ECA: EU institutions need to step up cyber security preparedness

The number of cyber attacks on EU institutions is growing rapidly. The degree of preparedness of these bodies in the field of cybersecurity varies and overall is not proportional to the growing threats. Given their strong interconnectedness, weaknesses in one can expose the others to security threats. This is the conclusion of a special report by the European Court of Auditors, which examines the level of preparedness of EU governance bodies against cyber threats.

The auditors recommend the establishment of binding rules on cybersecurity and an increase in the resources available to the IT emergency team (CERT-EU). According to the auditors, the European Commission should also promote further cooperation between the Union institutions, while CERT-EU and the European Union Cybersecurity Agency should increase their focus on those with less experience in managing cybersecurity.

Significant cybersecurity incidents in the various EU institutions increased more than tenfold between 2018 and 2021; teleworking significantly increased the number of potential access points for attackers. Significant incidents are usually caused by complex cyberattacks, which usually require the use of new methods and technologies and can take weeks, if not months, to investigate and recover from. An example was the cyber-attack on the European Medicines Agency, in which sensitive data was leaked and then falsified in order to undermine public confidence in vaccines.

“EU institutions and bodies are attractive targets for potential attackers, especially for groups capable of carrying out highly sophisticated invisible cyber-espionage or other malicious attacks,” said Bettina Jakobsen, the member of the European Court of Auditors who led the audit. “Attacks like this can have significant political implications, damage the EU’s overall reputation and undermine confidence in its institutions. The EU must step up its efforts to protect its institutions.”

The main finding of the auditors was that the EU institutions and bodies are not always sufficiently protected from cyber threats. Cybersecurity is not approached consistently, relevant key points and good practices are not always applied, and relevant training is not provided systematically. The resources available for cybersecurity vary widely, as some bodies have been found to spend much less than others of similar size. Although differences in cybersecurity levels could theoretically be justified by the different risk profiles of each organization and the different levels of sensitivity of the data they handle, the auditors point out that the cybersecurity vulnerabilities of one EU institution may expose a number of others (EU institutions are not only interconnected, but often have links to public and private bodies in the Member States).

The Computer Emergency Response Team (CERT-EU) and the European Union Cybersecurity Agency (ENISA) are the two main entities responsible for providing cybersecurity support. However, they have not been able to provide the EU institutions with all the support they need, due to limited resources or the fact that other areas have been prioritized. According to the auditors, the exchange of information also has weaknesses: for example, not all EU institutions provide timely information on vulnerabilities and significant cybersecurity incidents that have affected them and may affect others.

General information

To date, no legal framework for information security and cybersecurity has been established in the EU institutions and agencies, as they are not subject to the wider EU cybersecurity legislation, the 2016 NIS Directive, or its proposed revision, the NIS2 Directive. Also, there is no complete information on the amounts they spend on cybersecurity. Common rules on information security and cybersecurity for all EU institutions are included in the Communication on the EU Security Union Strategy for 2020-2025, published by the Commission in July 2020. In the Cybersecurity Strategy for the Digital Decade, published in December 2020, the Commission undertook to propose a regulation on common cybersecurity rules for all EU institutions and bodies. It also proposed the introduction of a new legal basis for CERT to strengthen its mandate and funding.

The special report 05/2022, entitled “Cybersecurity in the EU institutions and bodies – The overall level of preparedness is not commensurate with the threats”, is available on the ECA website. The ECA had also outlined the challenges for an effective EU cybersecurity policy in a 2019 review.

Source: Capital
