The number of cyberattacks on EU institutions, bodies and agencies (EUIBAs) is increasing sharply. As EUIBAs are strongly interconnected, weaknesses in one can expose others to security threats. We examined whether the EUIBAs have adequate arrangements to protect themselves against cyber threats. We found that, overall, EUIBAs’ level of preparedness is not commensurate with the threats, and that they have very different levels of cybersecurity maturity. We recommend that the Commission improve EUIBAs’ preparedness by proposing the introduction of binding cybersecurity rules and an increase in resources for the Computer Emergency Response Team (CERT-EU). The Commission should also promote further synergies among EUIBAs, and CERT-EU and the European Union Agency for Cybersecurity should focus their support on less mature EUIBAs.
ECA special report pursuant to Article 287(4), second subparagraph, TFEU.