New rules to boost cybersecurity and information security in EU institutions, bodies, offices and agencies

Today, the Commission proposed new rules to establish common cybersecurity and information security measures across the EU institutions, bodies, offices and agencies. The proposal aims to bolster their resilience and response capacities against cyber threats and incidents, as well as to ensure a resilient, secure EU public administration, amidst rising malicious cyber activities in the global landscape.

Commissioner for Budget and Administration, Johannes Hahn, said: “In a connected environment, a single cybersecurity incident can affect an entire organisation. This is why it is critical to build a strong shield against cyber threats and incidents that could disturb our capacity to act. The regulations we are proposing today are a milestone in the EU cybersecurity and information security landscape. They are based on reinforced cooperation and mutual support among EU institutions, bodies, offices and agencies and on a coordinated preparedness and response. This is a real EU collective endeavour.”

In the context of the COVID-19 pandemic and the growing geopolitical challenges, a joint approach to cybersecurity and information security is a must. With this in mind, the Commission has proposed a Cybersecurity Regulation and an Information Security Regulation. By setting common priorities and frameworks, these rules will further strengthen inter-institutional cooperation, minimise risk exposure and reinforce the EU security culture.

Cybersecurity Regulation

The proposed Cybersecurity Regulation will put in place a framework for governance, risk management and control in the cybersecurity area. It will lead to the creation of a new inter-institutional Cybersecurity Board, boost cybersecurity capabilities, and stimulate regular maturity assessments and better cyber-hygiene. It will also extend the mandate of the Computer Emergency Response Team for the EU institutions, bodies, offices and agencies (CERT-EU), as a threat intelligence, information exchange and incident response coordination hub, a central advisory body, and a service provider.

Key elements of the proposal for a Cybersecurity Regulation:

  • Strengthen the mandate of CERT-EU and provide the resources it needs to fulfil it;
  • Require all EU institutions, bodies, offices and agencies to:
    • Have a framework for governance, risk management and control in the area of cybersecurity;
    • Implement a baseline of cybersecurity measures addressing the identified risks;
    • Conduct regular maturity assessments;
    • Put in place a plan for improving their cybersecurity, approved by the entity’s leadership;
    • Share incident-related information with CERT-EU without undue delay.
  • Set up a new inter-institutional Cybersecurity Board to drive and monitor the implementation of the regulation and to steer CERT-EU;
  • Rename CERT-EU from ‘Computer Emergency Response Team’ to ‘Cybersecurity Centre’, in line with developments in the Member States and globally, but keep the short name ‘CERT-EU’ for name recognition.

Information Security Regulation

The proposed Information Security Regulation will create a minimum set of information security rules and standards for all EU institutions, bodies, offices and agencies to ensure an enhanced and consistent protection against the evolving threats to their information. These new rules will provide a stable ground for a secure exchange of information across EU institutions, bodies, offices and agencies and with the Member States, based on standardised practices and measures to protect information flows.

Key elements of the proposal for Information Security Regulation:

  • Set up efficient governance to foster cooperation across all EU institutions, bodies, offices and agencies, namely an inter-institutional Information Security Coordination Group;
  • Establish a common approach to information categorisation based on the level of confidentiality;
  • Modernise the information security policies, fully taking account of digital transformation and remote work;
  • Streamline current practices and achieve greater compatibility between the relevant systems and devices.

Background

In its resolution of March 2021, the Council of the European Union stressed the importance of a robust and consistent security framework to protect all EU personnel, data, communication networks, information systems and decision-making processes. This can only be achieved through enhanced resilience and an improved security culture in the EU institutions, bodies, offices and agencies.

Following the EU Security Union Strategy and the EU Cybersecurity Strategy, the Cybersecurity Regulation proposed today will ensure consistency with existing EU cybersecurity policies, in full alignment with current European legislation:

Considering the ever-increasing amounts of sensitive non-classified and EU classified information handled by EU institutions, bodies, offices and agencies, the proposed Information Security Regulation aims to increase the protection of the information, by streamlining the different legal frameworks of the Union institutions, bodies, offices and agencies in the field. The proposal is in line with:

  • The EU Security Union Strategy, which includes a comprehensive EU commitment to complement Member States’ efforts in all areas of security;
  • The key feature of the Strategic Agenda 2019-2024, adopted by the European Council in June 2019, of protecting our societies from the ever-evolving threats targeting the information handled by EU institutions, bodies and agencies;
  • The Conclusions of the General Affairs Council of December 2019, calling on the EU institutions, bodies and agencies, supported by Member States, to develop and implement a comprehensive set of measures to ensure their security.

For More Information

Proposal for a Regulation of the European Parliament and of the Council laying down measures on a high level of cybersecurity at the institutions, bodies, offices and agencies of the Union

Proposal for a Regulation of the European Parliament and of the Council on information security in the institutions, bodies, offices and agencies of the Union