Explanatory Memorandum to COM(2022)119 - Information security in the institutions, bodies, offices and agencies of the Union

1. CONTEXT OF THE PROPOSAL

Reasons for and objectives of the proposal

This proposal is part of the EU Security Union Strategy 1 adopted by the Commission on 24 July 2020 and laying down its commitment to bring the European Union's added value to the national efforts in the area of security. Part of this engagement is the initiative to streamline the internal legal frameworks for information security in all Union institutions and bodies.

A key feature of the Strategic Agenda for 2019-2024 adopted by the European Council in June 2019 is to protect our societies from the ever-evolving threats targeting the information handled by institutions and bodies. In its conclusions 2, the European Council called in particular on ‘the EU institutions, together with the Member States, to work on measures to enhance the resilience and improve the security culture of the European Union against cyber and hybrid threats from outside the EU, and to better protect the EU’s information and communication networks, and its decision-making processes, from malicious activities of all kinds’.

In the same line, the General Affairs Council of December 2019 3 concluded that the EU institutions and bodies, supported by Member States, should develop and implement a comprehensive set of measures to ensure their security. This echoes a long-standing request from the Council Security Committee to investigate a common core of security rules for the Council, the Commission and the European External Action Service 4.

Currently, the Union institutions and bodies either have their own information security rules, based on their Rules of Procedure or founding act, or they have no information security rules at all. The latter is mostly the case for some small entities, which lack any formal information security policies.

Due to the ever-increasing amounts of sensitive non-classified information and European Union classified information (‘EUCI’) that the Union institutions and bodies need to share between themselves, and considering the dramatic development of the threat landscape, the European administration is exposed to attack in all its areas of activity. The information handled by our institutions and bodies is very attractive to threat actors and needs to be appropriately protected. This requires swift action to enhance its protection.

Therefore and in order to increase the protection of the information handled by the European administration, this initiative aims to streamline the different legal frameworks of the Union institutions and bodies in the field by:

• Establishing harmonised and comprehensive categories of information, as well as common handling rules for all Union institutions and bodies,

• Setting up a lean cooperation scheme on information security between Union institutions and bodies able to foster a coherent information security culture across the European administration,

• Modernising the information security policies at all levels of classification/categorisation, for all Union institutions and bodies, taking into account the digital transformation and the development of teleworking as a structural practice.

Consistency with existing policy provisions in the policy area

This initiative is in accordance with a wide range of EU policies in the area of security and information security.

Back in 2016, the European Parliament and the Council adopted a Directive 5 concerning measures for a high common level of security of network and information systems across the Union. This Directive was the first EU-wide legislative measure meant to increase cooperation between Member States on cybersecurity. While the Commission adopted in December 2020 a proposal for the review of this instrument, introducing supervisory measures for the national authorities, the Union administration remains outside its scope.

In the same vein, and to complement the efforts of Member States in the area of security, it is of paramount importance that the Union institutions and bodies achieve a high level of protection for their information and the related Information and Communication Systems, with a view to safeguarding information security.

In July 2020, the Commission adopted the Security Union Strategy 6, with a comprehensive commitment from the EU to complement Member States’ efforts in all areas of security. This Strategy runs from 2020 to 2025 and outlines four main pillars of action: a future-proof security environment, tackling evolving threats, protecting Europeans from terrorism and organised crime, and a strong European security ecosystem. Several of the topics addressed under these pillars focus on security of information, cybersecurity, cooperation and information exchange, and critical infrastructure.

In line with the Security Union Strategy, the European Commission proposes the creation of a minimum set of rules on information security across all the Union institutions and bodies, which will trigger mandatory and high common standards for the secure exchange of information. This initiative represents the engagement of the institutions and bodies to set within the European administration the same level of ambition in the field of security as required from the Member States.

On 16 December 2020, the Commission and the High Representative for Foreign Affairs and Security Policy presented a new EU Cybersecurity Strategy 7. It set out priorities and key actions to build up Europe’s resilience, autonomy, leadership and operational capacity in the face of growing and complex threats to its network and information systems, and to advance a global and open cyberspace and the related international partnerships. It is equally important that the Union institutions and bodies contribute to the achievement of these priorities by establishing equivalent requirements in the field of both information security and cybersecurity.

This proposal, together with the proposal for a Regulation laying down measures for a high common level of cybersecurity at the institutions, bodies, offices and agencies of the Union, seeks to complete the regulatory picture of the Security Union Strategy with dedicated requirements for the European administration. In view of the interlinkages between information security and cybersecurity, a coherent approach to the protection of non-classified information should be ensured between these two proposals.

Consistency with other Union policies

This initiative also takes account of other Union policies that are relevant to information security.

In the area of data protection, Regulation (EU) 2018/1725 8 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data applies to the European Union and European Atomic Energy Community ('Euratom') administration. In the same line, for some Union institutions and bodies the EU legislators have adopted specific relevant rules for the protection of personal data.

In the area of transparency, this proposal builds on the principles enshrined in the Regulation (EC) No 1049/2001 9 regarding public access to European Parliament, Council and Commission documents, with respect to other relevant rules.

2. LEGAL BASIS, SUBSIDIARITY AND PROPORTIONALITY

Legal basis

Considering the objective and the content of this proposal, its most appropriate legal basis is Article 298 of the Treaty on the Functioning of the European Union (TFEU) and Article 106a of the Treaty establishing the European Atomic Energy Community.

Article 298 TFEU was introduced by the Lisbon Treaty and enables the legislators to establish provisions with a view to creating an efficient and independent administration that will support the institutions, bodies, offices and agencies in carrying out their mission.

An efficient and independent administration relies on the security of its information. With a view to achieving their mission, the Union institutions and bodies shall benefit from a secure environment for the information they handle and store on a daily basis. In addition, providing a common baseline of standards mandatory for all would guarantee a high level of security, reduce the risk of weak links in supporting interoperability among institutions and bodies and leverage synergies thus enhancing the administration’s resilience facing evolving threats.

Furthermore, with the overall aim of achieving a high common level of security for the EUCI and non-classified information handled and stored by the Union institutions and bodies, this proposal enables the European administration to better protect itself from external interference and spying activities.

Article 298 TFEU enables the Union to establish common rules for the whole of the European administration to ensure that all Union institutions and bodies treat EUCI and non-classified information similarly. As such, this Regulation lays down rules applicable to the administration and may indirectly impose obligations only on the individuals performing tasks on behalf of this administration or on a contractual basis (not including the Commissioners, the Representatives of Member States acting within the Council, the Members of the European Parliament, the Judges of the Union Courts or the Members of the European Court of Auditors).

According to Article 298 TFEU, the European Parliament and the Council shall act by means of a regulation and in accordance with the ordinary legislative procedure.

This proposal needs an additional legal basis as it also covers the information related to some activities of the European Atomic Energy Community. Such information is not Euratom Classified Information, but it is treated by the Union institutions and bodies under the general regime of EUCI.

This additional legal basis is Article 106a of the Treaty establishing the European Atomic Energy Community, which renders Article 298 TFEU applicable to the above-mentioned Euratom activities as well.

Subsidiarity (for non-exclusive competence)

According to the principle of subsidiarity laid down in Article 5(3) of the Treaty on European Union, action at EU level should be taken only when the aims envisaged cannot be achieved sufficiently by Member States alone and can therefore, by reason of the scale or effects of the proposed action, be better achieved by the EU.

Since only the Union can adopt rules governing EUCI and sensitive non-classified information handled and stored by the Union institutions and bodies, the subsidiarity principle does not apply.

Proportionality

The establishment of a common baseline of information security for all Union institutions and bodies is necessary to contribute to an independent and efficient administration.

In accordance with the principle of proportionality laid down in Article 5 TEU, the provisions of the Regulation are not overly prescriptive and leave room for different levels of specific action, in line with the security maturity level of each Union institution and body.

Furthermore, the solution has limited impact on fundamental rights of individuals. Hence, the proposal does not go beyond what is necessary to address the problem of not having a common set of information security rules for all Union institutions and bodies.

Choice of the instrument

A regulation based on Article 298 of the TFEU is considered the appropriate legal instrument.

It is justified by the predominance of elements that require uniform application, leaving no margin of implementation to the Union institutions and bodies and creating a minimum horizontal framework.

3. RESULTS OF EX-POST EVALUATIONS, STAKEHOLDER CONSULTATIONS AND IMPACT ASSESSMENTS

Ex-post evaluations/fitness checks of existing legislation

Not applicable

Stakeholder consultations

The Commission has carried out a broad consultation of the key stakeholders on various aspects related to information security rules of the Union institutions and bodies. The overall aim of the consultation activities was to collect relevant input for the preparation of a legislative initiative on information security rules common to all Union institutions and bodies. The consultations sought to collect inputs on:

• Problems related to the existing framework of information security within the Union institutions and bodies that stakeholders consider should be addressed in the initiative;

• The relevance, effectiveness, efficiency and added value of the initiative;

• The anticipated impacts of the initiative and possible other consequences for the stakeholders.

In preparation of this legislative proposal, the Commission has consulted the following categories of stakeholders:

1. Union institutions, bodies, offices and agencies;

2. National security authorities in the Member States;

3. Research experts from JRC.

Given the particular characteristics of this initiative, which is exclusively applicable to the Union institutions and bodies, with little impact on European citizens and businesses, Commission services chose to prioritise the collection of viewpoints from the relevant stakeholder groups. As such, no public consultation was conducted specifically for this legislative initiative.

Over the course of the consultation process, Commission services used the following methods and forms of consultation:

1. An opportunity for all interested parties to provide feedback on the Inception Impact Assessment via the Commission’s ‘Have your say’ platform;

2. A targeted questionnaire addressed to the information security experts within the Union institutions and bodies via online EU survey;

3. A targeted questionnaire addressed to the Member States national security authorities via online EU survey;

4. A request for a tailored risk assessment of the core information security assets; and

5. Numerous meetings and exchanges with counterparts from institutions, bodies, offices and agencies, as well as from the Member States national security authorities.

As main inputs from the consultation activities, the Commission highlights the following:

• The fragmentation of the relevant legal frameworks between our institutions and bodies creates significant duplication of efforts for creating and maintaining internal rules as well as non-interoperable practices in handling information. For the Member States, the diversity of these rules increases the risks of misunderstanding, misinterpreting and non-compliance;

• While establishing a baseline of information security for all Union institutions and bodies would create an ecosystem with standardised security rules and implemented best practices, the diversity and the different business environment of each Union institution and body shall be taken into account and local solutions should be allowed;

• This initiative needs to respect the autonomy and the different security maturity levels of each Union institution and body, which will remain fully responsible for their own organisation of information security.

Collection and use of expertise

The Commission used its own resources to perform the stakeholder consultation. The Security Directorate of DG HR carried out the related work on the surveys, videoconferences and other workshops. This task involved the selection of participants, the organisation of events and the processing of the input received.

The Joint Research Centre (JRC) performed a risk assessment of the main information security assets, which was used as a basis for the impact analysis.

Impact assessment

This initiative is exclusively addressed to the Union institutions and bodies and has a limited impact on the Member States and individuals. Therefore, it was not necessary to perform a thorough impact assessment, as there were no clearly identifiable or significant impacts on citizens and businesses. A comprehensive Roadmap was published on the Europa website and gathered feedback from the relevant stakeholders.

Regulatory fitness and simplification

Not applicable

Fundamental rights

The EU is committed to ensuring high standards of protection of fundamental rights. This initiative ensures full compliance with the fundamental rights enshrined in the Charter of Fundamental Rights of the European Union 10, as follows:

• The right to good administration 11

By enhancing the security of information they handle when treating the affairs of European citizens, the Union institutions and bodies contribute to the achievement of the principle of good administration.

• Protection of personal data 12

All processing of personal data in the framework of this proposal would be conducted in trusted environments and in full respect of the Regulation (EU) 2018/1725 of the European Parliament and of the Council.

• Right of access to documents 13

Public access to EUCI and sensitive non-classified documents remains fully governed by Regulation (EC) 1049/2001 of the European Parliament and of the Council.

• Right to intellectual property 14

While handling and storing non-classified information and EUCI, the Union institutions and bodies protect intellectual property in accordance with Directive 2001/29/EC of the European Parliament and of the Council 15.

• Freedom of expression and information 16

While everybody has the freedom to receive and share information and ideas without interference by public authority, this shall not prevent the Union from establishing the conditions for accessing, handling and storing certain types of information, based on their confidentiality level.

The exercise of these freedoms may be subject to conditions and restrictions provided by law and necessary in a democratic society, in order to prevent the disclosure of information received in confidence and in the interest of EU security.

4. BUDGETARY IMPLICATIONS

This proposal requires the assignment of one AD official and one AST assistant for the permanent Secretariat of the Coordination Group which is provided by the Commission, in the Security Directorate of the Directorate-General for Human Resources and Security.

For the institutions and bodies, cost savings are expected from shared and collaborative tasks as well as from preventing the potential economic damage resulting from security incidents, thanks to improvements in information security. On the other hand, the financial effort required to implement the new legislation can be covered as part of the existing information security improvement programmes in each Union institution and body.

5. OTHER ELEMENTS

Implementation plans and monitoring, evaluation and reporting arrangements

The proposal obliges the Commission to report every 3 years to the European Parliament and to the Council on the implementation of this Regulation, including the functioning of the governance set up by this Regulation.

Moreover, every 5 years, the Commission shall evaluate this Regulation with a view to assessing its actual performance and, based on this, whether any modification to the legislation is necessary.

Detailed explanation of the specific provisions of the proposal

This proposal is structured around the requirements for handling and storing non-classified information and EUCI, which are the main subjects of the initiative and whose enhanced protection represents its underlying purpose.

Subject and scope (Article 1 and Article 2)

This Regulation is set to create a minimum set of information security rules applicable to all Union institutions and bodies.

It applies to all information handled and stored by the Union institutions and bodies, including the information related to European Atomic Energy Community activities, other than Euratom Classified Information. Both the non-classified information and the EUCI are covered by this Regulation.

Definitions and general principles (Articles 3 to 5)

The definitions provided under Article 3 are based on the current rules on information security adopted separately by the Union institutions and bodies.

Besides the general principles of Union legislation (transparency, proportionality, efficiency and accountability), this Regulation provides for the main binding guidelines, such as a separate information security risk management process carried out by each Union institution and body and the assessment of their information so that it is properly categorised.

Governance and organisation of security (Articles 6 to 8)

All Union institutions and bodies shall cooperate in an Interinstitutional Information Security Coordination Group, which acts by consensus and in the common interest of the Union institutions and bodies.

The Coordination Group gathers the Security Authorities of all institutions and bodies and establishes guidance documents on the implementation of this Regulation. It liaises regularly with the National Security Authorities of the Member States, gathered in an Information Security Committee.

Five sub-groups composed of experts representing different institutions and bodies are set up with a view to streamlining the procedures and other practical aspects related to information security.

Each Union institution and body is required to designate a Security Authority, which is responsible for defining internal policies on information security and for implementing them. The Security Authority establishes specific functions such as the Information Assurance Authority, the Information Assurance Operational Authority, the Security Accreditation Authority, the TEMPEST Authority, the Crypto Approval Authority and the Crypto Distribution Authority, which may be delegated to another institution or body for reasons of efficiency or resources.

Information assurance and communication and information systems (Articles 9 to 11)

The Regulation establishes a sub-group on information assurance with the objective of enhancing the coherence across the Union institutions and bodies between the information security rules and the cybersecurity baseline as defined by the Regulation laying down measures for a high common level of cybersecurity at the institutions, bodies, offices and agencies of the Union.

The Union institutions and bodies are required to comply with the principles mentioned under these articles and adopt separate internal rules for specific security measures, adjusted to their own security environment.

Non-classified information (Articles 12 to 17 and Annex I)

The Regulation provides for 3 categories of non-classified information: information for public use, normal information and sensitive non-classified information. All categories are defined, while markings and handling conditions are stipulated for protecting such information.

With a view to coordinating the work on equivalence between particular categories established by some Union institutions and bodies and common categories provided by the Regulation, the proposal sets up a sub-group on non-classified information.

EUCI (Articles 18 to 58 and Annexes II to VI)

As the most voluminous chapter of the proposal, this chapter is structured in seven sections, as follows: General provisions, Personnel security, Physical security, Management of EUCI, Protection in communication and information systems, Industrial security, and Sharing EUCI and exchanging classified information.

The section on general provisions provides for four levels of EUCI: TRES SECRET UE/EU TOP SECRET, SECRET UE/EU SECRET, CONFIDENTIEL UE/EU CONFIDENTIAL and RESTREINT UE/EU RESTRICTED, and provides for an obligation of Union institutions and bodies to take the necessary security measures in accordance with the results of an information security risk management process.

Each of the remaining sections focuses on the standards of EUCI protection in its specific area. The details of this protection of EUCI are specified in Annexes II to V. Annex VI provides the table of equivalence of EUCI with the security classifications of the Member States and the European Atomic Energy Community.

With the aim to streamline the relevant processes in the field and to avoid duplication of effort, the Regulation sets up sub-groups on information assurance, on non-classified information, on physical security, on accreditation of communication and information systems handling and storing EUCI and on EUCI sharing and exchange of classified information.

Final provisions (Articles 59 to 62)

The final provisions ensure the transition from the current rules and procedures to the new legal framework set by this Regulation. They concern the internal rules on information security currently applicable in the Union institutions and bodies, the recognition of assessment visits carried out before the start of application of the Regulation, the treatment of previously concluded administrative arrangements and the continuation of specific security frameworks applicable to grant agreements.

This Regulation is set to apply 2 years after the date of its entry into force.