Explanatory Memorandum to COM(2022)122 - Measures for a high common level of cybersecurity at the institutions, bodies, offices and agencies of the Union - Main contents
Please note
This page contains a limited version of this dossier in the EU Monitor.
dossier | COM(2022)122 - Measures for a high common level of cybersecurity at the institutions, bodies, offices and agencies of the Union. |
---|---|
source | COM(2022)122 |
date | 22-03-2022 |
1. CONTEXT OF THE PROPOSAL
• Reasons for and objectives of the proposal
This proposal establishes a framework for ensuring common cybersecurity rules and measures among the Union institutions, bodies and agencies. It aims at further improving all entities’ resilience and incident response capacities. It is in line with the Commission’s priorities to make Europe fit for the digital age and to build a future-ready economy that works for the people. Moreover, ensuring a secure and resilient public administration is a cornerstone in the digital transformation of society as a whole.
This proposal builds on the EU Security Union Strategy (COM(2020) 605 final) and the EU’s Cybersecurity Strategy for the Digital Decade (JOIN(2020) 18 final).
The proposal modernises the existing CERT-EU legal framework and takes account of the changed and increased digitisation of the institutions, bodies and agencies in recent years as well as the evolving cybersecurity threat landscape. Both developments have been further amplified since the onset of the COVID-19 crisis, while the number of incidents continues to rise, with increasingly sophisticated attacks coming from a wide range of sources.
The proposal renames CERT-EU from ‘Computer Emergency Response Team’ to ‘Cybersecurity Centre’ for the Union institutions, bodies and agencies, in line with developments in the Member States and globally, where many CERTs are renamed as Cybersecurity Centres, but keeps the short name ‘CERT-EU’ because of name recognition.
• Consistency with existing policy provisions in the policy area
This proposal is aimed at increasing the cybersecurity resilience of the Union institutions, bodies and agencies against cyber threats, while aligning with existing legislation:
·Directive (EU) 2016/1148 concerning measures for a high common level of security of network and information systems across the Union. It also aligns with the proposal for a Directive (EU) XXXX/XXXX on measures for a high common level of cybersecurity across the Union, repealing Directive (EU) 2016/1148 [proposal NIS 2].
·Regulation (EU) 2019/881 on the European Union Agency for Cybersecurity and on information and communications technology cybersecurity certification (Cybersecurity Act).
·Proposal for a Regulation (EU) XXXX/XXXX on information security in the institutions, bodies, offices and agencies of the Union.
·Commission Recommendation of 23 June 2021 on building a Joint Cyber Unit.
·Commission Recommendation (EU) 2017/1584 of 13 September 2017 on coordinated response to large-scale cybersecurity incidents and crises.
The Annex to Commission Recommendation (EU) 2017/1584 of 13 September 2017 on coordinated response to large-scale cybersecurity incidents and crises sets out the Blueprint for coordinated response to large-scale cross-border cybersecurity incidents and crises.
In its resolution from 9 March 2021, the Council of the European Union stressed that cybersecurity is vital for the functioning of public administration at both national and EU level as well as for society and economy as a whole, underlining the importance of a robust and consistent security framework to protect all EU personnel, data, communication networks, information systems and decision-making processes. In particular, this is to be achieved through enhanced resilience and improved security culture of the Union institutions, bodies and agencies. Sufficient resources and capabilities are to be made available, including in the context of the reinforcement of the mandate of CERT-EU.
2. LEGAL BASIS, SUBSIDIARITY AND PROPORTIONALITY
• Legal basis
The legal basis for this Regulation is Article 298 of the Treaty on the Functioning of the European Union (TFEU) which provides that in carrying out their missions, the institutions, bodies, offices and agencies of the Union shall have the support of an open, efficient and independent European administration. In compliance with the Staff Regulations and the Conditions of Employment adopted on the basis of Article 336, the European Parliament and the Council, acting by means of regulations in accordance with the ordinary legislative procedure, shall establish provisions to that end.
Information technology has provided new ways for Union institutions, bodies and agencies to work, interact with citizens and improve overall operations. As technology continues to evolve, the cyber threat landscape evolves along with it. Union institutions, bodies and agencies have become highly attractive targets of sophisticated cyberattacks. The establishment of systems and requirements to ensure cybersecurity appears to be contributing to the efficiency and the independence of the European administration, so that Union institutions, bodies, offices and agencies can operate in a more efficient manner in a digital world in the conduct of their missions.
Moreover, current disparities, as explained in section 3 below, among Union institutions, bodies and agencies’ cybersecurity posture and approach in the area of cybersecurity are further obstacles to an open, efficient and independent European administration. Without a common approach, the cybersecurity posture among Union institutions, bodies and agencies would continue to develop in divergent directions. This legal basis is therefore appropriate given that the Regulation aims to create a common legal framework for cybersecurity within Union institutions, bodies, offices and agencies.
• Subsidiarity
The Regulation laying down measures for a high common level of cybersecurity at the institutions, bodies, offices and agencies of the Union is within the remits of the Union’s exclusive competence.
• Proportionality
The rules proposed in this Regulation do not go beyond what is necessary to meet the specific objectives satisfactorily. The envisaged measures will contribute to achieving a high common level of cybersecurity without exceeding what is necessary to achieve the objective in light of the increasingly high risks they face.
• Choice of the instrument
The choice of a Regulation, which is directly applicable, is considered the appropriate legal instrument to define and streamline the obligations imposed on Union institutions, bodies and agencies. In order to allow for targeted improvements, a regulation is the most appropriate legal instrument.
3. RESULTS OF EX-ANTE EVALUATIONS, STAKEHOLDER CONSULTATIONS AND IMPACT ASSESSMENTS
• Ex-ante evaluations
CERT-EU has conducted an assessment of the principal cyber threats to which Union institutions, bodies and agencies are currently exposed or are likely to be exposed to in the foreseeable future.
Three categories of observations were used in the analysis:
·Attempts to breach Union institutions, bodies and agencies’ IT infrastructure (when successful, they are treated as incidents, in the other cases they are still recorded as detected attempts).
·Threats detected in the proximity of Union institutions, bodies and agencies (e.g. in their related sectors, their stakeholder communities or in Europe).
·Major threat trends observed globally.
Furthermore, the analysis considered how major ongoing shifts are affecting the ways in which Union institutions manage and use their IT infrastructure and services. Such shifts include:
·Increased teleworking.
·Migration of systems to the cloud.
·Increased outsourcing of IT services.
From 2019 to 2021, the number of significant incidents 1 affecting Union institutions, bodies and agencies, authored by advanced persistent threat (APT) actors, has surged dramatically. The first half of 2021 saw the equivalent in significant incidents as in the whole of 2020. This is also reflected in the number of forensics images (snapshots of the contents of affected systems or devices) CERT-EU analysed in 2020, which tripled in comparison to 2019, while the number of significant incidents rose more than ten-fold since 2018.
In 2020, CERT-EU’s Steering Board set a new strategic aim for CERT-EU to guarantee a comprehensive level of cyber defence for all institutions, bodies and agencies with suitable breadth and depth and continuous adaptation to current or impending threats, including attacks against mobile devices, cloud environments and internet-of-things devices.
Complementary to the CERT-EU threat analysis, the Commission has carried out an evaluation of the cybersecurity functioning of 20 Union institutions, bodies and agencies. This provided insight into established cybersecurity practices, and cybersecurity management capabilities with external benchmarking of some technical security controls.
This evaluation was based on questionnaires to which these institutions, bodies and agencies responded, publicly available data, and data provided directly by the Union institutions, bodies and agencies themselves. It provides sufficient insights in the current situation to conclude:
·Cybersecurity maturity, IT infrastructure size and levels of capability vary substantially among the evaluated Union institutions, bodies and agencies.
·Whereas there are mature detection and response capabilities among many Union institutions, bodies and agencies in general, there are varying levels of integrated risk management in their cybersecurity governance capabilities.
·Whereas in general cybersecurity frameworks (strategy, policy and a base of rules) of the evaluated Union institutions, bodies and agencies are well established in the key cybersecurity domains, listed in the Annex I of the Regulation, some Union institutions, bodies and agencies lack mature business continuity management, compliance, audit and continuous improvement.
·Technical measures considered best practices were found to be unevenly applied by the evaluated Union institutions, bodies and agencies.
In summary, the analysis of the 20 Union institutions, bodies and agencies shows that their governance, cyber-hygiene, overall capability and maturity vary over a broad spectrum. Therefore, requiring all Union institutions, bodies and agencies to implement a baseline of cybersecurity measures is instrumental to address this disparity in maturity and to bring all Union institutions, bodies and agencies to a high common level of cybersecurity.
No Union legislation has so far focussed on the cybersecurity of Union institutions, bodies and agencies and has comprehensively tackled the cybersecurity threat landscape and the emerging IT risks driven by digitalisation.
• Stakeholder consultations
The Commission has consulted stakeholders throughout the Union institutions, bodies and agencies as well as representatives of Member States in the Council and stakeholders in the European Parliament. On 25 June 2021, representatives of Member States and relevant stakeholders from the Union institutions, bodies and agencies participated in a workshop organised by the Commission to discuss the content of the future proposal for Regulation.
•Impact assessment
The impact of the present proposal will fall on Union institutions, bodies and agencies. This renders a specific impact assessment not necessary as it will not apply to Member States.
• Fundamental rights
The European Union is committed to ensuring high standards of protection of fundamental rights. All information sharing based on this Regulation would be conducted in trusted environments in full respect of the right to the protection of personal data as laid down in Article 8 of the Charter of Fundamental Rights of the European Union and the relevant data protection legislation, notably Regulation (EU) 2018/1725 of the European Parliament and of the Council.
4. BUDGETARY IMPLICATIONS
Market benchmarks and studies 2 show that direct cybersecurity spending has tended to vary between 4 and 7% of the aggregated IT expenditures of organisations. However, the threat analysis undertaken by CERT-EU in support of this legislative proposal indicates that international bodies and political organisations face increased risks and therefore a level of 10% of IT spending on cybersecurity would seem a more adequate target. The exact cost of such efforts cannot be determined due to the lack of detailed information on IT expenditure of the Union institutions, bodies and agencies and the relevant share of cybersecurity spending.
While it is therefore likely that many Union institutions, bodies and agencies spend less on cybersecurity than they should, this Regulation will not cause as such an increase in that current expenditure. Even without the Regulation each entity would need to ensure an adequate level of cybersecurity. The Regulation continues the previous cooperation in the Steering Board of CERT-EU and formalises a layer of information exchange already partly existing today. As detailed in the legislative financial statement, CERT-EU will require additional resources to fulfil its expanded role and these resources should be reallocated from the Union institutions, bodies and agencies benefitting from CERT-EU’s services.
5. OTHER ELEMENTS
·Implementation, monitoring, evaluation and reporting arrangements
The Interinstitutional Cybersecurity Board (IICB), with the assistance of CERT-EU, should review the functioning of this Regulation, carry out evaluations, and present a report with its findings to the Commission. The Commission should ensure regular reporting to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions.
CERT-EU can draft a proposal for a guidance document or a recommendation, which the IICB can choose to adopt. A guidance document is an advisory directed towards all or a subset of the Union institutions, bodies and agencies whereas a recommendation is directed towards individual Union institutions, bodies and agencies. A call for action is a CERT-EU advisory describing urgent security measures which Union institutions, bodies and agencies are urged to take within a set timeframe.
·Detailed explanation of the specific provisions of the proposal
Contents
The Regulation lays down measures with a view to ensuring a high common level of cybersecurity and it applies to the Union institutions, bodies and agencies to enable them to carry out their respective missions in an open, efficient and independent way. (Articles 1-3, 23-25)
Measures for a high common level of cybersecurity
Union institutions, bodies and agencies are obliged to establish an internal cybersecurity risk management, governance and control framework that ensures an effective and prudent management of all cybersecurity risks. The institutions, bodies and agencies shall moreover adopt a cybersecurity baseline to address the risks identified under the framework, carry out regular cybersecurity maturity assessments and adopt a cybersecurity plan. (Articles 4-8)
Interinstitutional Cybersecurity Board
The Interinstitutional Cybersecurity Board is established and shall be responsible for monitoring the implementation of this Regulation by the Union institutions, bodies and agencies as well as supervising the implementation of general priorities and objectives by CERT-EU and providing strategic direction to CERT-EU. (Articles 9-11).
CERT-EU shall contribute to the security of the IT environment of all Union institutions, bodies and agencies by advising them, by helping to prevent, detect, mitigate and respond to incidents and by acting as their cybersecurity information exchange and incident response coordination hub. (Articles 12-17)
Cooperation and reporting obligations
The Regulation ensures cooperation and the exchange of information among CERT-EU, and the Union institutions, bodies and agencies to develop trust and confidence. To this end CERT-EU may request Union institutions, bodies and agencies to provide it with relevant information and CERT-EU may exchange incident-specific information with Union institutions, bodies and agencies to facilitate detection of similar cyber threats or incidents without the consent of the affected constituent. CERT-EU may only exchange incident-specific information which reveals the identity of the target of the cybersecurity incident with the consent of the affected constituent.
Notably, all Union institutions, bodies and agencies shall notify CERT-EU of significant cyber threats, significant vulnerabilities and significant incidents without undue delay and in any event no later than 24 hours after becoming aware of them. (Articles 18-22)