EU institutions lack proper cybersecurity, EU auditors warn

Marta Pacheco

Belgium, (Brussels Morning) EU institutions are not well suited to face the growing threat of cyberattacks. The findings came from the European Court of Auditors (ECA), noting that the interconnectivity of EU bodies presents a weakness to the Union since a security threat in one institution or agency can quickly spread.

With the current landscape of recurring cyber warfare and in a growing digitalized world, the level of cybersecurity preparedness is a determinant factor to ensure security.

However, significant cybersecurity incidents in EU bodies increased more than tenfold between 2018 and 2021, according to ECA. The increase of remote working has considerably increased the number of potential access points for attackers.

“EU institutions, bodies, and agencies are attractive targets for potential attackers, particularly groups capable of executing highly sophisticated stealth attacks for cyber-espionage and other nefarious purposes”, said Bettina Jakobsen, the ECA member who led the audit. 

“Such attacks can have significant political implications, harm the overall reputation of the EU, and undermine trust in its institutions. The EU must step up its efforts to protect its own organizations,” she added.

CERT-EU and ENISA

To address the growing problem, EU auditors recommend that binding cybersecurity rules should be introduced, and the number of resources available to the Computer Emergency Response Team (CERT-EU) should be increased. 

In addition, the European Commission should also promote further cooperation among EU bodies while CERT-EU and the European Union Agency for Cybersecurity (ENISA) should increase their focus on those EU bodies that have less experience in managing cybersecurity.

CERT-EU and ENISA are the EU’s two main entities tasked with providing support on cybersecurity. However, they have not been able to provide EU bodies with all the support they need, due to resource constraints or priority being given to other areas. 

“Cybersecurity must no longer be seen as a secondary concern. It is essential that we use all available tools and resources to protect ourselves,” said DIGITALEUROPE’s Director General Cecilia Bonefeld-Dahl.

Increase resources

The allocation of resources to cybersecurity varies widely, and a number of EU bodies are spending considerably less than comparable peers. Still, considering the different risk profiles of each organization and the varying sensitivity levels of the data they handle, EU auditors reiterate that cybersecurity weaknesses in a single EU body can expose several other organizations to cybersecurity threats.

Information sharing is also a shortcoming, according to the auditors. For example, not all EU bodies carry out timely reporting on vulnerabilities and significant cybersecurity incidents that have impacted them and may impact others.

“As we have now seen, cyberwarfare can outride traditional warfare. By breaking into the ICT systems of ministries, hospitals, media outlets, and other critical infrastructure, cyber-attacks can grind government business to a halt, disrupt vital supplies and sow confusion,” said Bonefeld-Dahl, highlighting the severe impact of a potential cyberattack.

About Us

Brussels Morning is a daily online newspaper based in Belgium. BM publishes unique and independent coverage on international and European affairs. With a Europe-wide perspective, BM covers policies and politics of the EU, significant Member State developments, and looks at the international agenda with a European perspective.
Share This Article
Marta Pacheco is the Brussels Morning European Commission Editor. She studied Political Science and Media & Journalism at the Catholic University of Portugal (UCP). A former Blue Book trainee of the European Commission, Marta has a keen interest in global affairs and experience in EU and diplomatic affairs reporting.
The Brussels Morning Newspaper Logo

Subscribe for Latest Updates