
EU Information Security Regulation Explained: Harmonization of information protection and sharing standards, proposed institutional coordination group

According to the official website of the European Commission, on March 22, local time, the European Commission simultaneously issued a proposal for an Information Security Regulation (hereinafter the "Information Security Regulation") and a proposal for a Cybersecurity Regulation (hereinafter the "Cybersecurity Regulation"), aiming to strengthen its ability to respond to cyber threat incidents and to secure European public administration.

Image: Official website of the European Commission

It is worth noting that the Information Security Regulation intends to require the establishment of an Information Security Coordination Group composed of the security authorities of EU institutions, giving it the power to draw up supporting guidance documents and take cybersecurity measures. The group is required to maintain regular contact with the national security authorities of the member states and to meet in the form of an Information Security Committee to provide advice.

Experts told Nandu reporters that the regulation would help coordinate the actions of all EU institutions and bodies by providing unified guidance for their information security work. It would also simplify the practical operation of information security, improve the efficiency of communication and cooperation, and remove obstacles to the exchange of information between institutions.

1. Minimum standards applicable to all institutions

"EU institutions and bodies have either developed their own information security rules under their rules of procedure or founding act, or have none at all; they lack a formal information security code." Against this background, the Information Security Regulation states that it aims to create minimum information security standards that apply to all Union institutions and to all information stored and processed by EU institutions and bodies.

Before the Information Security Regulation was proposed, the EU had made several attempts to establish common information security measures across its institutions, dating back to a directive adopted by the European Parliament and the Council in July 2016 on measures to improve the overall security level of EU networks and information systems, the first legislative measure within the EU aimed at strengthening cybersecurity cooperation among member states.

In July 2020, the European Commission adopted the Security Alliance Strategy, which proposes to create a minimum set of information security norms across all EU institutions in an attempt to establish the same level of information protection standards in European administrations. In December of the same year, the European Commission adopted the Cybersecurity Strategy, which identifies priority measures and key actions to be taken in the face of cyber threat incidents, and proposes that institutions should establish equal information security standards.

"This proposal is part of the European Security Union Strategy and aims to improve its regulatory framework." According to the text of the Information Security Regulation, its overall goal is to achieve a high common level of security for unclassified and classified information stored and processed by EU institutions and bodies, so that European administrations are protected from external interference and espionage.

Johannes Hahn, the EU Commissioner for Budget and Administration, said in a statement on the proposal that in a connected environment a single cybersecurity incident can affect an entire organization, so a strong barrier against cyber threats needs to be built. The Information Security Regulation is a milestone in the field of information security in the EU and is the result of a collective EU effort based on coherence and mutual support among EU institutions.

2. Jointly building unified network and information security

On the same day that the Information Security Regulation was published, the European Commission also published the Cybersecurity Regulation, which aims to establish a risk control and governance framework in the field of cybersecurity. The Cybersecurity Regulation requires the establishment of a Cybersecurity Board among EU institutions to facilitate implementation of the proposal, and requires each institution to conduct a cybersecurity maturity assessment at least every three years covering all elements of its environment.

Wang Xinrui, a partner at Shihui Law Firm, pointed out, in describing the relationship between the two proposals, that the Information Security Regulation and the Cybersecurity Regulation together establish a cross-institutional cooperation model based on common standards and procedures, and on that basis build a security governance framework for cybersecurity risk control and the safeguarding of information exchange. "For example, the establishment of an Information Security Coordination Group in the Information Security Regulation and the establishment of a Cybersecurity Board in the Cybersecurity Regulation are both aimed at promoting and supervising the implementation of the relevant proposals."

Wu Shenkuo, assistant dean of the Internet Development Research Institute of Beijing Normal University, PhD supervisor and deputy director of the Research Center of the Internet Society of China, believes that the Information Security Regulation focuses on the content governance of EU institutions from the perspective of information security, emphasizing classic information security elements such as information classification, while the Cybersecurity Regulation emphasizes building cybersecurity capabilities at the technical and organizational management levels.

In the view of Senior Data Lawyer Yuan Lizhi, the common goal of the two proposals is to strengthen coordination and unification among EU institutions and organizations at the level of cybersecurity and information security.

"With the large number and expansion of EU institutions, there is a lack of unified coordination between institutions in cybersecurity and information security management." He explained that the two proposals address different issues and areas: cybersecurity is relatively broader, targeting the various threats faced by networks and information systems, their users and related parties, while information security focuses on ensuring that information is authentic, confidential, complete and available.

"Specifically, the provisions of the Cybersecurity Regulation are relatively simple, mainly establishing a governance framework without providing specific rules or security measures; the content of the Information Security Regulation is relatively more specific, and it will set detailed rules for how information is classified, managed and circulated between institutions."

3. Defining information classification criteria in descriptive language

A report released by the World Economic Forum (WEF) in January identified cybersecurity threats as one of the top risks facing the world. The frequency of malicious cyber activities around the world has prompted countries to continuously improve their response speed and capacity.

The Information Security Regulation proposes to establish an Information Security Coordination Group composed of the security authorities of the EU institutions, giving it the power to develop supporting guidance documents for the implementation of the regulation and, where appropriate, to take cybersecurity measures. The Information Security Coordination Group is required to maintain regular contact with the national security authorities of the member states and to meet in the form of an Information Security Committee to provide advice.

To prevent duplication of effort among security authorities, the Information Security Coordination Group is also to have five thematic sub-groups: the Permanent Information Assurance Group, the Non-Classified Information Group, the Physical Security Group, the Information Systems Storage and Processing Accreditation Group, and the Sensitive Classified Information Sharing Group. These sub-groups are composed of experts in the respective areas of competence.

"This can coordinate the actions of the entire EU institutions and entities to provide uniform guidance for their information security procedures." Wang Xinrui pointed out that the regulations are conducive to simplifying the actual operation process of information security and improving the efficiency of communication and cooperation.

Yuan Lizhi holds a similar view. He added that there are many EU institutions, that the bodies and structures responsible for information security management are complex, and that the lack of uniformity may obstruct information exchange between institutions and even create information security risks. "In terms of positioning, it only establishes an inter-agency coordination group, not a mandatory body, and plays a role in harmonizing standards and practices."

Regarding the classification of information, the Information Security Regulation proposes that EU institutions and bodies shall assess and classify all information they store and process, and that they are obliged to take the necessary security measures in accordance with the requirements of information security risk management. Non-classified information is divided into information for public use, normal information and sensitive non-classified information, and classified information is divided into four levels: top secret, secret, confidential and restricted.

Specifically, the levels are defined by the degree of harm that unauthorized disclosure would cause: the top secret level is defined as "information and material whose unauthorized disclosure is likely to cause exceptionally serious harm to the fundamental interests of one or more EU member states"; the secret level corresponds to "serious harm"; the confidential level to "likely to cause harm"; and the restricted level is defined as "information and material whose disclosure may be detrimental to the interests of one or more EU member states".

Yuan Lizhi believes that before the Information Security Regulation, EU institutions and bodies already had their own information classification standards, and a unified law is needed to harmonize them. The Information Security Regulation gives a descriptive definition of each classification level, sometimes combined with examples, but does not necessarily include specific quantitative criteria, and relevant guidelines may be issued in the future to further guide its implementation.

"Taking protection measures after classifying information is a practice shared by many countries in ensuring information security." He commented, "Taking the mainland as an example, for information other than state secrets, we have established core data and important data protection systems; these ideas are similar."

4. Unified information sharing standards facilitate data circulation

Since the global outbreak of COVID-19, digital technology has occupied an important place in modern life. The background section of the Information Security Regulation points out that the pandemic has brought major changes to the way the public works and lives, that remote communication tools now play an important role, and that laws and regulations on information processing and protection must do so as well.

The European Commission's official website highlights that the Information Security Regulation reflects the trend toward modernizing information security policy, including support for digital transformation and remote work. In Wang Xinrui's view, three aspects of the text confirm this.

First, to adapt to the new practice of remote work, the Information Security Regulation requires that networks used to connect to the remote access services of EU institutions be protected by appropriate security measures; second, in information security risk management, personnel who access information remotely are also taken into account; third, the Information Security Regulation broadly emphasizes the protection of communication and information systems and sets out a series of security safeguards.

In Yuan Lizhi's view, the digital trend in information security strategy embodied in the Information Security Regulation is obvious. In the mobile Internet environment, the traditional information systems that were easy to manage in the past have been replaced. As remote communication tools play an important role, data flows will become more frequent, and the interaction between personal communication devices and institutional systems will also face hidden risks. "When applying new technologies and updating information systems, the corresponding security safeguards must naturally be adjusted accordingly."

The Information Security Regulation intends to provide that all EU institutions and bodies may share classified information with other entities, provided that this is confirmed to be necessary to safeguard their common interests and that recipients of classified information can guarantee a minimum standard of information protection no lower than that set out in the regulation.

In addition, the Sensitive Classified Information Sharing Group is to be given full responsibility, together with the national security authorities of the member states, for organizing visits to and assessments of the organizations involved in information sharing, and for issuing reports.

"This is mainly to solve the problem of information and data reuse." Wu Shenkuo said that there are still some difficulties in implementing the provisions: on the one hand, the format and logic of information and data still need to be refined, and on the other hand, the sharing mechanism must be reconciled with other rights and interests such as personal information protection. Wang Xinrui believes that in practice it may face problems such as insufficient willingness to share and difficulty in meeting the EU's higher assessment requirements.

Speaking of information sharing, Yuan Lizhi said that the regulations make up for two loopholes in the information sharing process.

On the one hand, obstruction of the normal transmission of information must be avoided: for example, when institutions must share certain information with each other to achieve public policy purposes, non-uniform implementation standards among the parties may prevent that information from being transmitted normally, so that the efficiency of the institutions' work suffers.

On the other hand, when the level of information protection varies greatly between different institutions, inconsistent protection and sharing standards may lead to security risks. "Now the loopholes on both sides have been closed."

Written by: Nandu trainee reporter Fan Wenyang intern Ji Hanya
