Considerations on COM(2022)119 - Information security in the institutions, bodies, offices and agencies of the Union

(1) Union institutions and bodies currently have their own information security rules, based on their rules of procedure or their founding act, or do not have such rules at all. In that context, each Union institution and body invests significant efforts in adopting different approaches, leading to a situation where exchange of information is not always reliable. The lack of a common approach hinders the deployment of common tools building on an agreed set of rules depending on the security needs of the information to be protected.

(2) While progress has been made towards more consistent rules for the protection of European Union classified information (‘EUCI’) and non-classified information, the interoperability of the relevant systems remains limited, preventing a seamless transfer of information between the different Union institutions and bodies. Further efforts should therefore be made to enable an interinstitutional approach to the sharing of EUCI and sensitive non-classified information, with common categories of information and common key handling principles. A baseline should also be envisaged to simplify procedures for sharing EUCI and sensitive non-classified information between Union institutions and bodies and with Member States.

(3) Therefore, relevant rules ensuring a common level of information security in all Union institutions and bodies should be laid down. They should constitute a comprehensive and coherent general framework for protecting EUCI and non-classified information, and should ensure equivalence of basic principles and minimum standards. 

(4) The recent pandemic caused a significant change in working practices with remote communication tools becoming the rule. Therefore, many procedures that were still at least partly paper-based were rapidly adjusted to enable electronic processing and exchanges of information. These developments require changes in the handling and protection of information. This Regulation takes account of the new working practices. 

(5) By creating a minimum common level of protection for EUCI and non-classified information, this Regulation contributes to ensuring that the Union institutions and bodies have the support of an efficient and independent administration in carrying out their missions. At the same time, each Union institution and body retains its autonomy in determining how to implement the rules laid down in this Regulation, in line with its own security needs. This Regulation shall in no case prevent Union institutions and bodies from fulfilling their mission, as entrusted by EU legislation, or encroach on their institutional autonomy.

(6) This Regulation is without prejudice to Regulation (Euratom) No 3/1958, Regulation No 31 (EEC), 11 (EAEC), laying down the Staff Regulations of Officials and the Conditions of Employment of other servants of the European Economic Community and the European Atomic Energy Community, Regulation (EC) 1049/2001 of the European Parliament and of the Council, Regulation (EU) 2018/1725 of the European Parliament and of the Council, Council Regulation (EEC, EURATOM) No 354/83, Regulation (EU, Euratom) 2018/1046 of the European Parliament and of the Council, Regulation (EU) 2021/697 of the European Parliament and of the Council, and Regulation (EU) [...] of the European Parliament and of the Council laying down measures for a high common level of cybersecurity at the institutions, bodies, offices and agencies of the Union.

(7) In order to preserve the specific nature of the European Atomic Energy Community activities regulated by Regulation 3/1958 of the Council of the European Atomic Energy Community, this Regulation should not apply to Euratom Classified Information. However, all information related to other Euratom activities not covered by Regulation 3/1958 should fall within the scope of this Regulation.

(8) With a view to establishing a formal structure for cooperation between Union institutions and bodies in the field of information security, it is necessary to set up an Interinstitutional Coordination Group (the ‘Coordination Group’) in which all Union institutions’ and bodies’ Security Authorities are represented. Without having decision-making powers, the Coordination Group should enhance the coherence of policies in the field of information security and should contribute to the harmonisation of information security procedures and tools across the Union institutions and bodies.

(9) The Coordination Group’s work needs the support of experts in different areas of information security: categorisation and marking, communication and information systems, accreditation, physical security, and sharing EUCI and exchanging classified information. In order to prevent duplication of effort across the Union institutions and bodies, thematic sub-groups should therefore be established. Moreover, where needed, the Coordination Group should be able to set up other sub-groups with specific tasks.

(10) The Coordination Group should closely cooperate with the National Security Authorities of the Member States with a view to enhancing information security in the Union. An Information Security Committee of the Member States should therefore be set up to provide advice to the Coordination Group.

(11) While the common bodies representing all Union institutions and bodies are set up based on the cooperation principle, each institution and body should remain fully responsible for the security of information within its organisation. Each Union institution and body should have a Security Authority and, where necessary, other authorities in charge of specific responsibilities related to information security.

(12) The principle of information security risk management should be at the core of the policy to be developed in the field by each Union institution and body. While the minimum requirements laid down in this Regulation must be met, each Union institution and body should adopt specific security measures for protecting information in accordance with the results of an internal risk assessment. In the same way, the technical means to protect the information should be adapted to the specific situation of each institution and body.

(13) Given the diversity of categories of non-classified information that the Union institutions and bodies have developed based on their own information security rules, and in order to avoid delay in the implementation of this Regulation, Union institutions or bodies should be able to maintain their own marking system for internal purposes or in the exchange of information with their particular counterparts from other institutions and bodies or from the Member States.

(14) With the purpose of adjusting to the new teleworking practices, the networks used for connecting to the Union institution’s or body’s remote access services should be protected by adequate security measures.

(15) Since Union institutions and bodies frequently make use of contractors and outsourcing, it is important to establish common provisions relating to contractors’ personnel carrying out tasks related to information security.

(16) The substantive rules regarding access to EUCI in the internal rules of various Union institutions and bodies are currently aligned, but there are significant differences as regards denominations and required procedures. This creates a burden for the National Security Authorities of the Member States who need to adjust to different requirements. Thus it is necessary to provide for a common glossary and common procedures in the area of personnel security, thereby simplifying cooperation with the National Security Authorities of the Member States and limiting the risk of compromising EUCI.

(17) Given the disparity of resources amongst Union institutions and bodies and in order to streamline their relevant procedures and practices, the security clearance tasks can be entrusted to the Commission in order to provide a continuation of a long-standing practice in the field of security clearance and contribute to the centralisation of the tasks assigned to each Security Authority.

(18) The protection of EUCI is also ensured by technical and organisational measures which apply to the premises, buildings, rooms, offices or facilities of the Union institutions and bodies where EUCI is discussed, handled or stored. This Regulation provides for the implementation of an information security management process in the area of physical security which would allow Union institutions and bodies to select the appropriate security measures for their sites.

(19) All Union institutions and bodies handling and storing EUCI should establish physically protected areas in their sites, in order to ensure the same level of protection for the relevant levels of EUCI classification handled and stored within. Those areas should be designated as Administrative Areas and Secured Areas and respect common minimum standards for the protection of EUCI.

(20) Originator control is an important principle in EUCI management; it therefore needs to be clearly stipulated and developed. In that regard, the creation of EUCI confers on the originator a responsibility which should cover the entire life cycle of the relevant EUCI document.

(21) Union institutions and bodies have traditionally developed their communication and information systems autonomously, with insufficient attention to their interoperability across all Union institutions and bodies. It is therefore necessary to establish minimum security requirements concerning the Communication and Information Systems (CISs) handling and storing both EUCI and non-classified information, with the aim of guaranteeing a seamless exchange of information with the relevant stakeholders.

(22) With the objective of achieving a single standard of accreditation of CISs handling and storing EUCI, the Union institutions and bodies should work together in a group set up for that purpose. It is recommended that all of them use that standard in order to contribute to a general level of EUCI protection. However, as regards organisational autonomy, the decision remains with the competent authority of each institution or body.

(23) All Union institutions and bodies should follow the same procedures and apply the same measures when awarding and implementing classified contracts or grant agreements. Thus it is necessary to clearly stipulate both the mandatory and the optional elements of classified contracts and grant agreements. However, the measures for the protection of EUCI in relation to classified contracts and grant agreements should take into account the rules already developed separately in the area by the Union institutions and bodies together with the Member States.

(24) The close cooperation between Union institutions and bodies, as well as the multitude of synergies developed among them, involves the sharing of a large amount of information. For the sake of classified information security, the trustworthiness of a Union institution or body should be assessed before it handles and stores a specified level of EUCI.

(25) Furthermore, the sharing of EUCI between the Union institutions and bodies and the exchange of classified information with international organisations and third countries should also be regulated by appropriate security measures for the protection of that information. Where agreements on security of information are envisaged, the provisions of Article 218 of the Treaty should apply. 

(26) While the agreements on security of information are meant to ensure the overall legal framework for the exchange of classified information of the Union with third countries and international organisations, it is also necessary to provide for the possibility for Union institutions and bodies to enter into administrative arrangements with a specific counterpart of a third country or of an international organisation for the purpose of exchanging EUCI.

(27) This Regulation establishes a framework common to all Union institutions and bodies. In order to avoid imposing an excessive administrative burden on the Union institutions and bodies in the process of adapting their internal security rules to the rules laid down in this Regulation, this Regulation should apply from 2 years after its entry into force.

(28) In accordance with paragraphs 22 and 23 of the Interinstitutional Agreement of 13 April 2016 on Better Law-Making, the Commission should evaluate this Regulation in order to assess its actual effects and the need for any further action. The Commission should submit to the European Parliament and to the Council a report on the implementation of this Regulation, at the latest 3 years from the date of application.

(29) The European Data Protection Supervisor was consulted in accordance with Article 42 of Regulation (EU) 2018/1725 of the European Parliament and of the Council and delivered an opinion on ...