EUR-Lex Access to European Union law
This document is an excerpt from the EUR-Lex website
Document 02021D1026-20230720
Council Decision (CFSP) 2021/1026 of 21 June 2021 in support of the Cyber Security and Resilience and Information Assurance Programme of the Organisation for the Prohibition of Chemical Weapons (OPCW) in the framework of the implementation of the EU Strategy against Proliferation of Weapons of Mass Destruction
Consolidated text: Council Decision (CFSP) 2021/1026 of 21 June 2021 in support of the Cyber Security and Resilience and Information Assurance Programme of the Organisation for the Prohibition of Chemical Weapons (OPCW) in the framework of the implementation of the EU Strategy against Proliferation of Weapons of Mass Destruction
Council Decision (CFSP) 2021/1026 of 21 June 2021 in support of the Cyber Security and Resilience and Information Assurance Programme of the Organisation for the Prohibition of Chemical Weapons (OPCW) in the framework of the implementation of the EU Strategy against Proliferation of Weapons of Mass Destruction
02021D1026 — EN — 20.07.2023 — 001.001
This text is meant purely as a documentation tool and has no legal effect. The Union's institutions do not assume any liability for its contents. The authentic versions of the relevant acts, including their preambles, are those published in the Official Journal of the European Union and available in EUR-Lex. Those official texts are directly accessible through the links embedded in this document
|
COUNCIL DECISION (CFSP) 2021/1026 of 21 June 2021 (OJ L 224 24.6.2021, p. 24) |
Amended by:
|
|
|
Official Journal |
||
|
No |
page |
date |
||
|
L 184 |
37 |
21.7.2023 |
||
COUNCIL DECISION (CFSP) 2021/1026
of 21 June 2021
in support of the Cyber Security and Resilience and Information Assurance Programme of the Organisation for the Prohibition of Chemical Weapons (OPCW) in the framework of the implementation of the EU Strategy against Proliferation of Weapons of Mass Destruction
Article 1
For the purpose of giving immediate and practical application to certain elements of the EU Strategy, the Union shall support a project of the OPCW with the following objectives:
In the context of paragraph 1, the Union-supported activities of the project of the OPCW, which are in compliance with the measures set out in Chapter III of the EU Strategy, shall be the following:
Article 2
Article 3
Article 4
The HR shall report to the Council on the implementation of this Decision on the basis of regular reports prepared by the Technical Secretariat. The HR reports shall form the basis for the evaluation carried out by the Council. The Commission shall provide information on the financial aspects of the project referred to in Article 1.
ANNEX
PROJECT DOCUMENT
1. Background
The OPCW is required to maintain infrastructure that permits information sovereignty in a manner commensurate with privileged access classifications, appropriate handling routines and existing threats whilst remaining capable of defending against emerging risks. The OPCW continues to consistently face serious and emerging risks in relation to cyber-security and cyber-resilience. The OPCW is a target of highly skilled, resourced and motivated actors. These actors continue to attack the confidentiality and integrity of the OPCW’s information and infrastructure assets on a frequent basis. To respond to the concerns that recent cyber-attacks, current political considerations, and COVID-19 crisis underlined, and taking into account the unique requirements posed by the nature of the work of the OPCW to deliver on the mandate of the CWC, it is clear that essential investment in technical capabilities is necessary.
Under the OPCW’s Special Fund for CyberSecurity, Business Continuity, and Physical Infrastructure Security, the OPCW has designed its Cyber Security and Resilience and Information Assurance Programme (OPCW Programme) with 47 activities to address cyber security challenges that have been experienced in recent times. The OPCW Programme is aligned to best practice as promoted by entities such as the European Union Agency for Cyber Security (ENISA) or using concepts related to the European Directive on Security of Network and Information Systems (NIS) pertaining to Telecoms and Defence. Collectively the OPCW Programme covers the following thematic areas: classified and unclassified networks; policy and governance; detection and response; operations and maintenance; and telecommunications. Fundamentally the OPCW Programme is designed to enable OPCW to reduce opportunities for well-resourced and/or state-sponsored attackers to achieve their aims, and to mitigate risks from both external and insider threats from both a human and technical perspective. The Union support is structured as a Project of three activities that corresponds to two of the 47 OPCW Programme’s activities.
2. Project Purpose
The overall purpose of the Project is to ensure that the OPCW Secretariat has the capacity to maintain appropriate level of cyber security and resilience in addressing recurrent and emerging cyber-security defence challenges at OPCW headquarters and auxiliary facilities, to enable delivery of OPCW’s mandate and effective implementation of the CWC.
3. Objectives
4. Results
Expected results the Project contributes to are as follows:
5. Activities
5.1. Activity 1 – Operationalisation of an enabling environment for on-going cyber security and resilience efforts within multi-site OPCW operations
This activity seeks to ensure an enabling environment for smooth roll out of OPCW business continuity planning as related to cyber security and resilience. This will be achieved through addressing infrastructure upgrades – re-architecture and/or archival for OPCW business continuity across multi-site operations. As well as further facilitating and enabling the integration of privileged access governance into the business continuity planning and response processes.
5.2. Activity 2 – Designing of customized solution for on premise and cloud based systems integration and configuration with OPCW ICT systems and Privileged Access Management (PAM) solutions
This activity focuses on translating the enabling environment into a customized design for on premise and cloud based systems integration and configuration with OPCW ICT systems and PAM solutions. This is expected to increase the efficiency of ICT systems infrastructure and lead to the design of an integrated PAM system for critical assets that can deter, detect, and is in line with commensurate threat hunting capabilities.
5.3. Activity 3 – Initiation and testing of PAM solutions
This activity builds upon the infrastructure implemented and the PAM solutions designed to take integration and configuration from theory towards practice. Systems have to be mapped, profiled, and embedded into existing systems while taking associated policy and human factors into consideration. After which thorough testing verifies and assures the robustness of the system (all new systems have strong authentication for users and devices, appropriate information classification and protection, and advanced data loss prevention) in implementation and over time, will enable the OPCW Secretariat to identify and address gaps to the extent possible.
6. Duration
The total estimated duration of implementation funded through this project are expected to be incurred and concluded over a 24-month period.
7. Beneficiaries
Beneficiaries from the project will be OPCW Technical Secretariat personnel, policy-making organs, subsidiary bodies and CWC stakeholders including States Parties.
8. EU Visibility
The OPCW shall take all appropriate measures, within reasonable security considerations, to publicise the fact that this project has been funded by the Union.