Annexes to COM(2022)122 - Measures for a high common level of cybersecurity at the institutions, bodies, offices and agencies of the Union


agreements: 24 FTE,

- total 38 FTE.

CERT-EU budget in 2020 was: EUR 250 000 under the Commission Budget, EUR 3.5 million through assigned revenues from service level agreements. Total: EUR 3.75 million. This constituted the entire CERT-EU budget covering training, hardware, software, missions, support, contract agents and conferences.

Once the Regulation is in force, the future resources of CERT-EU are foreseen to be:

- permanent posts: 34 FTE,

- contract agents: 15 FTE,

- total 49 FTE, thus a net increase of 11 FTE.

The change in ratio between permanent posts and contract agents addresses the pertinent stumbling block of hiring and retaining senior cybersecurity professionals due to their scarcity on the labour market.

In addition, 1 FTE contract agent will be required within the Commission’s Directorate-General for Informatics to support the IICB (Interinstitutional Cybersecurity Board).

In total, 21 additional FTE will thus be required to implement the Regulation (20 FTE for CERT-EU and 1 for the Commission’s Directorate-General for Informatics). This will be compensated by a parallel reduction of 9 FTE contract agents in CERT-EU who were previously financed through assigned revenue from service level agreements.

The CERT-EU non-human resources budget in 2024, after the transition period, will cover the tasks listed above under (a) through (e) and is foreseen to be funded as follows:

- EUR 8.921 million per year from the Union institutions financed under Union budget Heading 7,

- EUR 2.459 million from Union institutions, bodies and agencies financed under Union budget Headings 1 to 6,

- EUR 2.670 million from self-financed Union institutions, bodies and agencies.

- Total CERT-EU budget: EUR 14.05 million.

The tasks listed in Article 12.5 are not described in the CERT-EU service catalogue; they are chargeable services. These services are ancillary, represent relatively low amounts and are mostly temporary, and their costs will be recovered from the beneficiaries through service level agreements or written agreements.

With regard to contributions to the staff of CERT-EU: the Union institutions and main bodies shall contribute a fair share in proportion to their respective share of permanent AD posts. It should be examined whether the ECB and the EIB can also contribute a fair share through secondment of permanent staff.

2. MANAGEMENT MEASURES 

2.1. Monitoring and reporting rules

Specify frequency and conditions.

The Commission, with the help of the IICB and CERT-EU, will periodically review the functioning of the Regulation and report to the European Parliament and the Council, the first time no later than 48 months after the entry into force of this Regulation, and thereafter every three years.

The data sources used for the reviews would mostly be from the IICB and CERT-EU. In addition, specific data gathering tools could be used when needed, e.g. surveys of the Union institutions, bodies and agencies, ENISA or the CSIRTs Network.

2.2. Management and control system(s)

2.2.1. Justification of the management mode(s), the funding implementation mechanism(s), the payment modalities and the control strategy proposed

Actions deriving from the Regulation will be managed within each Union institution, body and agency in accordance with their relevant applicable rules and regulations.

Administrative and financial management of CERT-EU activities is embedded within the Commission administration and follows its applicable management and implementation mechanisms, payment modalities and controls.

The Commission’s internal auditor exercises the same powers over CERT-EU as over the Commission departments.

2.2.2. Information concerning the risks identified and the internal control system(s) set up to mitigate them

Very low risk, as CERT-EU is already attached administratively as a Commission Taskforce to the Director-General for Informatics, and the IICB is modelled on the current CERT-EU Steering Board. The ecosystem for financial management and internal control is thus already in place.

2.2.3. Estimation and justification of the cost-effectiveness of the controls (ratio of ‘control costs ÷ value of the related funds managed’), and assessment of the expected levels of risk of error (at payment & at closure)

Procedures for procurement, financial management and control are already in place and well tested. Cost-effectiveness of controls and the levels of risk of error correspond to those in each Union institution, body or agency, and to those of the Commission for CERT-EU activities.

2.3. Measures to prevent fraud and irregularities

Specify existing or envisaged prevention and protection measures, e.g. from the Anti-Fraud Strategy.

The financial management and internal control systems of the Commission apply for CERT-EU activities.

In order to combat fraud, corruption and other unlawful activities, the provisions of Regulation (EU, Euratom) No 883/2013 of the European Parliament and of the Council of 11 September 2013 concerning investigations conducted by the European Anti-Fraud Office (OLAF) apply without restriction.

3. ESTIMATED FINANCIAL IMPACT OF THE PROPOSAL/INITIATIVE 

3.1. Heading(s) of the multiannual financial framework and expenditure budget line(s) affected

- Existing budget lines

In order of multiannual financial framework headings and budget lines.

| Heading of multiannual financial framework | Budget line (number) | Type of expenditure (Diff./Non-diff.) (13) | Contribution from EFTA countries (14) | Contribution from candidate countries (15) | Contribution from third countries | Contribution within the meaning of Article 21(2)(b) of the Financial Regulation |
|---|---|---|---|---|---|---|
| 1 to 6 | Budget lines covering Union contributions to decentralised agencies and bodies | Diff. | NO | NO | NO | NO |
| 7 | Budget lines covering staff remunerations, IT expenditure and other administrative expenditure in the different Sections of the EU budget | Non-diff. | NO | NO | NO | NO |

- New budget lines requested

In order of multiannual financial framework headings and budget lines.

| Heading of multiannual financial framework | Budget line (number) | Type of expenditure (Diff./Non-diff.) | Contribution from EFTA countries | Contribution from candidate countries | Contribution from third countries | Contribution within the meaning of Article 21(2)(b) of the Financial Regulation |
|---|---|---|---|---|---|---|
| None | | | YES/NO | YES/NO | YES/NO | YES/NO |

3.2. Estimated financial impact of the proposal on appropriations

3.2.1. Summary of estimated impact on operational appropriations

–    The proposal/initiative does not require the use of operational appropriations

–    The proposal/initiative requires the use of operational appropriations, as explained below:

EUR million (to three decimal places)

Heading of multiannual financial framework: 1 to 6 (Headings covering contributions to decentralised agencies and bodies)

| DG: Several | | Year 2023 | Year 2024 | Year 2025 | Year 2026 | Year 2027 | TOTAL |
|---|---|---|---|---|---|---|---|
| Operational appropriations | | | | | | | |
| Budget lines covering Union contributions to decentralised agencies (xx 10 xx xx) (16) | Commitments (1a) | 2.459 | 2.459 | 2.459 | 2.459 | 2.459 | 12.293 |
| | Payments (2a) | 2.459 | 2.459 | 2.459 | 2.459 | 2.459 | 12.293 |
| Appropriations of an administrative nature financed from the envelope of specific programmes (17) | Budget line (3) | | | | | | |
| TOTAL appropriations for DG: Several | Commitments = 1a + 1b + 3 | 2.459 | 2.459 | 2.459 | 2.459 | 2.459 | 12.293 |
| | Payments = 2a + 2b + 3 | 2.459 | 2.459 | 2.459 | 2.459 | 2.459 | 12.293 |
| TOTAL operational appropriations | Commitments (4) | 2.459 | 2.459 | 2.459 | 2.459 | 2.459 | 12.293 |
| | Payments (5) | 2.459 | 2.459 | 2.459 | 2.459 | 2.459 | 12.293 |
| TOTAL appropriations of an administrative nature financed from the envelope for specific programmes | (6) | | | | | | |
| TOTAL appropriations under HEADINGS 1 to 6 of the multiannual financial framework | Commitments = 4 + 6 | 2.459 | 2.459 | 2.459 | 2.459 | 2.459 | 12.293 |
| | Payments = 5 + 6 | 2.459 | 2.459 | 2.459 | 2.459 | 2.459 | 12.293 |

If more than one operational heading is affected by the proposal / initiative, repeat the section above:

| | | Year 2023 | Year 2024 | Year 2025 | Year 2026 | Year 2027 | TOTAL |
|---|---|---|---|---|---|---|---|
| TOTAL operational appropriations (all operational headings) | Commitments (4) | 2.459 | 2.459 | 2.459 | 2.459 | 2.459 | 12.293 |
| | Payments (5) | 2.459 | 2.459 | 2.459 | 2.459 | 2.459 | 12.293 |
| TOTAL appropriations of an administrative nature financed from the envelope for specific programmes (all operational headings) | (6) | | | | | | |
| TOTAL appropriations under HEADINGS 1 to 6 of the multiannual financial framework (Reference amount) | Commitments = 4 + 6 | 2.459 | 2.459 | 2.459 | 2.459 | 2.459 | 12.293 |
| | Payments = 5 + 6 | 2.459 | 2.459 | 2.459 | 2.459 | 2.459 | 12.293 |


Heading of multiannual financial framework: 7 ‘Administrative expenditure’

This section should be filled in using the 'budget data of an administrative nature' to be firstly introduced in the Annex to the Legislative Financial Statement (Annex V to the internal rules), which is uploaded to DECIDE for interservice consultation purposes.

EUR million (to three decimal places)

| DG: DIGIT (CERT-EU) | Year 2023 | Year 2024 | Year 2025 | Year 2026 | Year 2027 | TOTAL |
|---|---|---|---|---|---|---|
| Human resources | 1.184 | 2.126 | 2.754 | 3.225 | 3.225 | 12.514 |
| Other administrative expenditure | 7.938 | 8.921 | 8.921 | 8.921 | 8.921 | 43.622 |
| TOTAL DG DIGIT (CERT-EU) appropriations | 9.122 | 11.047 | 11.675 | 12.146 | 12.146 | 56.136 |
| TOTAL appropriations under HEADING 7 of the multiannual financial framework (Total commitments = Total payments) | 9.122 | 11.047 | 11.675 | 12.146 | 12.146 | 56.136 |

EUR million (to three decimal places)

| | | Year 2023 | Year 2024 | Year 2025 | Year 2026 | Year 2027 | TOTAL |
|---|---|---|---|---|---|---|---|
| TOTAL appropriations under HEADINGS 1 to 7 of the multiannual financial framework (*) | Commitments | 11.581 | 13.506 | 14.134 | 14.605 | 14.605 | 68.429 |
| | Payments | 11.581 | 13.506 | 14.134 | 14.605 | 14.605 | 68.429 |

(*) Contributions from self-financed Union institutions, bodies and agencies are estimated at EUR 2.670 million per year (total for the five years, EUR 13.350 million). The contributions will constitute assigned revenues for CERT-EU. The tables above only include the estimated total impact on the Union budget and do not include those contributions.

3.2.2. Estimated output funded with operational appropriations

Commitment appropriations in EUR million (to three decimal places)

Enter as many years as necessary to show the duration of the impact (see point 1.6).

| Indicate objectives and outputs | OUTPUTS: Type (18) | Average cost | Year N: No | Year N: Cost | Year N+1: No | Year N+1: Cost | Year N+2: No | Year N+2: Cost | Year N+3: No | Year N+3: Cost | Total No | Total cost |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| SPECIFIC OBJECTIVE No 1 (19) | | | | | | | | | | | | |
| - Output | | | | | | | | | | | | |
| - Output | | | | | | | | | | | | |
| - Output | | | | | | | | | | | | |
| Subtotal for specific objective No 1 | | | | | | | | | | | | |
| SPECIFIC OBJECTIVE No 2 ... | | | | | | | | | | | | |
| - Output | | | | | | | | | | | | |
| Subtotal for specific objective No 2 | | | | | | | | | | | | |
| TOTALS | | | | | | | | | | | | |

3.2.3. Summary of estimated impact on administrative appropriations

–    The proposal/initiative does not require the use of appropriations of an administrative nature

–    The proposal/initiative requires the use of appropriations of an administrative nature, as explained below:

EUR million (to three decimal places)

| | Year 2023 | Year 2024 | Year 2025 | Year 2026 | Year 2027 | TOTAL |
|---|---|---|---|---|---|---|
| HEADING 7 of the multiannual financial framework | | | | | | |
| Human resources | | | | | | |
| Permanent staff (AD Grades) | 1.099 | 2.041 | 2.669 | 3.140 | 3.140 | 12.089 |
| Contract staff | 0.085 | 0.085 | 0.085 | 0.085 | 0.085 | 0.425 |
| Other administrative expenditure | 7.938 | 8.921 | 8.921 | 8.921 | 8.921 | 43.622 |
| Subtotal HEADING 7 of the multiannual financial framework | 9.122 | 11.047 | 11.675 | 12.146 | 12.146 | 56.136 |
| Outside HEADING 7 of the multiannual financial framework (20) | | | | | | |
| Human resources | | | | | | |
| Other expenditure of an administrative nature | | | | | | |
| Subtotal outside HEADING 7 of the multiannual financial framework | | | | | | |
| TOTAL | 9.122 | 11.047 | 11.675 | 12.146 | 12.146 | 56.136 |

The appropriations required for human resources and other expenditure of an administrative nature will be met by appropriations from the DG that are already assigned to management of the action and/or have been redeployed within the DG, together if necessary with any additional allocation which may be granted to the managing DG under the annual allocation procedure and in the light of budgetary constraints.

3.2.3.1. Estimated requirements of human resources

–    The proposal/initiative does not require the use of human resources.

–    The proposal/initiative requires the use of human resources, as explained below:

Estimate to be expressed in full time equivalent units

| | Year 2023 | Year 2024 | Year 2025 | Year 2026 | Year 2027 |
|---|---|---|---|---|---|
| Establishment plan posts (officials and temporary staff) | | | | | |
| 20 01 02 01 (Headquarters and Commission’s Representation Offices) | 7 | 13 | 17 | 20 | 20 |
| 20 01 02 03 (Delegations) | | | | | |
| 01 01 01 01 (Indirect research) | | | | | |
| 01 01 01 11 (Direct research) | | | | | |
| Other budget lines (specify) | | | | | |
| External staff (in Full Time Equivalent unit: FTE) (21) | | | | | |
| 20 02 01 (AC, END, INT from the ‘global envelope’) | 1 | 1 | 1 | 1 | 1 |
| 20 02 03 (AC, AL, END, INT and JPD in the delegations) | | | | | |
| XX 01 xx yy zz (22) - at Headquarters | | | | | |
| XX 01 xx yy zz (22) - in Delegations | | | | | |
| 01 01 01 02 (AC, END, INT - Indirect research) | | | | | |
| 01 01 01 12 (AC, END, INT - Direct research) | | | | | |
| Other budget lines (specify) | | | | | |
| TOTAL | 8 | 14 | 18 | 21 | 21 |

XX is the policy area or budget title concerned.

The human resources required will be met by staff from the DG who are already assigned to management of the action and/or have been redeployed within the DG, together if necessary with any additional allocation which may be granted to the managing DG under the annual allocation procedure and in the light of budgetary constraints.

Description of tasks to be carried out:

- Officials and temporary staff: Officials will implement the tasks and activities of CERT-EU as per the Regulation, in particular Chapters IV and V.

- External staff: The Contractual Agent will assist the secretarial functions of the Interinstitutional Cybersecurity Board.

3.2.4. Compatibility with the current multiannual financial framework

The proposal/initiative:

–    can be fully financed through redeployment within the relevant heading of the Multiannual Financial Framework (MFF).

Explain what reprogramming is required, specifying the budget lines concerned and the corresponding amounts. Please provide an Excel table in the case of major reprogramming.

–    requires use of the unallocated margin under the relevant heading of the MFF and/or use of the special instruments as defined in the MFF Regulation.

Explain what is required, specifying the headings and budget lines concerned, the corresponding amounts, and the instruments proposed to be used.

–    requires a revision of the MFF.

Explain what is required, specifying the headings and budget lines concerned and the corresponding amounts.

3.2.5. Third-party contributions

The proposal/initiative:

–    does not provide for co-financing by third parties 23

–    provides for the co-financing by third parties estimated below:

Appropriations in EUR million (to three decimal places)

| | Year N (24) | Year N+1 | Year N+2 | Year N+3 | Enter as many years as necessary to show the duration of the impact (see point 1.6) | Total |
|---|---|---|---|---|---|---|
| Specify the co-financing body | | | | | | |
| TOTAL appropriations co-financed | | | | | | |


3.3. Estimated impact on revenue

–    The proposal/initiative has no financial impact on revenue.

–    The proposal/initiative has the following financial impact:

–    on own resources

–    on other revenue

– please indicate if the revenue is assigned to expenditure lines

EUR million (to three decimal places)

| Budget revenue line: | Appropriations available for the current financial year | Impact of the proposal/initiative (25): Year N | Year N+1 | Year N+2 | Year N+3 | Enter as many years as necessary to show the duration of the impact (see point 1.6) |
|---|---|---|---|---|---|---|
| Article …………. | | | | | | |

For assigned revenue, specify the budget expenditure line(s) affected.


Other remarks (e.g. method/formula used for calculating the impact on revenue or any other information).


(1) ‘Significant incident’ means any incident unless it has limited impact and is likely to be already well understood in terms of method or technology.
(2) Source: Gartner, ‘Identifying the Real Information Security Budget’ (2016). This is in addition to indirect spending on IT security, such as network security (firewalls, antivirus) and system owner responsibilities such as risk assessment and the implementation of security controls. A 2020 paper puts cybersecurity spending at financial institutions at 10-11% of IT spending; source: DI_2020-FS-ISAC-Cybersecurity.pdf (deloitte.com).
(3) OJ C 12, 13.1.2018, p. 1–11.
(4) Commission Recommendation (EU) 2017/1584 of 13 September 2017 on coordinated response to large-scale cybersecurity incidents and crises (OJ L 239, 19.9.2017, p. 36).
(5) Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019 on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification and repealing Regulation (EU) No 526/2013 (Cybersecurity Act) (OJ L 151, 7.6.2019, p. 15).
(6) Commission Recommendation C(2021) 4520 of 23.6.2021 on building a Joint Cyber Unit.
(7) Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39).
(8) Regulation (EU, Euratom) 2018/1046 of the European Parliament and of the Council of 18 July 2018 on the financial rules applicable to the general budget of the Union, amending Regulations (EU) No 1296/2013, (EU) No 1301/2013, (EU) No 1303/2013, (EU) No 1304/2013, (EU) No 1309/2013, (EU) No 1316/2013, (EU) No 223/2014, (EU) No 283/2014, and Decision No 541/2014/EU and repealing Regulation (EU, Euratom) No 966/2012 (OJ L 193, 30.7.2018, p. 1).
(9) Regulation (EC) No 1049/2001 of the European Parliament and of the Council of 30 May 2001 regarding public access to European Parliament, Council and Commission documents (OJ L 145, 31.5.2001, p. 43).
(10) As referred to in Article 58(2)(a) or (b) of the Financial Regulation.
(11) Reference: [ECA Special Report on cybersecurity at the Union institutions, bodies and agencies].
(12) Details of management modes and references to the Financial Regulation may be found on the BudgWeb site: https://myintracomm.ec.europa.eu/budgweb/EN/man/budgmanag/Pages/budgmanag.aspx
(13) Diff. = Differentiated appropriations / Non-diff. = Non-differentiated appropriations.
(14) EFTA: European Free Trade Association.
(15) Candidate countries and, where applicable, potential candidates from the Western Balkans.
(16) According to the official budget nomenclature.
(17) Technical and/or administrative assistance and expenditure in support of the implementation of EU programmes and/or actions (former ‘BA’ lines), indirect research, direct research.
(18) Outputs are products and services to be supplied (e.g.: number of student exchanges financed, number of km of roads built, etc.).
(19) As described in point 1.4.2. ‘Specific objective(s)…’
(20) Technical and/or administrative assistance and expenditure in support of the implementation of EU programmes and/or actions (former ‘BA’ lines), indirect research, direct research.
(21) AC= Contract Staff; AL = Local Staff; END= Seconded National Expert; INT = agency staff; JPD= Junior Professionals in Delegations.
(22) Sub-ceiling for external staff covered by operational appropriations (former ‘BA’ lines).
(23) The assigned revenues stemming from the sporadic provision of services to non-constituent organisations foreseen in Article 12.5(c) have not been estimated because they should be marginal.
(24) Year N is the year in which implementation of the proposal/initiative starts. Please replace ‘N’ by the expected first year of implementation (for instance: 2021). The same for the following years.
(25) As regards traditional own resources (customs duties, sugar levies), the amounts indicated must be net amounts, i.e. gross amounts after deduction of 20 % for collection costs.