This proposal is part of the EU Security Union Strategy1 adopted by the Commission on 24 July 2020 and laying down its commitment to bring the European Union's added value to the national efforts in the area of security. Part of this engagement is the initiative to streamline the internal legal frameworks for information security in all Union institutions and bodies.

A key feature of the Strategic Agenda for 2019-2024 adopted by the European Council in June 2019 is to protect our societies from the ever evolving threats targeting the information handled by institutions and bodies. In its conclusions2, the European Council called in particular on ‘the EU institutions, together with the Member States, to work on measures to enhance the resilience and improve the security culture of the European Union against cyber and hybrid threats from outside the EU, and to better protect the EU’s information and communication networks, and its decision-making processes, from malicious activities of all kinds’.

In the same line, the General Affairs Council of December 20193 concluded that the EU institutions and bodies, supported by Member States, should develop and implement a comprehensive set of measures to ensure their security. This echoes a long standing request from the Council Security Committee to investigate a common core of security rules for the Council, the Commission and the European External Action Service4.

Currently, the Union institutions and bodies either have their own information security rules, based on their Rules of procedure or founding act, or they do not have information security rules at all. This is mostly the case of some small entities, which lack any formal information security policies.

Due to the ever-increasing amounts of sensitive non-classified and European Union classified information (‘EUCI’) that the Union institutions and bodies need to share between themselves and considering the dramatic development of the threat landscape, the European administration is exposed to attack in all its areas of activity. The information handled by our institutions and bodies is very attractive for the threat actors and needs to be appropriately protected. This requires swift action aiming at enhancing its protection.