G2TT
Source type: Report
Standardized type: Report
DOI: https://doi.org/10.7249/RR557
Source ID: RR-557-ME
Information Security and Data Protection Legal and Policy Frameworks Applicable to European Union Institutions and Agencies
Neil Robinson; Jan Gaspers
Publication date: 2014-04-01
Publication year: 2014
Pages: 71
Language: English
Conclusions: Information Security and Data Protection Legal and Policy Frameworks Applicable to European Union Institutions and Agencies | RAND
Abstract

This study reviews the legal and policy frameworks that govern the use of information and communications technology by European Union institutions and agencies in terms of the extent to which they account for information security and data privacy.

The first set of findings is presented in Chapter 2, which suggests that legacy equipment, path dependency when it comes to law and policymaking, and the natural conservativeness of a large and complex administrative machine may act as inhibitors to building greater information security in EU institutions and agencies.

Examining legal and policy frameworks that govern and regulate the use of ICT across EU institutions and agencies, Chapter 3 finds that the overall tone of EU policy and legal frameworks governing and regulating information security resonates with a model of security based on an internally secure organisation and insecure external environment, which appears to be inconsistent with the latest evolving canon of best practice concerning inter-organisational security. Moreover, key EU information security and data protection frameworks would appear poorly aligned with many modern models of technology service delivery and use, and the potential for security and privacy requirements to be built in from the start through Security Engineering or Privacy by Design principles appears to have little visibility in many EU legal and policy frameworks.

Mapping legal and policy frameworks that cover policy domains unique to EU institutions and agencies, Chapter 4 reveals a complex landscape of very specific information security and data protection requirements for different EU policy domains. The unique nature of some of these policy domains and their attendant security or privacy considerations seems difficult to reconcile with the appetite for more innovative types of technology provision. The chapter concludes by highlighting that information security governance and data protection remain a challenge within many EU frameworks, which are often managed in a federated fashion through obligatory standards and rules set at a strategic EU level and implementation at the national level.

Table of contents
  • Chapter One: Introduction
  • Chapter Two: European Union ICT requirements and infrastructure
  • Chapter Three: Cross-cutting legal and policy frameworks applicable to EU institutions and agencies
  • Chapter Four: Legal and policy frameworks covering policy domains unique to EU institutions and agencies
  • Chapter Five: Conclusions

Subjects: Cybersecurity; European Union; Science, Technology, and Innovation Policy
URL: https://www.rand.org/pubs/research_reports/RR557.html
Source think tank: RAND Corporation (United States)
Resource type: Think tank publication
Item identifier: http://119.78.100.153/handle/2XGU8XDN/522447
Recommended citation (GB/T 7714):
Neil Robinson, Jan Gaspers. Information Security and Data Protection Legal and Policy Frameworks Applicable to European Union Institutions and Agencies. 2014.
Files in this item
File name / size | Resource type | Version type | Access type | License
RAND_RR557.pdf (881KB) | Think tank publication | | Restricted access | CC BY-NC-SA
1596651469457.jpg (8KB, thumbnail) | Think tank publication | | Restricted access | CC BY-NC-SA