New rules on information security
Proposal for a Regulation on information security in the institutions, bodies, offices and agencies of the Union
Background
Due to the ever-increasing amounts of sensitive non-classified and European Union classified information (‘EUCI’) that the institutions, bodies, offices and agencies of the Union need to share between themselves, and considering the dramatic development of the threat landscape, the European administration is exposed to attack in all of its areas of activity. The information handled by our institutions, bodies, offices and agencies has high value for many different threat actors and needs appropriate protection.
Member States have already called on our institutions to move in this direction. A key feature of the Strategic Agenda for 2019-2024 adopted by the European Council in June 2019 is to protect our societies from the threats targeting the information handled by the European administration. In its conclusions, the European Council called on ‘the EU institutions, together with the Member States, to work on measures to enhance the resilience and improve the security culture of the EU against cyber and hybrid threats from outside the EU, and to better protect the EU’s information and communication networks, and its decision-making processes, from malicious activities of all kinds’.
In July 2020, the Commission adopted its EU Security Union Strategy, by which it committed to complement the national efforts in the area of security. Part of this engagement is the initiative to harmonise the internal legal frameworks for information security in all institutions, bodies, offices and agencies of the Union.
Objectives
The general objective of this proposal is to create a standard set of high-level information security rules for all institutions, bodies, offices and agencies of the Union to ensure an enhanced and consistent degree of protection against the evolving threats to their information.
The general objective is translated into four specific objectives:
- Establish harmonised and comprehensive categories of information based on the level of confidentiality;
- Identify security gaps and implement measures required;
- Establish an efficient forum for cooperation on information security between the institutions, bodies, offices and agencies of the Union;
- Modernise the information security policies, taking account of current trends such as digital transformation and remote working.
Questions and Answers
Why is the Commission proposing a Regulation on information security in the institutions, bodies, offices and agencies of the Union?
The institutions, bodies, offices and agencies of the Union currently have their own information security rules or have not adopted such rules at all. The fragmentation of the applicable legal framework has led to significant differences between the levels of security that these organisations can ensure for the information they handle. This situation increases the risks of attackers creating a security breach in the weakest link and using that as a starting point for further attacks on other institutions or bodies.
By creating a single set of rules on information security across all the institutions, bodies, offices and agencies of the Union, the Commission proposes a common baseline of high standards for the protection of the information handled. In addition, the harmonised rules will facilitate the sharing of information between the institutions, bodies, offices and agencies, and also with Member States.
To whom will the proposed Regulation apply?
This proposal lays down rules applicable to the Union administration (institutions, bodies, offices and agencies). It may indirectly impose obligations on the individuals performing tasks on behalf of this administration or on a contractual basis (not including the Commissioners, the Representatives of Member States acting within the Council, the Members of the European Parliament, the Judges of the Union Courts or the Members of the European Court of Auditors).
This proposed Regulation does not apply to Member States.
Which categories of information are covered by this proposed Regulation?
This proposal covers non-classified and EU classified information and applies to the following confidentiality levels:
- three levels of non-classified information: public use, normal and sensitive non-classified;
- four levels of EUCI: RESTREINT UE/EU RESTRICTED, CONFIDENTIEL UE/EU CONFIDENTIAL, SECRET UE/EU SECRET, TRÈS SECRET UE/EU TOP SECRET.
Will the proposed rules be reviewed?
Every five years from the date of application, the Commission will evaluate the Regulation in order to assess its actual effects and the need for any further action.
Moreover, the Commission will regularly report to the European Parliament and to the Council on the implementation of this Regulation.
What are the next steps?
The Commission proposal will follow the ordinary legislative process in the European Parliament and Council for adoption.
The Informal Meeting of the Telecommunication Ministers in Nevers on 9 March 2022 called on the “EU institutions, agencies and bodies to further strengthen their cyber and information security as the EU has become a key strategic player whose role on the international stage requires to secure its data and networks against cyber threats.”
Documents
Impact analysis accompanying the proposal
JRC study on information security in the age of EU institutions digitalisation
Related links
The EU Security Union Strategy: European Security Union
Commission decisions
The objective of security in the Commission is to enable the Commission to operate in a safe and secure environment. To that end, the Commission provides for the security of persons, assets and information in the Commission on the basis of Commission Decision (EU, Euratom) 2015/443 on Security in the Commission and Commission Decision (EU, Euratom) 2015/444 on the security rules for protecting EU classified information. This particularly includes the physical integrity of persons and assets, the integrity, confidentiality and availability of information and of communication and information systems, as well as the unobstructed functioning of Commission operations.
In this context the Commission may need to process personal data. Any such processing activities comply with Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (Text with EEA relevance).
Privacy statements on security-relevant procedures are listed below:
Documents
- 19 April 2022 (PDF, French)
- 6 May 2020 (PDF, French)
- 19 April 2022
- 2 May 2020
- 7 April 2022