Annexes to COM(2022)122 - Measures for a high common level of cybersecurity at the institutions, bodies, offices and agencies of the Union - Main contents
Please note
This page contains a limited version of this dossier in the EU Monitor.
| dossier | COM(2022)122 - Measures for a high common level of cybersecurity at the institutions, bodies, offices and agencies of the Union. |
|---|---|
| document | COM(2022)122  |
| date | December 13, 2023 |
- total 38 FTE.
CERT-EU budget in 2020 was: EUR 250 000 under the Commission Budget, EUR 3.5 million through assigned revenues from service level agreements. Total: EUR 3.75 million. This constituted the entire CERT-EU budget covering training, hardware, software, missions, support, contract agents and conferences.
Once the regulation is into force the future resources of CERT-EU are foreseen to be:
- permanent posts: 34 FTE,
- contract agents: 15 FTE,
- total 49 FTE, thus a net increase of 11 FTE.
The change in ratio between permanent posts and contract agents addresses the pertinent stumbling block of hiring and retaining senior cybersecurity professionals due to their scarcity on the labour market.
In addition, 1 FTE contract agent will be required within the Commission’s Directorate-General for Informatics to support the IICB (Interinstitutional Cybersecurity Board).
In total 21 FTE additional will thus be required to implement the Regulation (20 FTE for CERT-EU and 1 for the Commission’s Directorate-General for Informatics). This will be compensated by a parallel reduction of 9 FTE contract agents in CERT-EU which were previously financed through assigned revenue from service level agreements.
The CERT-EU non-human resources budget in 2024 after transition period will cover the tasks listed above under (a) through (e) and is foreseen to be funded as follows:
- EUR 8.921 million per year from the Union institutions financed under Union budget Heading 7,
- EUR 2.459 million from Union institutions, bodies and agencies financed under Union budget Headings 1 to 6,
- EUR 2.670 million from self-financed Union institutions, bodies and agencies.
- Total CERT-EU budget: EUR 14.05 million.
The tasks listed in Article 12.5 are not described in its service catalogue, these are chargeable services. These are ancillary, represent relatively low amounts, are mostly temporary, and the costs of these services will be recovered from beneficiaries of the services through service level agreements or written agreements.
With regards to contributions to staff of CERT-EU: the Union institutions and main bodies shall contribute a fair share which is in proportion to the respective share of permanent AD posts of the organisation. It should be seen whether ECB and EIB can also contribute a fair share through secondment of permanent staff.
2. MANAGEMENT MEASURES
2.1.Monitoring and reporting rules
Specify frequency and conditions.
The Commission, with the help of the IICB and CERT-EU, will periodically review the functioning of the Regulation and report to the European Parliament and the Council, the first time no later than 48 months after the entry into force of this Regulation, and thereafter every three years.
The data sources used for the reviews would mostly be from the IICB and CERT-EU. In addition, specific data gathering tools could be used when needed, e.g. surveys of the Union institutions, bodies and agencies, ENISA or the CSIRTs Network.
2.2.Management and control system(s)
2.2.1.Justification of the management mode(s), the funding implementation mechanism(s), the payment modalities and the control strategy proposed
Actions deriving from the Regulation will be managed within each Union institution, body and agency in accordance with their relevant applicable rules and regulations.
Administrative and financial management of CERT-EU activities is embedded within the Commission administration and follows its applicable management and implementation mechanisms, payment modalities and controls.
The Commission’s internal auditor exercises the same powers over CERT-EU as over the Commission departments.
2.2.2.Information concerning the risks identified and the internal control system(s) set up to mitigate them
Very low risk, as CERT-EU is already attached administratively as a Commission Taskforce to the Director-General for Informatics, and the IICB is modelled on the current CERT-EU Steering Board. The ecosystem for financial management and internal control is thus already in place.
2.2.3.Estimation and justification of the cost-effectiveness of the controls (ratio of ‘control costs ÷ value of the related funds managed’), and assessment of the expected levels of risk of error (at payment & at closure)
Procedures for procurement, financial management and control are already in place and well tested. Cost-effectiveness of controls and the levels of risk of error correspond to those in each Union institution, body or agency, and to those of the Commission for CERT-EU activities.
2.3.Measures to prevent fraud and irregularities
Specify existing or envisaged prevention and protection measures, e.g. from the Anti-Fraud Strategy.
The financial management and internal control systems of the Commission apply for CERT-EU activities.
In order to combat fraud, corruption and other unlawful activities the provisions of Regulation (EU, Euratom) No 883/2013 of the European Parliament and of the Council of 11 September 2013 concerning investigations conducted by the European Anti-fraud Office (OLAF) applies without restriction.
3. ESTIMATED FINANCIAL IMPACT OF THE PROPOSAL/INITIATIVE
3.1.Heading(s) of the multiannual financial framework and expenditure budget line(s) affected
·Existing budget lines
In order of multiannual financial framework headings and budget lines.
| Heading of multiannual financial framework | Budget line | Type of expenditure | Contribution | |||
| Number | Diff./Non-diff. 13 | from EFTA countries 14 | from candidate countries 15 | from third countries | within the meaning of Article 21(2)(b) of the Financial Regulation | |
| 1 to 6 | Budget lines covering Union contributions to decentralised agencies and bodies | Diff. | NO | NO | NO | NO |
| 7 | Budget lines covering staff remunerations, IT expenditure and other administrative expenditure in the different Sections of the EU budget | Non-diff. | NO | NO | NO | NO |
·New budget lines requested
In order of multiannual financial framework headings and budget lines.
| Heading of multiannual financial framework | Budget line | Type of expenditure | Contribution | |||
| Number | Diff./Non-diff. | from EFTA countries | from candidate countries | from third countries | within the meaning of Article 21(2)(b) of the Financial Regulation | |
| None | YES/NO | YES/NO | YES/NO | YES/NO |
3.2.Estimated financial impact of the proposal on appropriations
3.2.1.Summary of estimated impact on operational appropriations
– The proposal/initiative does not require the use of operational appropriations
– The proposal/initiative requires the use of operational appropriations, as explained below:
EUR million (to three decimal places)
| Heading of multiannual financial framework | 1 to 6 | Headings covering contributions to decentralised agencies and bodies |
| DG: Several | Year 2023 | Year 2024 | Year 2025 | Year 2026 | Year 2027 | TOTAL | ||
| □ Operational appropriations | ||||||||
| Budget lines covering Union contributions to decentralised agencies (xx 10 xx xx) 16 | Commitments | (1a) | 2.459 | 2.459 | 2.459 | 2.459 | 2.459 | 12.293 |
| Payments | (2a) | 2.459 | 2.459 | 2.459 | 2.459 | 2.459 | 12.293 | |
| Appropriations of an administrative nature financed from the envelope of specific programmes 17 | ||||||||
| Budget line | (3) | |||||||
| TOTAL appropriations for DG: Several | Commitments | =1a+1b +3 | 2.459 | 2.459 | 2.459 | 2.459 | 2.459 | 12.293 |
| Payments | =2a+2b +3 | 2.459 | 2.459 | 2.459 | 2.459 | 2.459 | 12.293 |
□ TOTAL operational appropriations | Commitments | (4) | 2.459 | 2.459 | 2.459 | 2.459 | 2.459 | 12.293 |
| Payments | (5) | 2.459 | 2.459 | 2.459 | 2.459 | 2.459 | 12.293 | |
| □ TOTAL appropriations of an administrative nature financed from the envelope for specific programmes | (6) | |||||||
| TOTAL appropriations under HEADINGS 1 to 6 of the multiannual financial framework | Commitments | =4+ 6 | 2.459 | 2.459 | 2.459 | 2.459 | 2.459 | 12.293 |
| Payments | =5+ 6 | 2.459 | 2.459 | 2.459 | 2.459 | 2.459 | 12.293 |
If more than one operational heading is affected by the proposal / initiative, repeat the section above:
| □ TOTAL operational appropriations (all operational headings) | Commitments | (4) | 2.459 | 2.459 | 2.459 | 2.459 | 2.459 | 12.293 |
| Payments | (5) | 2.459 | 2.459 | 2.459 | 2.459 | 2.459 | 12.293 | |
| TOTAL appropriations of an administrative nature financed from the envelope for specific programmes (all operational headings) | (6) | |||||||
| TOTAL appropriations under HEADINGS 1 to 6 of the multiannual financial framework (Reference amount) | Commitments | =4+ 6 | 2.459 | 2.459 | 2.459 | 2.459 | 2.459 | 12.293 |
| Payments | =5+ 6 | 2.459 | 2.459 | 2.459 | 2.459 | 2.459 | 12.293 |
Heading of multiannual financial framework | 7 | ‘Administrative expenditure’ |
This section should be filled in using the 'budget data of an administrative nature' to be firstly introduced in the Annex to the Legislative Financial Statement (Annex V to the internal rules), which is uploaded to DECIDE for interservice consultation purposes.
EUR million (to three decimal places)
| Year 2023 | Year 2024 | Year 2025 | Year 2026 | Year 2027 | TOTAL | |||
| DG: DIGIT (CERT-EU) | ||||||||
| □ Human resources | 1.184 | 2.126 | 2.754 | 3.225 | 3.225 | 12.514 | ||
| □ Other administrative expenditure | 7.938 | 8.921 | 8.921 | 8.921 | 8.921 | 43.622 | ||
| TOTAL DG DIGIT (CERT-EU) | Appropriations | 9.122 | 11.047 | 11.675 | 12.146 | 12.146 | 56.136 |
| TOTAL appropriations under HEADING 7 of the multiannual financial framework | (Total commitments = Total payments) | 9.122 | 11.047 | 11.675 | 12.146 | 12.146 | 56.136 |
EUR million (to three decimal places)
| Year 2023 | Year 2024 | Year 2025 | Year 2026 | Year 2027 | TOTAL | |||
| TOTAL appropriations under HEADINGS 1 to 7 of the multiannual financial framework (*) | Commitments | 11.581 | 13.506 | 14.134 | 14.605 | 14.605 | 68.429 | |
| Payments | 11.581 | 13.506 | 14.134 | 14.605 | 14.605 | 68.429 |
(*) Contributions from self-financed Union institutions, bodies and agencies are estimated at EUR 2.670 million per year (total for the five years, EUR 13.350 million). The contributions will constitute assigned revenues for CERT-EU. The tables above only include the estimated total impact on the Union budget and do not include those contributions.
3.2.2.Estimated output funded with operational appropriations
Commitment appropriations in EUR million (to three decimal places)
| Indicate objectives and outputs | Year N | Year N+1 | Year N+2 | Year N+3 | Enter as many years as necessary to show the duration of the impact (see point 1.6) | TOTAL | ||||||||||||
| OUTPUTS | ||||||||||||||||||
| Type 18 | Average cost | No | Cost | No | Cost | No | Cost | No | Cost | No | Cost | No | Cost | No | Cost | Total No | Total cost | |
| SPECIFIC OBJECTIVE No 1 19 … | ||||||||||||||||||
| - Output | ||||||||||||||||||
| - Output | ||||||||||||||||||
| - Output | ||||||||||||||||||
| Subtotal for specific objective No 1 | ||||||||||||||||||
| SPECIFIC OBJECTIVE No 2 ... | ||||||||||||||||||
| - Output | ||||||||||||||||||
| Subtotal for specific objective No 2 | ||||||||||||||||||
| TOTALS |
3.2.3.Summary of estimated impact on administrative appropriations
– The proposal/initiative does not require the use of appropriations of an administrative nature
– The proposal/initiative requires the use of appropriations of an administrative nature, as explained below:
EUR million (to three decimal places)
| Year 2023 | Year 2024 | Year 2025 | Year 2026 | Year 2027 | TOTAL |
| HEADING 7 of the multiannual financial framework | ||||||
| Human resources | ||||||
| Permanent staff (AD Grades) | 1.099 | 2.041 | 2.669 | 3.14 | 3.14 | 12.089 |
| Contract staff | 0.085 | 0.085 | 0.085 | 0.085 | 0.085 | 0.425 |
| Other administrative expenditure | 7.938 | 8.921 | 8.921 | 8.921 | 8.921 | 43.622 |
| Subtotal HEADING 7 of the multiannual financial framework | 9.122 | 11.047 | 11.675 | 12.146 | 12.146 | 56.136 |
| Outside HEADING 7 20 of the multiannual financial framework | ||||||
| Human resources | ||||||
| Other expenditure of an administrative nature | ||||||
| Subtotal outside HEADING 7 of the multiannual financial framework |
| TOTAL | 9.122 | 11.047 | 11.675 | 12.146 | 12.146 | 56.136 |
The appropriations required for human resources and other expenditure of an administrative nature will be met by appropriations from the DG that are already assigned to management of the action and/or have been redeployed within the DG, together if necessary with any additional allocation which may be granted to the managing DG under the annual allocation procedure and in the light of budgetary constraints.
3.2.3.1.Estimated requirements of human resources
– The proposal/initiative does not require the use of human resources.
– The proposal/initiative requires the use of human resources, as explained below:
Estimate to be expressed in full time equivalent units
| Year 2023 | Year 2024 | Year 2025 | Year 2026 | Year 2027 | ||||
| □ Establishment plan posts (officials and temporary staff) | ||||||||
| 20 01 02 01 (Headquarters and Commission’s Representation Offices) | 7 | 13 | 17 | 20 | 20 | |||
| 20 01 02 03 (Delegations) | ||||||||
| 01 01 01 01 (Indirect research) | ||||||||
| 01 01 01 11 (Direct research) | ||||||||
| Other budget lines (specify) | ||||||||
| □ External staff (in Full Time Equivalent unit: FTE) 21 | ||||||||
| 20 02 01 (AC, END, INT from the ‘global envelope’) | 1 | 1 | 1 | 1 | 1 | |||
| 20 02 03 (AC, AL, END, INT and JPD in the delegations) | ||||||||
| XX 01 xx yy zz 22 | - at Headquarters | |||||||
| - in Delegations | ||||||||
| 01 01 01 02 (AC, END, INT - Indirect research) | ||||||||
| 01 01 01 12 (AC, END, INT - Direct research) | ||||||||
| Other budget lines (specify) | ||||||||
| TOTAL | 8 | 14 | 18 | 21 | 21 |
XX is the policy area or budget title concerned.
The human resources required will be met by staff from the DG who are already assigned to management of the action and/or have been redeployed within the DG, together if necessary with any additional allocation which may be granted to the managing DG under the annual allocation procedure and in the light of budgetary constraints.
Description of tasks to be carried out:
| Officials and temporary staff | Officials will implement the tasks and activities of CERT-EU as per the Regulation, in particular Chapters IV and V. |
| External staff | The Contractual Agent will assist the secretarial functions of the Interinstitutional Cybersecurity Board. |
3.2.4.Compatibility with the current multiannual financial framework
The proposal/initiative:
– can be fully financed through redeployment within the relevant heading of the Multiannual Financial Framework (MFF).
Explain what reprogramming is required, specifying the budget lines concerned and the corresponding amounts. Please provide an excel table in the case of major reprogramming.
– requires use of the unallocated margin under the relevant heading of the MFF and/or use of the special instruments as defined in the MFF Regulation.
Explain what is required, specifying the headings and budget lines concerned, the corresponding amounts, and the instruments proposed to be used.
– requires a revision of the MFF.
Explain what is required, specifying the headings and budget lines concerned and the corresponding amounts.
3.2.5.Third-party contributions
The proposal/initiative:
– does not provide for co-financing by third parties 23
– provides for the co-financing by third parties estimated below:
Appropriations in EUR million (to three decimal places)
| Year N 24 | Year N+1 | Year N+2 | Year N+3 | Enter as many years as necessary to show the duration of the impact (see point 1.6) | Total | |||
| Specify the co-financing body | ||||||||
| TOTAL appropriations co-financed |
3.3.Estimated impact on revenue
– The proposal/initiative has no financial impact on revenue.
– The proposal/initiative has the following financial impact:
– on own resources
– on other revenue
–please indicate, if the revenue is assigned to expenditure lines
EUR million (to three decimal places)
| Budget revenue line: | Appropriations available for the current financial year | Impact of the proposal/initiative 25 | ||||||
| Year N | Year N+1 | Year N+2 | Year N+3 | Enter as many years as necessary to show the duration of the impact (see point 1.6) | ||||
| Article …………. |
For assigned revenue, specify the budget expenditure line(s) affected.
Other remarks (e.g. method/formula used for calculating the impact on revenue or any other information).
(1) ‘Significant incident’ means any incident unless it has limited impact and is likely to be already well understood in terms of method or technology.
(2) Source: Gartner, ‘Identifying the Real Information Security Budget’ (2016). This is in addition to indirect spending IT security such as on network security such as firewalls, antivirus and system owner responsibilities such as risk assessment and the implementation of security controls. A 2020 paper puts cybersecurity spending at financial institutions at 10-11% of IT spending, source: DI_2020-FS-ISAC-Cybersecurity.pdf (deloitte.com) .
(3) OJ C 12, 13.1.2018, p. 1–11.
(4) Commission Recommendation (EU) 2017/1584 of 13 September 2017 on coordinated response to large-scale cybersecurity incidents and crises (OJ L 239, 19.9.2017, p. 36).
(5) Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019 on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification and repealing Regulation (EU) No 526/2013 (Cybersecurity Act) (OJ L 151, 7.6.2019, p. 15).
(6) Commission Recommendation C(2021) 4520 of 23.6.2021 on building a Joint Cyber Unit.
(7) Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39).
(8) Regulation (EU, Euratom) 2018/1046 of the European Parliament and of the Council of 18 July 2018 on the financial rules applicable to the general budget of the Union, amending Regulations (EU) No 1296/2013, (EU) No 1301/2013, (EU) No 1303/2013, (EU) No 1304/2013, (EU) No 1309/2013, (EU) No 1316/2013, (EU) No 223/2014, (EU) No 283/2014, and Decision No 541/2014/EU and repealing Regulation (EU, Euratom) No 966/2012 (OJ L 193, 30.7.2018, p. 1).
(9) Regulation (EC) No 1049/2001 of the European Parliament and of the Council of 30 May 2001 regarding public access to European Parliament, Council and Commission documents (OJ L 145, 31.5.2001, p. 43).
(10) As referred to in Article 58(2)(a) or (b) of the Financial Regulation.
(11) Reference: [ECA Special Report on cybersecurity at the Union institutions, bodies and agencies].
(12) Details of management modes and references to the Financial Regulation may be found on the BudgWeb site: https://myintracomm.ec.europa.eu/budgweb/EN/man/budgmanag/Pages/budgmanag.aspx
(13) Diff. = Differentiated appropriations / Non-diff. = Non-differentiated appropriations.
(14) EFTA: European Free Trade Association.
(15) Candidate countries and, where applicable, potential candidates from the Western Balkans.
(16) According to the official budget nomenclature.
(17) Technical and/or administrative assistance and expenditure in support of the implementation of EU programmes and/or actions (former ‘BA’ lines), indirect research, direct research.
(18) Outputs are products and services to be supplied (e.g.: number of student exchanges financed, number of km of roads built, etc.).
(19) As described in point 1.4.2. ‘Specific objective(s)…’
(20) Technical and/or administrative assistance and expenditure in support of the implementation of EU programmes and/or actions (former ‘BA’ lines), indirect research, direct research.
(21) AC= Contract Staff; AL = Local Staff; END= Seconded National Expert; INT = agency staff; JPD= Junior Professionals in Delegations.
(22) Sub-ceiling for external staff covered by operational appropriations (former ‘BA’ lines).
(23) The assigned revenues steaming from the sporadic provision of services to non-constituent organisations foreseen in Article 12.5(c) have not been estimated because should be marginal.
(24) Year N is the year in which implementation of the proposal/initiative starts. Please replace ‘N’ by the expected first year of implementation (for instance: 2021). The same for the following years.
(25) As regards traditional own resources (customs duties, sugar levies), the amounts indicated must be net amounts, i.e. gross amounts after deduction of 20 % for collection costs.