Information Security and Data Protection Legal and Policy Frameworks Applicable to European Union Institutions and Agencies

This study reviews the legal and policy frameworks that govern the use of information and communications technology by European Union institutions and agencies in terms of the extent to which they account for information security and data privacy.

The first set of findings is presented in Chapter 2, which suggests that legacy equipment, path dependency when it comes to law and policymaking, and the natural conservativeness of a large and complex administrative machine may act as inhibitors to building greater information security in EU institutions and agencies.

Examining legal and policy frameworks that govern and regulate the use of ICT across EU institutions and agencies, Chapter 3 finds that the overall tone of EU policy and legal frameworks governing and regulating information security resonates with a model of security based on an internally secure organisation and insecure external environment, which appears to be inconsistent with the latest evolving canon of best practice concerning inter-organisational security. Moreover, key EU information security and data protection frameworks would appear poorly aligned with many modern models of technology service delivery and use, and the potential for security and privacy requirements to be built in from the start through Security Engineering or Privacy by Design principles appears to have little visibility in many EU legal and policy frameworks.

Mapping legal and policy frameworks, which cover policy domains that are unique to EU institutions and agencies, Chapter 4 reveals that there is a complex landscape of very specific information security and data protection requirements for different EU policy domains. The unique nature of some of these policy domains and their attendant security or privacy considerations seem difficult to reconcile with the appetite for more innovative types of technology provision. The Chapter concluded by highlighting that information security governance and data protection remains a challenge within many EU frameworks, which are often managed in a federated fashion through obligatory standards and rules set at a strategic EU level and implementation at the national level.