Examining the EU's Information Security and Data Protection Frameworks

Overview

Has Brussels put its own house in order when it comes to information security and data privacy? RAND Europe research suggests that the EU institutions and agencies should review the rules that govern their information security and data privacy procedures if they want to be ahead of the ICT innovation curve.

Background

The legal and policy frameworks that govern and regulate the use of information and communication technology (ICT) within European Union (EU) institutions and agencies include varying information security and data privacy aspects. The research report Information Security and Data Protection Legal and Policy Frameworks Applicable to European Union Institutions and Agencies informs evolving debates about the complex range of information security and data protection obligations to which the EU institutions and agencies are increasingly subject.

At the same time, the report illustrates how these debates and actual law and policymaking within the EU institutions and agencies relate to some of the latest corporate ICT delivery and use trends, including cloud computing, the consumerisation of IT (‘bring your own device’), service-orientated architectures, and an open model of IT services mediated through cyberspace.

Methods

Our research followed a two-fold methodological approach. First, the report offers a systematic review of the existing legal and policy frameworks that govern and regulate the use of ICT by EU institutions and agencies. Second, the report analyses to what extent these frameworks are capable of governing and regulating potential EU institutional ICT delivery and use patterns associated with some of the latest developments in corporate ICT.

Findings

Examining legal and policy frameworks that govern and regulate the use of ICT across all EU institutions and agencies, the report finds that:

  • The overall tone of EU policy and legal frameworks governing and regulating information security resonates with a model of security based on an internally secure organisation and insecure external environment, which appears to be inconsistent with the latest evolving canon of best practice concerning inter-organisational security (as, for example, codified by the International Standards Organisation).
  • Key EU information security and data protection frameworks would appear poorly aligned with many modern models of technology service delivery and use, including cloud computing, the consumerisation of IT (‘bring your own device’), service-orientated architectures (SoA), and an open model of IT services mediated through cyberspace. For example, although the e-Commission Communication flags up the involvement of the European Commission in the Cloud Computing Strategy, the existing security frameworks do not seem to be aligned.
  • The potential for security and privacy requirements to be built in from the start through ‘Security Engineering’ or ‘Privacy by Design’ principles appears to have little visibility in many existing EU legal and policy frameworks.

Turning to the legal and policy frameworks that cover domains specific to individual EU institutions and agencies, such as the management and processing of sector-specific data, the processing of personally identifiable nominal data for intelligence, border management and criminal justice cooperation, or the processing of sensitive classified information for EU-led crisis management operations, the report further argues that:

  • There is a complex landscape of very specific information security and data protection requirements for different EU policy domains.
  • The unique nature of some of these policy domains, their attendant security or privacy considerations, and the legacy ICT systems that underpin them seem difficult to reconcile with the appetite for more innovative types of ICT delivery and use trends, such as greater consumerisation of corporate IT assets or greater use of cloud computing.
  • Understanding information security governance and data protection remains a challenge within many EU policy and legal frameworks, which are often adopted and implemented in a rather complex federated fashion, with obligatory standards and rules being set at a common European level (either through the EU institutions or the Council of Europe) and implemented at the national level.

The study concludes that path dependency in the law and policymaking of a large and complex administrative machine such as the EU, together with the specific ICT delivery and use requirements and the legacy ICT assets of the different EU institutions and agencies, appears to inhibit equipping those institutions and agencies with information security and data privacy frameworks that are on a par with the latest developments in corporate ICT.

Publication