EU institutions are not sufficiently prepared for the increasing number of cyberattacks, according to a new special report published by the European Court of Auditors on Tuesday (29 March). EURACTIV Germany reports.
In their report, the auditors recommend setting more binding rules, improving the resources of IT emergency response teams and intensifying cross-institutional cooperation.
“The EU institutions, bodies and agencies are attractive targets for potential attackers and especially for groups capable of carrying out technically sophisticated covert attacks for the purpose of cyber espionage and other malicious purposes,” said Bettina Jakobsen, who was in charge of the audit.
Besides being costly, attacks could damage the EU’s reputation and undermine trust in its institutions, she added.
Unfortunately, the cyber-resilience of EU institutions is still lacking in practice despite the Commission’s commitment to strengthening it, according to the same report. It adds that the institutions still have no coherent strategy and lack basic controls and procedures.
This could lead to significant damage, so the court’s auditors have called for an overhaul of the institutions’ cybersecurity architecture.
“The EU needs to do more to protect its own authorities,” Jakobsen urged.
The Commission’s proposal made on 22 March to strengthen cybersecurity across the bloc’s institutions is a follow-up to the auditors’ previous recommendations, the court also stated.
A massive increase in attacks
The number of serious cyberattacks on EU institutions increased more than tenfold between 2018 and 2021.
While the upward trend can be explained by more staff working from home, regular training for staff on cyberthreats is also lacking. Only 29% of senior staff in EU institutions responsible for sensitive data receive such training.
The report also finds that the institutions have developed their cyber-defences to varying degrees and are fundamentally underprepared for possible cyberattacks.
Because EU institutions are so closely linked, a successful attack that targets one institution could lead to a domino effect and spread to others.
There is no legal framework for information and cybersecurity in EU bodies. Neither the NIS Directive – the first piece of EU-wide cybersecurity legislation – nor its revised version, the NIS 2 Directive, applies to them.
Recommendations to EU institutions
The report also states that a robust, consistent cybersecurity approach and essential controls are needed to ensure information security. Awareness-raising programmes are an integral component of an effective security framework. For example, simulated phishing campaigns can be a powerful training tool, but they are not yet systematically employed.
Synergies between institutions are also not sufficiently explored. Both the exchange of information on projects and security assessments between institutions and the increased focus on interoperable communication tools thus still leave room for improvement, according to auditors.
The report assesses the main cybersecurity support bodies, namely the European Union Agency for Cybersecurity (ENISA) and the IT Security Incident Response Team (CERT-EU), as insufficient and underfunded. The bodies are recommended to identify the areas that require the most support and to develop capacity-building measures. Moreover, the Commission is urged to increase funding for these cybersecurity bodies.
The Commission’s proposal
In light of these deficiencies, the Commission proposed on 22 March new rules to improve cybersecurity in the EU institutions, bodies, agencies and offices.
The regulation aims to improve their resilience and responsiveness to cyberattacks by establishing a governance, risk management and control framework and setting up a new inter-institutional cybersecurity advisory board. CERT-EU’s mandate and resources will also be strengthened. While retaining its acronym, CERT-EU is to be rebranded as the “Cybersecurity Centre”.
The project has been described by EU Budget and Administration Commissioner Johannes Hahn as a “milestone in the EU’s cyber and information security landscape”.
MEPs also call for cybersecurity systems to be readjusted across all EU institutions.
“All EU institutions have been attacked by nation-states and others, so it is not a minute too early to strengthen the EU’s cyber defences,” Bart Groothuis, rapporteur of the NIS-2 Directive, told EURACTIV.
Groothuis had been calling for the drafting of this new regulation, which would also apply to the institutions. The growing threat faced by the cybersecurity sector also calls for “military security precautions here in Brussels”, the MEP added.
[Edited by Oliver Noyan/Alice Taylor/Luca Bertuzzi]