of the smart cities concept.

There are a number of definitions of the ‘Smart City’ (see Smart Cities Coun- cil, undated) that provide a good overview. The technical essence arguably is:

(i) the combination of connected sensors (and to a lesser extent actuators)¹, (ii) in- terconnected applications including internet – and app-based service delivery to citizens, and (iii) business analytics, the latter being increasingly augmented by the combination of in-memory computing (Prosser, 2018) and artificial intelligence.

In-memory provides the capability to quickly search terabyte quantities of individual transactional data (not just aggregates as in a data warehouse, see Prosser (2014) for numerical considerations), and at the same time run algorithms of artificial intelligence over this data².

2. The NIS Directive

On the July 6, 2016, the European Parliament passed Directive (EU) 2016/1148, commonly known as the ‘Network and Information Systems’ Directive (NIS Direc- tive)³. The NIS Directive formulates a defense strategy to combat and respond to cyberattacks that would endanger the critical infrastructure of Member States. At the heart of the problem is not just that critical infrastructure can be tampered, but that there is no way to make cybercriminals responsible for their actions without the cooperation of Member States. If criminals cannot be made responsible for their actions⁴, then nothing can be done about the crimes they commit, leaving nations open to be abused and exploited.

1 Also referred to as the Internet of Things (Holdowsky et al., 2015), whereby hitherto closed infrastructures are opened up (Ross, 2017).

2 For a relevant commercial application example see SAP Leonardo (SAP, undated).

3 See Directive (EU) 2016/1148 of the European Parliament and of the Council. In this paper, article, annex or recital references without further indication refer to this directive.

4 This notion is most clearly addressed in the UK’s national cyber security strategy (UK Government, undated).

(16)

We should also be aware that cyber security is no longer merely a national task.

Technology, including the internet, has made the trade of goods and services seam- less across borders and, hence, the supply of goods and services in all its forms need not be limited by its physical location. This has also caused Member States to reflect upon their dependency on other Member States in this regard⁵.

The NIS Directive also asks that Member States consult with the European Union Agency for Network and Information Security (ENISA) in relation to cyber issues in order to force Member States to inform themselves of the standard expected for cyber-security and -management, so there is no mistake as to the minimum obliga- tory requirements (Articles 36 and 4).

The directive distinguishes between ‘operators of essential services’ (OES) and

‘digital service providers’ (DSP). Article 5 gives the criteria for defining OES with Annex II listing them (in pursuance of Article 4.4, essentially as (i) electricity and energy, (ii) transport⁶, (iii) banking, (iv) healthcare providers, (v) drinking water supply, and (vi) ‘digital infrastructure’. The last point however does not include Internet Service Providers, but only (some) of its core functions (cf. Annex II.7)⁷, namely:

– IXPs, that is nodes to ‘interconnect networks’ (Recital 18) of ‘autonomous systems’ (Article 4.13)⁸;

– Domain Name System (DNS) services; and – Top-level-domain (TLD) name registries.

Then, there are Digital Service Providers (DSPs), for whom less stringent requirements apply (see below). These services are outlined in Annex III as: (i) online marketplaces, (ii) search engines, and (iii) cloud computing. Whereas the first two are clearly defined terms, ‘cloud’,however, appears to be a rather nebulous term and is used for a number of technical arrangements⁹. A more stringent technical terminology is recommended.

The NIS Directive fails to mention Internet Service Providers (ISP) in the list of digital infrastructures in Annex II. Internet Exchange Points (IXP) are only the junction between ‘autonomous systems’ (Article 4.13); however, the autonomous

5 This includes inter-twined infrastructures such as the electricity grids or transnational logistic chains for fuels; these interdependencies are explicitly recognised in Recital 3.

6 In the context of road transport, however, only road authorities and operators of ‘intelligent transport systems’ (Annex II.2.d).

7 Another notable omission refers to trust service providers (Recital 7).

8 ‘Internet exchange point (IXP)’ means a network facility which enables the interconnection of more than two independent autonomous systems, primarily for the purpose of facilitating the exchange of internet traffic; an IXP provides interconnection only for autonomous systems’.

9 The National Institute of Standards and Technology (NIST) defines the evolving paradigm of the

‘cloud services’ (National Institute of Standards and Technology, 2001).

(17)

system itself is not included, neither as an OES nor as DSP. ‘Autonomous system (AS)’ is a clearly defined terminus technicus in the Internet world as:

‘[...] a set of routers under a single technical administration, using an interior gateway protocol (IGP) and common metrics to determine how to route pack- ets within the AS, and using an inter-AS routing protocol to determine how to route packets to other ASes.’ (RFC 4271)

The above definition corresponds to the function of an ISP. Internet Assigned Numbers Authority (IANA) also assigns AS numbers to regional internet registries, a decentralized process that ultimately ends up at the individual service providers¹⁰. The directive hence only includes the IXP between ISPs, not the ISPs (‘autonomous systems’) themselves. In regards to ‘undertakings providing public communication networks or publicly available electronic communication services’, Recital 7 refers to Directive 2002/21/EC, which applies to a large number of audio-visual networks including TV and radio. This directive mainly deals with fair market conditions, frequency allocation and other regulatory requirements. The only reference to network security is given in Article 8.4 (f) whereby national regulators are obliged to ensure ‘that the integrity and security of public communications networks are maintained’ (Directive 2002/21/EC of the European Parliament and of the Council).

This glaring omission is neither understandable nor reproducible. It plainly does not make any sense. Considering the importance of DSP availability for the Annex II services, we would argue to include ISPs in the list of services in Annex II in future editions of the Directive (cf. the review clause in Article 23.2).

It should also be noted that there are other inter-dependencies between the OES in Annex II:

– Electricity and water, both for drinking and hygienic purposes, are inter-twined:

in most cases, the water supply depends on the availability of electricity be- cause pumps are needed to produce the necessary pressure in the pipes to de- liver the water (Petermann et al., 2011, pp. 14, 125). There are only a few excep- tions, for instance in Alpine areas (e.g., Vienna), where the water supply works with the natural pressure of communicating vessels (City of Vienna, undated).

– Another example would be banking (and thereby the ability to obtain cash) and electricity (Sweden, undated). In this context, a cash-less society would pose enormous risks in the case of a blackout. In this context, the Swedish decision to move to a cash-less society should seriously be reconsidered.

The NIS Directive recognizes the importance of a coordinated approach (as em- bodied by ENISA), but it does not in the least disregard the responsibility of the

10 Internet Assigned Numbers Authority (undated); for a list of Austrian Autonomous System Num- bers assigned to Internet Service Providers see IPinfo (undated).

(18)

Member States:

– In the first place, this concerns national security (Article 4.3) which also has to be seen in the context of the Treaty of the European Union (TEU), Article 4.2:

‘In particular, national security remains the sole responsibility of each Member State’.

– Even beyond that, Article 3 of the NIS Directive determines a ‘minimum har- monization’ in that Member States may implement measures beyond the minimum level required by the directive.

– The entire Chapter II of the directive finally outlines the national responsibility of the Member States.

3. National strategies 3.1. General considerations

The Directive calls for national initiatives (Article 7.1) most importantly in regards to:

– The establishment of a national strategy for network and information system security, a risk assessment and a governance framework for achieving it;

– Measures for preparedness and response; and

– Education and awareness-raising measures and pertinent research activities.

The key organizational element in this context is the establishment of computer security incident response teams (CSIRT, cf. Article 9). Annex I details their tasks, most importantly:

– Incident monitoring on a national level;

– Alerts and early warning, situational awareness;

– Incident response; and

– Cooperation with the private sector, other CSIRT (cf. Article 12) as well as ENISA and the Commission (Article 11).

In this context, ‘situational awareness’ and ‘incident response’ appear to be the key elements in any real-world cyber-defense, whereby the former is the key pre- requisite of the latter. From a practical point of view this imposes the following practical requirements:

– Establish smooth working conditions between entities covered by the CSIRT and the CSIRT to ensure a timely flow of information in both directions; this includes non-disruptable channels of communication between CSIRT and the entities;

– A sufficient number of highly qualified personnel to provide the situational awareness, to identify threat patterns early on, to devise effective counter measures and to coordinate and guide entities to limit damage and ultimately re- solve the security issue;

(19)

– Forensic activities to support law enforcement in tracking down the source of the disruption; and

– Design and disseminate preventive measures.

The key element here is ‘sufficient number of highly qualified personnel’. We argue that this is the key factor between a CSIRT that monitors, advises and co- ordinates and a CSIRT that provides effective incident response as required in the directive.

3.2. Austria

There are seven CSIRTs listed in the ENISA directory for Austria (European Union Agency for Cybersecurity, undated): A national CSIRT (cert.at), two for financial institutions, the Austrian energy CSIRT, one ISP and two government CSIRTs (federal and general public administration and one for Vienna). cert.at also lists seven additional CERT (computer emergency response teams (Online Sicher- heit, undated)) that are however not registered with ENISA. They cover diverse areas, such as social security, telecom companies or the Vienna transport system (in addition to the Vienna administration CERT). Two observations can be made:

– The approach is fragmented and not systematically structured; and – It may be doubtful if the institutions are sufficiently staffed.

The staff directory of cert.at, the national CSIRT, lists seven team members (Austrian National CERT, undated), which is barely sufficient to provide a 24x7 shift service. This is certainly sufficient for observation, education and information dissemination activities, but not even remotely sufficient for incidence response in the case of a severe attack on the national infrastructure. It remains to be seen whether the situation is substantially different in other Member States.

3.3. The way forward 3.3.1. The NIS Directive

The first step appears to be to include ISPs as OES. Not only are ISP services essential in themselves, they are integral part of a number of OES already listed in Annex II, such as financial services, electricity or transportation.

Another point concerns the liability of OES. The NIS Directive neglects to address the issue of liability to the extent that it would ensure that OES are protected (cf. Recital 50). Liability is a decisive factor in ensuring that the best quality of goods and services are supplied to the OES and liability should be proportional to the impact that a disruption of an Essential Service (ES) would cause. In this way, private industry is forced to take responsibility for what it produces and to whom it supplies what it produces.

(20)

3.3.2. Security-sensitive solutions

Standardization means accessibility to technology giving cybercriminals opportunities to study the technology for security leaks. In this way variation and a move away from standard industry software is an advantage¹¹, even if the technology may be less sophisticated.On the other hand, it is important to distinguish between the latest advancements technologically and that which is proven to be stable and secure yet may lack convenient functionality¹².

3.3.3. Soft factors

There is no such thing as a secure information system, however, security is not only defined by ‘hard’ technological factors. There are at least three other elements:

(i) education of users, (ii) proactive measures preventing cyber-crime, and (iii) edu- cating cyber experts to fill the ranks needed.

It should become mandatory and a matter-of-fact to teach new (and also ex- isting) employees cyber-security basics. An example may be the hacking of the email server of the Democratic Party in 2016, which reportedly originated from a spear-phishing attack on John Podesta, Ms. Clinton’s campaign manager (Murnane, 2016). Cyber-security training for everybody should become corporate standard.

Among the proactive measures, the most important seems to be a respectful and appreciative work climate. The worst cyber attacker is a disenfranchised, disgrun- tled or even genuinely maltreated employee who then constitutes a security risk (Izuakor, 2019). Proactive measures should be taken to create a positive workplace climate to avoid these developments.

The NIS Directive calls for CSIRTs to be established. However, these response teams need to be properly staffed, which requires a trained workforce (cf. also Annex I). University but also sub-university level educational institutions should be called upon to produce this skilled workforce.

11 There are, for instance, Linux derivatives specifically geared to non-standard security-sensitive applications, such as enGardeLinux (undated). Running security-sensitive applications on general-purpose (and possibly even outdated) software is not an advisable approach, yet it happens in some rather astonishing contexts (Boyle and Farmer, 2017).

12 A technical example may be X-terminals instead of personal computers. X-terminals are display/

entry-only devices without any local software installed. The entire application is run on a server, which is then calibrated accordingly. There is no opportunity to attach local devices, such as USB sticks, and in most cases, the minimal local software (mainly graphics drivers) is installed on ROM (Linux, undated) and hence cannot be altered. Since all user interaction is processed at the server, there is a complete log on every user activity including online checks monitoring user activity on a real-time basis.

(21)

3.3.4. Criminal law

The NIS Directive takes a defensive standpoint, and although we do need to look at the problem from this perspective, very little has been done to tackle the problem from an offensive standpoint, except to adopt measures that deter possible cybercrime as in Article 21. This means that Member States are free to decide on the penalties for cybercrimes pertaining to critical infrastructure that are committed in their state. A European wide penalty system would be more appropriate in this context.

4. Conclusion

The NIS Directive – with all its shortcomings – is a milestone towards a common European cyber-security space. It provides a common organizational framework and standards, and it provides for cooperation and information exchange. We have listed some potential for improvement in the last sections. However, the most important conclusion is that the directive does not and cannot be a substitute for properly equipped and staffed response teams on the operational level. We would encourage Member States to invest in this resource, as the costs incurred are negli- gible compared to those of a severe incident.

References:

1. Austrian National CERT (Computer Emergency Response Team), Team, [Online] available at https://www.cert.at/about/team/team.html, accessed on September 14, 2019.

2. Boyle, D. and Farmer, B., ‘HMS Queen Elizabeth is ‘Running Outdated Windows XP’, Raising Cyber Attack Fears’, June 27, 2017, [Online] available at https://www.tele graph.co.uk/news/2017/06/27/hms-queen-elizabeth-running-outdated-windows-xp-soft ware-raising/, accessed on September 9, 2019.

3. City of Vienna, Water Supply, [Online] available at https://www.wien.gv.at/wienwass er/versorgung/weg/, accessed on September 14, 2019.

4. Directive (EU) 2016/1148 of the European Parliament and of the Council of July 6, 2016 concerning measures for a high common level of security of network and information systems across the Union, published in Official Journal of the European Communities, no. L 194, from July 19, 2016.

5. Directive 2002/21/EC of the European Parliament and of the Council of March 7, 2002 on a common regulatory framework for electronic communications networks and services (Framework Directive), published in Official Journal of the European Communities, no.

L 108/33, from April 24, 2002.

6. enGardeLinux, Guardian Digital, [Online] available at http://www.engardelinux.org/, accessed on September 16, 2019.

(22)

7. European Union Agency for Cybersecurity, CSIRTs by Country Interactive Map:

Austria, undated, [Online] available at https://www.enisa.europa.eu/topics/csirts-in-eu rope/csirt-inventory/certs-by-country-interactive-map#country=Austria, accessed on September 16, 2019.

8. Holdowsky, J., Mahto, M., Raynor, M.E. and Cotteleer, M., ‘Inside the Internet of Things (IOT). A Primer on the Technologies Building the IoT’, Deloitte, August 21, 2015, [On- line] available at https://www2.deloitte.com/insights/us/en/focus/internet-of-things/

iot-primer-iot-technologies-applications.html, accessed on September 15, 2020.

9. Internet Assigned Numbers Authority, Autonomous System Numbers, [Online] available at https://www.iana.org/assignments/as-numbers/as-numbers.xhtml, accessed on September 14, 2019.

10. IPinfo, Austria ASN Summary, [Online] available at https://ipinfo.io/countries/at, accessed on September 14, 2019.

11. Izuakor, C., ‘Breaches That Started with and Insider Threat’, June 19, 2019, [Online]

available at https://www.the20.com/blog/breaches-that-started-with-an-insider-threat/, accessed on September 14, 2019.

12. Linux, ‘X Terminal Definition’, [Online] available at http://www.linfo.org/x_terminal.

html, accessed on September 9, 2019.

13. Murnane, K., ‘How John Podesta’s Emails Were Hacked and How to Prevent It from Happening to You’, October 21, 2016, [Online] available at https://www.forbes.com/

sites/kevinmurnane/2016/10/21/how-john-podestas-emails-were-hacked-and-how-to- prevent-it-from-happening-to-you/#3049f6f02476, accessed on September 15, 2019.

14. National Institute of Standards and Technology, ‘The NIST Definition of Cloud Comput- ing’, Special Publication 800-145, September 2001, [Online] available at https://nvlpubs.

nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-145.pdf, accessed on September 12, 2019.

15. Online Sicherheit, Austrian National Safety Portal, ‘Computer Emergency Response Team (CERTs)’, [Online] available at https://www.onlinesicherheit.gv.at/erste_hilfe/

certs/249343.html, accessed on September 12, 2019.

16. Petermann, T., Bradke, H., Lüllmann, A., Poetzsch, M. and Riehm, U., ‘Was bei einem Blackout geschieht. Folgen eines langandauernden und großräumigen Stromausfalls’, (What Happens during a Blackout. Consequences of a Long-term and Large-scale Power Failure), 2011, [Online] available at http://www.tab-beim-bundestag.de/de/pdf/publika tionen/buecher/petermann-etal-2011-141.pdf, accessed on September 14, 2019.

17. Prosser, A., ‘What the Smart City in the Danube Region Can Learn from Industry 4.0’, in Hansen, H., Müller-Török, R., Nemeslaki, A., Prosser, A., Scola, D. and Szádeczky, T. (eds.), Conference Proceedings Central and Eastern European eDem and eGov Days 2018, Vienna-Budapest: Austrian Computer Society, 2018, pp. 191-201.

18. Public Utilities Board Singapore, ‘Managing the Water Distribution Network with a Smart Water Grid’, 2016, Smart Water, vol. 1, no. 4, pp. 1-13.

19. RFC 4271, ‘A Border Gateway Protocol 4 (BGP-4)’, January 2006, [Online] available at https://tools.ietf.org/html/rfc4271, accessed on September 14, 2020.

(23)

20. Ross, M., IoT-Sicherheitskonferenz: Unsichere Smart-Meter, Mirai und seine Klone und die Genfer Konvention (IoT Security Conference: Unsafe Smart Meters, Mirai and Its Clones and the Geneva Convention), October 26, 2017, [Online] available at https://

www.heise.de/ix/meldung/IoT-Sicherheitskonferenz-Unsichere-Smart-Meter-Mi rai-und-seine-Klone-und-die-Genfer-Konvention-3872793.html, accessed on September 15, 2020.

21. SAP, [Online] available at https://www.sap.com/products/leonardo.html, accessed on September 15, 2020.

22. Smart Cities Council, Definitions and Overviews, [Online] available at https://smartciti escouncil.com/smart-cities-information-center/definitions-and-overviews, accessed on September 15, 2020.

23. Sweden, ‘Sweden – The First Cashless Society?’, [Online] available at https://sweden.se/

business/cashless-society/, accessed on September 15, 2020.

24. UK Government, ‘National Cyber Security Strategy 2016-2021’, [Online] available at https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attach ment_data/file/567242/national_cyber_security_strategy_2016.pdf, accessed on Septem- ber 15, 2019.

(24)

CHALLENGES OF TRUST-BUILDING IN EU INSTITUTIONS:

SERVICES OF GENERAL INTERESTS BEFORE THE COURT OF JUSTICE OF THE EUROPEAN UNION*

¹

Ildikó BARTHA

Ildikó BARTHA

Senior Research Fellow, MTA-DE Public Service Research Group

of the Hungarian Academy of Sciences (HAS) and the University of Debrecen Associate Professor, Department of European and International Law,

Faculty of Law and Political Studies, University of Debrecen, Debrecen, Hungary Tel.: 0036-52-512.701 extension 77114

E-mail: bartha.ildiko@law.unideb.hu

∗ Aknowledgement. The research leading to this article was financed by the project ‘Reassessment of State Roles in Regulation of Services’, implemented by the MTA-DE Public Service Research Group supported by the Hungarian Academy of Sciences (under Grant No. 05216).

Abstract

The article examines the link between public trust and effective enforcement of legal rules, in the context of regulation and management of public services/services of general interests (SGIs). Considering the severe challenges that the European Union and its Member States have to overcome nowadays, trust in institutions being responsible for public service delivery at different governance level is a crucial issue.

Due to the evolution of the legal framework in this area, the EU is an important supranational actor in the regulation of such services today, even for those provided at local level. The present paper aims to highlight the enforcement problems of those EU law obligations which directly or indirectly concern public service provision in the Member States. We will see that the operation of judicial proceedings and other enforcement instruments raises many questions on the effectiveness of EU rules in this particular area. These are able to influence the level of trust in the actions of the EU institutions (the European Commission and the EU judicial bodies in this context). The paper is based on comparative policy investigations and analysis of the European legal framework including the case-law of the Court of Justice of the European Union.

Keywords: Services of General Interest (SGI), Services of General Economic Interest (SGEI), enforce- ment of EU law, Court of Justice of the European Union (CJEU), public trust.

(25)

1. Introduction

The article examines the link between public trust and effective enforcement of legal rules, in the context of regulation and management of public services/services of general interests (SGIs). Considering severe challenges that the European Union and its Member States have to overcome nowadays, trust in institutions being responsible for public service delivery at different governance levels is a crucial issue.

Due to the evolution of the legal framework in this area, the EU is an important supranational actor in regulation of such services today, even for those provided at local level. The present paper aims to highlight the enforcement problems of those EU law obligations which directly or indirectly concern public service provision in the Member States.

The first part of the paper explores the substantial and procedural rules of the relevant EU legal framework. In this context, a particular emphasis is laid to the role and degree of discretionary powers left to national authorities in defining the underlying concepts and measures needed to take to fulfil the Member States’ public service obligations.

We will see that enforcement challenges may also be derived from the terminology itself. The operation of judicial proceedings and other enforcement instruments raises further questions on the effectiveness of EU rules concerning public service provision in the Member States. The second part of the paper focuses on the most challenging issues in this field.

Finally, those factors will be examined and tested on the SGI related case-law of the Court of Justice of the European Union (hereinafter CJEU or Court depending on the context) which may influence public trust in judicial bodies. In this respect, not only the citizens’ perspectives will be focused, but also those of the companies/

other legal entities as actual and potential service providers in the internal market of the European Union. We argue that sector specific analysis of trust in EU institutions would have relevance in order to better identify those factors which may have an impact on the level of public confidence.

2. Conceptual background

EU law, though it also uses terms evolved at national level (i. e. public utilities or/and public services), has a distinct conceptual framework (for details, see Szyszczak, 2017). The EU terminology is based on the categories of Services of Gen- eral Economic Interest (SGEI), Services of General Interest (SGI) and Services of Social General Interest (SSGI) (European Commission, 2006). The former (SGEI) is used in primary law texts, without being defined in the Treaty or in secondary legislation. However, in the case-law of the CJEU and EU Commission practice there is broad agreement that SGEI refers to services of an economic nature, with the

(26)

Member States or the EU being subject to specific public service obligations (PSO) as compared to other economic activities by virtue of a general interest criterion (Cases C-179/90 Merci convenzionali porto di Genova and C-242/95 GT-Link). The term SGI, the closest EU law equivalent to the traditional notion of public services (Sauter, 2014, p. 17), is also derived from the practice. It is broader than SGEI and covers both market and non-market services which the public authorities classify as being of general interest and subject to specific public service obligations (Euro- pean Commission, 2011).

3. Methodology

The present paper is based on comparative policy investigations and analysis of the European legal framework including the case-law of the CJEU. For the empirical part of the research, we obtained data from Eurobarometer surveys (European Commission, 2013; European Commission, 2018), as well as a specific CJEU case- law database containing a thematic collection of all CJEU cases relating EU Member States’ legislation and administrative practice in the provision of services of general interests (non-published database of the MTA-DE Public Service Research Group, hereinafter SGI case-law database). Annual reports of the CJEU (CJEU, 2000-2018) have been also used for statistical analysis.

4. Services of general interest in the European integration

As a general rule, EU internal market and competition rules apply to services of general economic interest as well, save where they fall under specific regulations or exceptional clauses of the EU Treaties. In this section, we will briefly outline the legal fundamentals relevant to SGIs including those provisions escaping them from the generally applicable market rules.

Article 106(1) of the Treaty on Functioning of the European Union (hereinafter TFEU) generally states that public undertakings and those entrusted with special or exclusive rights are not exempted from EU competition rules. Article 106(2), however, lays down a derogatory regime for services of general economic interest (Bauby and Similie, 2016, p. 19), providing that these undertakings are subject to EU competition law provisions (that is Articles 101, 102 and 107 TFEU) only in so far as the application of such provisions does not obstruct the performance of their particular public service obligation.

Most cases concerning the conflict between EU competition rules and public services have been examined in the context of dominance abuse, state aid rules (Sauter, 2014, p. 75). Granting exclusive or special rights to an undertaking often generates the dominant position itself that is the precondition for unlawful con-

(27)

duct under Article 102 TFEU which, as Article 106(2) suggests, may nevertheless be saved by referring to the ‘particular tasks assigned to them’. The legality of public monopolies and other entities (often operating as state-owned companies) enjoying exclusive or special rights is supported by the freedom of Member States to choose their system of property ownership, guaranteed by Article 345 TFEU (Sauter, 2014, p. 44).

State aids are in principle prohibited under Article 107(1) TFEU, unless they are found to be compatible with the internal market due to their specific objectives under paragraphs (2) or (3) of the same provision. In the case of SGEI, however, public service obligation compensation (see below) does not qualify as state aid.

In addition, non-economic SGI a priori fall outside the scope of Article 107 TFEU, since state aid rules only extend to services that qualify as economic activities (Sauter, 2014, p. 76).

General internal market and competition rules do not apply (or only as background rules/principles) if SGIs are subject to secondary legislation on specific sectors like electricity, telecommunication, etc.

Although the above provisions existed from the very beginning of the European integration process, their role and significance have changed over time. The ‘Euro- peanization of public services’ started only in the mid-eighties with the entry into force of the Single European Act (SEA). The process of creation of a single market engaged by the SEA led to a progressive liberalization, sector by sector (Bauby and Similie, 2016, p. 3). As the national markets in transport and energy have become integrated with this conception, public service obligations have been obstacles to market creation (Opinion of AG Colomer in case C-265/08 Federutility; Prosser, 2005, p. 121).

Critical movements against this free market orientation led to the first Commis- sion Communication on services of general interest of 1996 (European Commission, 1996), which laid a particular emphasis on the social elements of public services as well as the limits of market forces (Prosser, 2005, p. 156). Then, the Treaty of Amsterdam of 1997 has been amended by a new Article 16 of the Treaty of Euro- pean Community (TEC) which, among the fundamental principles of the EU, rein- forces the constitutional importance of the role and protection of SGEI obligations.

As safeguarding public services is primarily the interest of the Member States, the provision can be seen as a confirmation of the Member States’ traditional prerog- atives and discretionary power in the organization of such services (Rusche, 2013, p. 102; Schweitzer, 2011, p. 55).

The ‘safeguarding’ provision introduced by the Amsterdam Treaty (ex-Article 16 TEC, now Art. 14 TFEU) has been slightly (but importantly) modified by the Lisbon Treaty, with an express reference to the protection of national autonomy.

The new provision expressly pointed out the Member States’ competence to provide, to commission and to fund such services. A Protocol on Services of General

(28)

Interest (No. 26) was also added to the Treaties (TEU and TFEU). Reading Article 14 and the Protocol together, there is an even higher emphasis on national and local interests and a more state-centered approach seems to be applied to the protection of public service values. Moreover, the Charter of Fundamental Rights including the right to access to SGEI became binding with equal effect to the Treaties by entering into force of the Lisbon Treaty in 2009. These provisions reflect a political signal from the authors of the Lisbon Treaty that there is a need for protection of SGEI and particular local interests attached to them against the efforts of liberalization (Rusche, 2013, p. 106; Krajewski, 2011, p. 186).

The Commission’s legislative activity from the mid-2000s was largely influenced by the case-law of the ECJ. The leading decision is the Altmark judgment of 2003 (C-280/00 Altmark Trans) in which the Court held that the discharge of PSO is not covered by Article 107(1) TFEU where it merely compensates the provider of a public service mission for the costs that arise due to the performance of the PSO and determined four cumulative criteria which have to be met for not qualifying public service compensation as state aid. By declaring this group of financial compensa- tions out of the realm of the state aid concept, the Court, in essence, largely reduced the monitoring and decision-making competence of the Commission over national measures granting compensation for public services (Bauby and Similie, 2016, pp.

8-9), as the judgment allows for a self-assessment by Member States of that issue.

5. Enforcement challenges in SGI cases

All the above specific features of substantive SGI regulation at the EU level – in particular, the strong emphasis on the national competences – have a significant impact on procedural aspects as well. Enforcement challenges may be derived from the terminology (SGEI, SGI, SSGI) itself since there is a quite unclear borderline between the respective terms. The ambiguity of the relevant concepts may raise several problems as we will see in the following section.

5.1. Concepts as enforcement challenges

First of all, neither the ECJ nor the Commission provide further precision for the concept elements of ‘general interest’ and ‘special characteristics’ of SGEI (Bauby and Similie, 2016, p. 20). Within the framework established by fundamental rules of EU law, the case law acknowledge that Member States have a wide margin of discretion when defining what they consider to be an SGEI or SGI (Case T-106/95 FFSA and Others). Definitions given by Member States may be subject to control of the European Commission only for manifest error (European Commission, 2012) and in most cases, these definitions were validated by the CJEU case law (see for

(29)

instance Cases T-289/03 BUPA and T-17/02 Fred Olsen) and the European Commis- sion’s practice (Bauby and Similie, 2016, p. 21). Member States thus remain relatively free in determining the scope of those activities which, by reference on the SGI-exception clauses examined above, may be ‘saved’ from the generally applicable EU law rules.

Secondly, delimitation between SGEI and non-economic SGI (NESGI) would be especially important as only the latter category is exempted from EU internal market and competition law rules, though NESGIs are also subject to the most fundamental principles of EU law such as transparency, non-discrimination, propor- tionality or citizenship provisions of the Treaties (Szyszczak, 2017). However, the concept of ‘non-economic’ services is not clearly defined in EU law due to political choice, economic developments or evolution of users’ needs, the classification of a given service can change over time (European Commission, 2012) and therefore it is not possible to draw up an exhaustive list of activities that a priori would never be economic. Thus, a large ‘grey area’ exists between these two categories (SGEI – NESGI), in particular in the field of health, education, social services and housing (Bauby and Similie, 2016, p. 16).

5.2. Procedures available at the EU level

In this section, we summarize the most relevant procedural tools at EU and national level being used for the enforcement of the Member States’ SGI-related obligations explained above. As was already mentioned, the majority of cases have been examined in the context of dominance abuse, state aid rules or sector specific legislation.

5.2.1. Enforcement of state aid and competition rules

The effective enforcement of EU state aid rules very much depends on the scope of those measures which are notified to the European Commission. As a main rule, all new aids must be notified before putting them into effect. There are, however, ex- ceptions to mandatory notification. As was mentioned above, the Altmark judgment largely reduced the monitoring and decision-making competence of the Commis- sion over national measures granting compensation for public services since aids meeting the Altmark criteria became exempted from the notification obligation. The Commission’s legislative activity, although it was not its declared aim, definitely followed that line raising several concerns for Member States’ compliance.

The Commission is also authorized to investigate cases of suspected infringement of Article 102 TFEU (prohibiting abuse of dominant position) and to prohibit the infringement or impose fines on the firm(s) concerned. Before 2004, the enforcement of antitrust procedure has been only a matter for the Commission. Since then,

(30)

however, the system has been decentralized by giving the primary enforcement role to national competition authorities (NCAs) in the Member State and national courts. The reform is significant given the fundamental divergences in attitudes to the treatment of public services between different Member States; therefore, on the one hand, decentralization could be seen as promoting greater responsiveness to national sensitivities but, on the other, it makes a consistent approach more difficult given the major differences in national law and policies (Prosser, 2010, pp. 316-317).

The practice also shows that it is very often a difficult task for the national courts to find the right balance between economic and social factors in competition law cases concerning public services (especially welfare services) and sometimes even the ECJ’s preliminary rulings leave important issues to be solved by the national courts (Nistor, 2011, p. 203).

5.2.2. Enforcement before the CJEU

The CJEU has four main procedures: (1) preliminary references from Member State’s courts (preliminary ruling procedures), (2) enforcement actions by the Com- mission (or rather rarely by a Member State) against a Member State (infringement procedures), (3) review of the legality of actions of the EU institutions (annulment procedures), and (4) the actions for damages against the EU institutions (Conway, 2018, p. 235). In SGI case-law, the first three (1–3) procedures are relevant, the fourth one plays a rather marginal role if any.

The preliminary ruling procedure not only gives an opportunity for national courts of being assisted by the Court’s interpretation in the individual case, but also serves as a platform for sending message to the Member State concerned on the EU-law compatibility of its legislation (or administrative practice) being applicable in the national court’s proceeding. The final judgment is, however, issued by the national court deciding the concrete case and its impact on the Member State’s infringement is only indirect.

At the EU level, infringement proceedings under Articles 258-260 TFEU are the classic methods of supervision of Member States’ obligations under EU law. Decid- ing whether or not to initiate the procedure and bring an action before the Court under Article 258 falls within the discretionary power of the Commission (or another Member State under Article 259 TFEU). If the Court finally concludes that the Member State has failed to fulfil its EU law obligations, a declaratory judgment is issued which gives no further guidance as to what steps the Member State must take to put an end to the infringement. Article 260 infringement proceeding, where the Court has the competence to impose fines or penalties, may be initiated only at this stage, if the Commission considers that the Member State concerned has not taken the necessary measures to comply with the judgment under the previous (Article 258 TFEU) proceeding.

(31)

The parties subject to a Commission decision under the state aid or antitrust procedure, have the right to appeal to the General Court for the decision to be annulled. Judgments of the General Court can be appealed before the Court of Justice by the unsuccessful party, however, these appeals are limited to questions of law only.

6. Discussion: public trust and CJEU procedures in SGI related cases One of the key factors of measuring the effectiveness of mechanisms examined above is the level of public trust in institutions being responsible for the enforcement of EU law obligations which directly or indirectly concern Member States’

tasks of providing public services to their citizens. In the following, we examine survey results related to public trust in CJEU as well as the academic debate on these surveys. This analysis enables us to supplement our findings based on the SGI case-law database and to draw further conclusions on the nature of EU enforcement instruments in this particular area. This is the reason why we focus on CJEU surveys only and do not extend our analysis on the European Commission or national authorities.

In the academic literature, there is a widespread discussion about the level of public trust in and the legitimacy of the CJEU. The findings are quite controversial, however, some general conclusion can be drawn on the basis of these. Before going into details, it is important to note that surveys examined above cover the whole activity of the CJEU since there have been no sector specific survey on trust in EU institutions so far, neither at the European nor at the national level. This factor will be taken into consideration when formulating our final conclusions on SGI related enforcement instruments.

In the absence of systematic information about the attitudes of national courts and governments about the CJEU (which goes beyond indirect evidences like frequency of submitting preliminary references to the Court or compliance rate with CJEU decisions), the empirical literature on CJEU legitimacy focuses almost exclu- sively on public opinion data testing public knowledge of and trust in the Court (Pollack, 2018, pp. 163-164). These data primarily come from Eurobarometer surveys where the respondents have to answer three overall questions addressing the (1) public awareness of, (2) the importance of, and (3) the public trust in the CJEU (‘… tell me if you tend to trust or tend not to trust it?’ – The CJEU). The overall pic- ture on the basis of these surveys is that the CJEU has generated a relatively high level of public confidence throughout many decades, declining precipitously after the 2008 financial and economic crises (Pollack, 2018, p. 164).

On the basis of Eurobarometer data conducted between 1999 and 2010, net public trust (the percentage of those tending to trust in an institution minus those

(32)

tending not to trust) in the CJEU had been consistently positive during this period (Kelemen, 2012, p. 48). At the same time, the percentage of expressions of trust in the CJEU have decreased significantly, from a high of 63% in 1993 to a low of 48%

in 2013 among all EU respondents, while distrust has more than doubled over the same period, from 15% in 1993 to 35% in 2013 (European Commission, 2013; Pollack, 2018, p. 171).

As Pollack points out, levels of trust have declined in nearly every Member State between 1993 and 2013, but, in terms of percentages, there are large differences across the countries. In most Northern European countries, including Belgium, Denmark, France, Germany, the Netherlands and the Member States (Austria, Finland and Sweden) joined the EU in 1995, support for the CJEU remains high and has been largely stable over time. Among the new Member States that joined in 2004 and 2007, a majority (Czech Republic, Estonia, Hungary, Lithuania, Malta, Poland, Slovakia and Slovenia) show somewhat lower but consistently positive levels of net trust in the CJEU over time. The UK has been ‘an outlier’ from the basical- ly positive trends (Voeten, 2013, p. 425): ‘don’t trust’ responses of UK citizens have increased steadily and consistently outpace trust in the Court since 2007 (Pollack, 2018).

The most striking result has been the collapse of public trust in the CJEU (along with other EU institutions) in South European countries like Greece, Italy, Spain and Portugal (European Commission, 2013, p. 95). These states began with fair- ly strong levels of trust in 1993, however, in the years following the 2008 financial crisis, ‘don’t trust’ responses predominate in all four countries (plus Cyprus) (Pollack, 2018). Such a dramatic decline in support of CJEU has been explained by

‘the generalized resentment of EU-mandated austerity’ which had ‘infected’ popu- lar views of the Court in those countries and these changes in trust levels are rather independent from the actions and decisions of the CJEU itself (Pollack, 2018, p. 173).

By 2018, the balance of opinion between trust and distrust in the CJEU has im- proved slightly since 2013 at the EU level. Trust is unchanged at 48%, while distrust has decreased by four percentage points to 31%, with an equivalent rise in the ‘Don’t know’ rate (21%). Similar to the above tendencies before 2013, trust in the CJEU has evolved in the EU countries in sharply contrasting ways (European Commission, 2018, p. 95). Since 2013, it has increased in ten Member States, with striking rises in South European countries like Portugal (52%, +18 percentage points), Cyprus (49%, +18), Spain (39%, +13) and Greece (48%, +11). However, it has decreased in 16 countries, very sharply in those joined in 2004, such as the Czech Republic (32%, -24 percentage points), Slovakia (40%, -21), Bulgaria (41%, -18), Poland (41%, -18), Croatia (34%, -14), Hungary (45%, -13), Estonia (52%, -12) and Slovenia (45%, -9) (European Commission, 2018, p. 95).

(33)

0%

10%

20%

30%

40%

50%

60%

70%

80%

90%

100%

DK NL SE LU FI DE LT BE AT IE PT LV EE RO MT CY EL SI HU BG PL FR SK UK ES IT HR CZ EU28

Tend to trust Tend not to trust Don't know

Figure 1: Public trust in CJEU in 2018 Source: European Commission (2018)

In general, studies based on Eurobarometer data and other CJEU trust surveys conclude that the CJEU is one of the most trusted institutions in Europe. Howev- er, the level of public support can change over time (sometimes rapidly), as it was demonstrated in the state by state survey results. It is also observed that the CJEU is quite sensitive towards a broader legitimacy crisis in the EU (Pollack, 2018, p. 173).

As we have seen from the above analysis, CJEU trust surveys do not address specific parameters determining public confidence, most of them raise overall questions to the respondents. Nevertheless, certain indicators are generally accepted in the academic literature and empirical studies as those being able to influence public trust in the judiciary. These are especially the outcome of a case, the reasoning of the judgment, level of judicial independence, knowledge about an institution, transparency (Team Finland, 2019). Also, efficiency factors (length of proceedings, annual number of closed cases etc.) correlate with higher levels of public confidence.

Most of these factors also serve as quality indicators to measure the performance of the judiciary. The concept of ‘quality’ needs, however, further explanation at this point. Although there is no single agreed way of measuring the quality of judicial decision-making (European Commission, 2017, p. 4; Bencze and Yein Ng, 2018, p. 2), certain common standards must be always considered in this context. Effi- ciency issues are mostly focused on when it comes to objective evaluations of the performance of judicial systems (Bencze and Yein Ng, 2018, p. 1).

As for national judiciary, the European Commission annually publishes its scoreboards (hereinafter EU Justice scoreboards) providing comparative data on quality indicators at Member States’ level. Quality, independence and efficiency are the

(34)

guiding principles of presenting specific metrics like the accessibility of justice for citizens and businesses, various dimensions of independency as well as the length of judicial proceedings. The scoreboards also lay a strong emphasis on the link between the efficiency of judicial systems and the economic performance of the EU as a whole. ‘Across the EU, mutual understanding and trust in justice systems – their quality, independence and efficiency – is essential to the functioning of the internal market.’ Quality is also highlighted by the Commission as ‘a driver for citizens’ and businesses’ trust in the justice system’ (European Commission, 2017, p. 4).

These factors are also relevant when assessing the public trust in and the performance of international courts. However, special circumstances must always be considered in the evaluation of a particular judicial practice (Bencze and Yein Ng, 2018, p. 1). Regarding the CJEU, these circumstances are mostly determined by the rules governing its jurisdiction, the specific ‘work-sharing’ relation between the EU courts and national courts, as well as the style of the jurisprudence, which is influenced by different legal traditions in Europe. As we already established, there are three main CJEU procedures where most SGI cases are disposed of: (1) preliminary ruling, (2) infringement and (3) annulment procedures.

These procedures are fundamental to the CJEU’s role (Conway, 2018, p. 235) as they determine the ways in which citizens and businesses can get access to judicial protection at EU level. It is true for all the three types that they can provide rather limited or indirect access to CJEU for individuals (i. e. citizens and companies).

Preliminary ruling procedures (1) are always initiated by a national court which may request the CJEU to give a ruling on the interpretation of certain EU law provision(s) if it is necessary to decide in a case pending before it. Although parties to the dispute may initiate that the court requests preliminary ruling, such initiatives do not oblige the national court which has a full autonomy to decide whether it needs a ruling from the CJEU or not. Infringement procedures, as we have seen, can never be launched by individuals. The only thing they can do is the submission of a

‘complain’ to the European Commission in which they indicate the alleged failure of compliance with the Member State(s)’ EU law obligation(s). And finally, actions for annulment (3) can be brought by individuals under very strict conditions. It makes their opportunities to access to justice in this procedure much more limited than for EU institutions or Member States.

The limits for access to justice for individuals are also reflected by the nature of legal issues brought before the CJEU in SGI related cases. In this regard, it is inter- esting to note that Article 36 of the EU Charter of Fundamental Rights declaring the right to access to SGEIs, although it has binding legal effect since the entry into force of the Treaty of Lisbon in 2009, was invoked and examined on substance in one single case of the CJEU (C285/18 Irgita). In all other cases, this provision was only mentioned as supporting argument in the Court’s reasoning or in Advocate General opinions.