Choose the experimental features you want to try

This document is an excerpt from the EUR-Lex website

Document 02021D1026-20230720

Consolidated text: Council Decision (CFSP) 2021/1026 of 21 June 2021 in support of the Cyber Security and Resilience and Information Assurance Programme of the Organisation for the Prohibition of Chemical Weapons (OPCW) in the framework of the implementation of the EU Strategy against Proliferation of Weapons of Mass Destruction

ELI: http://data.europa.eu/eli/dec/2021/1026/2023-07-20

02021D1026 — EN — 20.07.2023 — 001.001


This text is meant purely as a documentation tool and has no legal effect. The Union's institutions do not assume any liability for its contents. The authentic versions of the relevant acts, including their preambles, are those published in the Official Journal of the European Union and available in EUR-Lex. Those official texts are directly accessible through the links embedded in this document

►B

COUNCIL DECISION (CFSP) 2021/1026

of 21 June 2021

in support of the Cyber Security and Resilience and Information Assurance Programme of the Organisation for the Prohibition of Chemical Weapons (OPCW) in the framework of the implementation of the EU Strategy against Proliferation of Weapons of Mass Destruction

(OJ L 224 24.6.2021, p. 24)

Amended by:

 

 

Official Journal

  No

page

date

►M1

COUNCIL DECISION (CFSP) 2023/1515 of 20 July 2023

  L 184

37

21.7.2023




▼B

COUNCIL DECISION (CFSP) 2021/1026

of 21 June 2021

in support of the Cyber Security and Resilience and Information Assurance Programme of the Organisation for the Prohibition of Chemical Weapons (OPCW) in the framework of the implementation of the EU Strategy against Proliferation of Weapons of Mass Destruction



Article 1

1.  

For the purpose of giving immediate and practical application to certain elements of the EU Strategy, the Union shall support a project of the OPCW with the following objectives:

— 
upgrading ICT infrastructure in line with the OPCW’s institutional business continuity framework, with a strong focus on resilience, and
— 
ensuring privileged access governance, as well as physical, logical and cryptographic information management and separation for all strategic and mission networks of the OPCW.
2.  

In the context of paragraph 1, the Union-supported activities of the project of the OPCW, which are in compliance with the measures set out in Chapter III of the EU Strategy, shall be the following:

— 
operationalisation of an enabling environment for ongoing cyber security and resilience efforts within multi-site OPCW operations,
— 
designing of customised solutions for on-premises and cloud-based system integration and configuration with OPCW ICT systems and privileged access management (PAM) solutions, and
— 
initiation and testing of PAM solutions.
3.  
A detailed description of the Union-supported activities of the OPCW referred to in paragraph 2 is set out in the Annex.

Article 2

1.  
The High Representative of the Union for Foreign Affairs and Security Policy (‘the HR’) shall be responsible for the implementation of this Decision.
2.  
Technical implementation of the project referred to in Article 1 shall be carried out by the OPCW Technical Secretariat (‘the Technical Secretariat’). It shall perform that task under the responsibility and the control of the HR. For that purpose, the HR shall enter into the necessary arrangements with the Technical Secretariat.

Article 3

1.  
The financial reference amount for the implementation of the project referred to in Article 1 shall be EUR 2 151 823 .
2.  
The expenditure financed by the amount set out in paragraph 1 shall be managed in accordance with the procedures and rules applicable to the general budget of the Union.
3.  
The Commission shall supervise the proper management of the expenditure referred to in paragraph 2. For that purpose, it shall conclude the necessary agreement with the Technical Secretariat. That agreement shall stipulate that the Technical Secretariat is to ensure visibility of the Union contribution, commensurate with its size, and specify measures to facilitate the development of synergies and to avoid the duplication of activities.
4.  
The Commission shall endeavour to conclude the agreement referred to in paragraph 3 as soon as possible after the entry into force of this Decision. It shall inform the Council of any difficulties in that process and of the date of conclusion of the agreement.

Article 4

The HR shall report to the Council on the implementation of this Decision on the basis of regular reports prepared by the Technical Secretariat. The HR reports shall form the basis for the evaluation carried out by the Council. The Commission shall provide information on the financial aspects of the project referred to in Article 1.

Article 5

1.  
This Decision shall enter into force on the date of its adoption.

▼M1

2.  
This Decision shall expire on 30 August 2024.

▼B




ANNEX

PROJECT DOCUMENT

1.   Background

The OPCW is required to maintain infrastructure that permits information sovereignty in a manner commensurate with privileged access classifications, appropriate handling routines and existing threats whilst remaining capable of defending against emerging risks. The OPCW continues to consistently face serious and emerging risks in relation to cyber-security and cyber-resilience. The OPCW is a target of highly skilled, resourced and motivated actors. These actors continue to attack the confidentiality and integrity of the OPCW’s information and infrastructure assets on a frequent basis. To respond to the concerns that recent cyber-attacks, current political considerations, and COVID-19 crisis underlined, and taking into account the unique requirements posed by the nature of the work of the OPCW to deliver on the mandate of the CWC, it is clear that essential investment in technical capabilities is necessary.

Under the OPCW’s Special Fund for CyberSecurity, Business Continuity, and Physical Infrastructure Security, the OPCW has designed its Cyber Security and Resilience and Information Assurance Programme (OPCW Programme) with 47 activities to address cyber security challenges that have been experienced in recent times. The OPCW Programme is aligned to best practice as promoted by entities such as the European Union Agency for Cyber Security (ENISA) or using concepts related to the European Directive on Security of Network and Information Systems (NIS) pertaining to Telecoms and Defence. Collectively the OPCW Programme covers the following thematic areas: classified and unclassified networks; policy and governance; detection and response; operations and maintenance; and telecommunications. Fundamentally the OPCW Programme is designed to enable OPCW to reduce opportunities for well-resourced and/or state-sponsored attackers to achieve their aims, and to mitigate risks from both external and insider threats from both a human and technical perspective. The Union support is structured as a Project of three activities that corresponds to two of the 47 OPCW Programme’s activities.

2.   Project Purpose

The overall purpose of the Project is to ensure that the OPCW Secretariat has the capacity to maintain appropriate level of cyber security and resilience in addressing recurrent and emerging cyber-security defence challenges at OPCW headquarters and auxiliary facilities, to enable delivery of OPCW’s mandate and effective implementation of the CWC.

3.   Objectives

— 
Upgrading ICT infrastructure in line with OPCW’s institutional business continuity framework, with a strong focus on resilience;
— 
Ensuring privileged access governance, as well as physical, logical and cryptographic information management and separation for all strategic and mission networks.

4.   Results

Expected results the Project contributes to are as follows:

— 
ICT equipment and services deliver robust system reliability (hybrid/geographical redundancy) and facilitate increased availability of ICT systems and services in support of business continuity;
— 
Minimization of abilities for any single factor or person to adversely impact confidentiality and integrity of information or systems within the OPCW.

5.   Activities

5.1.   Activity 1 – Operationalisation of an enabling environment for on-going cyber security and resilience efforts within multi-site OPCW operations

This activity seeks to ensure an enabling environment for smooth roll out of OPCW business continuity planning as related to cyber security and resilience. This will be achieved through addressing infrastructure upgrades – re-architecture and/or archival for OPCW business continuity across multi-site operations. As well as further facilitating and enabling the integration of privileged access governance into the business continuity planning and response processes.

5.2.   Activity 2 – Designing of customized solution for on premise and cloud based systems integration and configuration with OPCW ICT systems and Privileged Access Management (PAM) solutions

This activity focuses on translating the enabling environment into a customized design for on premise and cloud based systems integration and configuration with OPCW ICT systems and PAM solutions. This is expected to increase the efficiency of ICT systems infrastructure and lead to the design of an integrated PAM system for critical assets that can deter, detect, and is in line with commensurate threat hunting capabilities.

5.3.   Activity 3 – Initiation and testing of PAM solutions

This activity builds upon the infrastructure implemented and the PAM solutions designed to take integration and configuration from theory towards practice. Systems have to be mapped, profiled, and embedded into existing systems while taking associated policy and human factors into consideration. After which thorough testing verifies and assures the robustness of the system (all new systems have strong authentication for users and devices, appropriate information classification and protection, and advanced data loss prevention) in implementation and over time, will enable the OPCW Secretariat to identify and address gaps to the extent possible.

6.   Duration

The total estimated duration of implementation funded through this project are expected to be incurred and concluded over a 24-month period.

7.   Beneficiaries

Beneficiaries from the project will be OPCW Technical Secretariat personnel, policy-making organs, subsidiary bodies and CWC stakeholders including States Parties.

8.   EU Visibility

The OPCW shall take all appropriate measures, within reasonable security considerations, to publicise the fact that this project has been funded by the Union.

Top