
This document is an excerpt from the EUR-Lex website

Document Ares(2020)7500404

Regulation EU XXXX/XX of the European Parliament and of the Council of XX XX 2021 laying down the cybersecurity common rules in the EU institutions, bodies and agencies

ROADMAP

Roadmaps aim to inform citizens and stakeholders about the Commission's work in order to allow them to provide feedback and to participate effectively in future consultation activities. Citizens and stakeholders are in particular invited to provide views on the Commission's understanding of the problem and possible solutions and to make available any relevant information that they may have.

Title of the initiative

Regulation on Common Cybersecurity Rules for EU institutions, bodies and agencies.

Lead DG – responsible unit

DIGIT S

Likely Type of initiative

Legislative proposal

Indicative Planning

Q4 2021

Additional Information

-

This Roadmap is provided for information purposes only and its content might change. It does not prejudge the final decision of the Commission on whether this initiative will be pursued or on its final content. All elements of the initiative described by the Roadmap, including its timing, are subject to change.

A. Context, Problem definition and Subsidiarity Check

Context

·The current rules on the security of the communication and information systems in the Commission were adopted in 2017 (1). The rules apply only to the Commission.

·The cyber threat landscape is increasingly hostile. In particular, and as reported by CERT-EU, the number of major attacks on the EU institutions, bodies and agencies has steadily and significantly increased in the last two years.

·Member States are urging the EU institutions, bodies and agencies to update their security framework and decision-making procedures in order to take these threats into account (2).

·The Security Union Strategy (3), adopted by the COM on 24 July 2020, provides for the adoption of common rules on cybersecurity, applicable to all EU institutions, agencies and other bodies.

·In September 2020, the Inter-Institutional Committee on Digital Transformation (ICDT) established a standing subgroup on cybersecurity, which is chaired by DIGIT.

·In recognition of the cybersecurity challenges faced by all EUIBAs, the CERT-EU Steering Board set in February 2020 a strategic aim for CERT-EU to dramatically improve the cyber resilience, cyber hygiene and cyber awareness of EUIBAs while giving CERT-EU the means to defend its constituency against the increasing major attacks.

·In addition, the structured cooperation with ENISA, as mandated by the EU Cybersecurity Act of 2019 (4), should allow CERT-EU to build up the cybersecurity capacity of EUIBAs and improve the existing operational cooperation.

Problem the initiative aims to tackle

The current situation in which each EUIBA develops its own rules has given rise to the following issues:

·Each EU institution, body and agency has its own internal IT security rules, leading to an inconsistent approach, a lack of a common cybersecurity baseline and cyber hygiene gaps. At the moment, there is no overview of the security maturity of the EU institutions, bodies and agencies or their constituent parts. There is only informal and voluntary sharing, for example in the CERT-EU Steering Board, the CERT-EU technical taskforce or the ICTAC (the ICT Advisory Committee for Agencies).

·EU institutions, bodies and agencies need to increase their cybersecurity maturity and resilience to cyberattacks.

·Some EU institutions, bodies and agencies, including the Commission, have developed internal rules and standards to guide the progressive maturing of their cybersecurity posture and methods, services and tooling. However, these developments are not reflected across the board, which increases the risk of incidents and potential material or reputational damage to all the EU institutions, bodies and agencies.

·CERT-EU's current legal base and budget do not allow it to perform the role and duties requested by its Steering Board.

·There is underinvestment and/or inefficient investment in cybersecurity tools and services, e.g. in incident detection and response capabilities.

·Cyber threat monitoring is inconsistent and incomplete, which significantly hampers the detection of and the response to cyberattacks.

·Lack of effective governance procedures, including procedures pertaining to effective information sharing, for assuring the coordination between EU institutions, bodies and agencies and CERT-EU for responding to cybersecurity incidents, and, when applicable, the collaboration of CERT-EU with national authorities (inter alia the CSIRT Network).

Basis for EU intervention (legal basis and subsidiarity check)

Article 298 TFEU (Treaty on the Functioning of the European Union) could be used as a legal basis for laying down common rules on the security of the communication and information systems for all EU institutions, bodies and agencies. Therefore, the subsidiarity principle does not apply.

B. What does the initiative aim to achieve and how

The Commission aims at establishing a common set of cybersecurity rules for all EU institutions, bodies and agencies, similar to the EU Data Protection Regulation or the Financial Regulation.

These rules will establish a common baseline for cybersecurity and thus reduce the risk of incidents that cause material or reputational damage to the EU institutions, bodies and agencies. They will do this by raising the cyber maturity of all EU institutions, bodies and agencies, fostering the sharing of threat information, and raising the efficiency of prevention and response efforts.

All aspects relating to information security will be addressed in close collaboration with DG HR in the parallel strand on information security.

The other policy options are:

·To work on a best-effort basis, with only informal and voluntary sharing of cyber maturity through benchmarking, sharing of methods and technical cooperation.

·To establish a common set of guidelines that are not binding.

C. Better regulation

Consultation of citizens and stakeholders

As the proposal for such a Regulation is exclusively applicable to EUIs, bodies and agencies, there is no reason to consult citizens.

The consultation process will only concern the EU entities mentioned above and will be conducted through the existing cooperation groups (such as the Commission Security Expert Group, the Decentralised Agencies Network, the Inter-Institutional Committee for Digital Transformation, etc.).

The consultation process will be performed in line with the consultation processes for internal legislation within the main EU institutions, bodies and agencies.

·In order to ensure buy-in for the project, strong cooperation will be sought with the other EU entities, taking into account that risk management is a prerogative of each entity.

Evidence base and data collection

As this initiative has an impact limited to the EUIs, bodies and agencies, a detailed impact assessment is not necessary, as it would not create clearly identifiable or significant impacts on citizens and businesses.

Instead, the COM will provide an analytical Staff Working Document (SWD) focusing on the potential impacts of the initiative on all EU institutions, bodies and agencies. The SWD will be based upon findings from a study benchmarking the current situation and the analysis of impacts based on information from CERT-EU, ENISA and the security and IT departments of EU entities. It will reflect the results of stakeholder consultations, developed from an inter-institutional taskforce on cybersecurity. This work will be carried out in close coordination with the analysis conducted by HR.DS for the common information security rules.

(1) Commission Decision (EU, Euratom) 2017/46.
(2) Complementary efforts to enhance resilience and counter hybrid threats - Council Conclusions (10 December 2019), ref. 14972/19.
(3) EU Security Union Strategy (COM/2020/605).
(4) Cybersecurity Act: Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019 on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification and repealing Regulation (EU) No 526/2013.