
This document is an excerpt from the EUR-Lex website

Document Ares(2020)7456550

Regulation EU XXXX/XX of the European Parliament and of the Council of XX XX 2021 laying down the Information security common rules in the EU institutions, bodies and agencies

ROADMAP

Roadmaps aim to inform citizens and stakeholders about the Commission's work in order to allow them to provide feedback and to participate effectively in future consultation activities. Citizens and stakeholders are in particular invited to provide views on the Commission's understanding of the problem and possible solutions and to make available any relevant information that they may have.

Title of the initiative

Regulation on Information Security in the EU institutions, bodies and agencies

Lead DG – responsible unit

HR.DS3

Likely Type of initiative

Legislative proposal

Indicative Planning

Q4 2021

Additional Information

-

This Roadmap is provided for information purposes only and its content might change. It does not prejudge the final decision of the Commission on whether this initiative will be pursued or on its final content. All elements of the initiative described by the Roadmap, including its timing, are subject to change.

A. Context, Problem definition and Subsidiarity Check

Context

·The Commission adopted its information security legal framework in 2015 (1). These rules only apply to the Commission, though they are very similar to the Council and EEAS rules when it comes to EU classified information.

·All EU institutions, bodies and agencies should have Information Security Rules, as a system is always as vulnerable as its weakest link. In the past years, HR.DS supported the adoption of relevant rules for several agencies (2).

·The Member States are reporting hybrid attacks, combining for instance disinformation with information leaks and disruption of critical infrastructure. They are urging the EU institutions, bodies and agencies to enhance the security of EU information and communication networks and of their decision-making processes against malicious activities of all kinds (3).

·The Security Union Strategy (4), adopted by the Commission on 24 July 2020, provides for the adoption of common rules on information security, applicable to all EU institutions, bodies and agencies.

Problem the initiative aims to tackle

·Lack of appropriate procedures for dealing with information security governance issues between EU institutions and national security services.

·Lack of coordination on information security issues, except in areas where a certain degree of harmonisation does exist (EUCI, alert states).

·Barriers to the exchange of sensitive non-classified information between EU institutions, bodies and agencies, due to a lack of an inter-institutional framework for exchange of such information.

·Lack of formal information security policies in small institutions, agencies and bodies.

·Lack of consistent strategies across EU institutions, bodies and agencies on security of information handled by outsourced systems.

·Gaps in the EU classified information framework, especially regarding handling of EUCI in the field, and regarding approved products for the handling of EU classified information.

·The impact of new working methods, teleworking and remote meetings on information security, which needs to be integrated into the new rules.

·Lack of tools and products for the exchange of EUCI and sensitive non-classified information across EU institutions and bodies.

Basis for EU intervention (legal basis and subsidiarity check)

·Article 298 TFEU. The initiative falls under the exclusive competence of the EU according to Article 298 of the TFEU. Therefore, the subsidiarity principle does not apply.

B. What does the initiative aim to achieve and how

The Commission will prepare the revision of its Information Security Rules and aim at establishing the same rules for all EU institutions, bodies and agencies, similar to the EU Data Protection Regulation or the Financial Regulation.

These rules will establish a common baseline for information security and facilitate the secure exchange of information by harmonising information security rules and principles covering both classified and non-classified information. Additionally, this will reduce the burden of developing and maintaining information security rules, which is disproportionate for small EU bodies and agencies.

All aspects relating to cybersecurity will be addressed, in close collaboration, by DG DIGIT in the parallel strand on cybersecurity.

The other policy options are:

·To update only the Commission’s information security rules, without taking into consideration the needs of the other institutions, bodies and agencies and without ensuring that the rules are applicable to all EU institutions and bodies.

·To favour non-regulatory/coordination projects to update the information security posture and to harmonise practices between other EU institutions, bodies and agencies.

C. Better regulation

Consultation of citizens and stakeholders

As the proposal for such a Regulation is exclusively applicable to EUIs, bodies and agencies, there is no reason to consult citizens.

The consultation process will only concern the EU entities mentioned above and will be conducted through the existing cooperation groups (such as the Commission Security Expert Group, the Decentralised Agencies Network, the Inter Institutional Committee for Digital Transformation, etc.).

The consultation process will be performed in line with the consultation processes for internal legislation within the main EU institutions, bodies and agencies.

·In order to ensure buy-in for the project, strong cooperation will be sought with the other institutions, taking into account that security policy is part of the corporate culture of each institution.

Evidence base and data collection

As this initiative has a limited impact on the EUIs, bodies and agencies themselves, a thorough impact assessment is not necessary, as it would not create clearly identifiable or significant impacts on citizens and businesses.

Instead, the Commission will provide an analytical Staff Working Document (SWD) focusing on the potential impacts of the initiative on each EU institution, body and agency concerned. This SWD will be based on findings from a study on new and emerging threats to information security in the EU entities mentioned above and from various surveys conducted in their respective security departments.

(1) Commission Decisions (EU, Euratom) 2015/443 and 2015/444, complemented by Commission Decision (EU, Euratom) 2017/46 on the security of communication and information systems.
(2) Such as EMCDDA, EMSA, CEPOL, EU-Lisa; ECBGA (Frontex).
(3) General Affairs Council Conclusions (10 December 2019), ref. 14972/19.
(4) EU Security Union Strategy (COM/2020/605).