Commission Decision (EU, Euratom) 2017/46 of 10 January 2017 on the security of communication and information systems in the European Commission
This is the original version as it was originally adopted in the EU.
1. The Directorate-General for Informatics is responsible for providing the principal operational IT security incident response capability within the European Commission.

2. The Directorate-General for Human Resources and Security as contributing stakeholders to the IT security incident response shall:

(a) have the right to access summary information for all incident records and full records upon request;

(b) participate in IT security incidents crisis management groups and IT security emergency procedures;

(c) be in charge of relations with law enforcement and intelligence services;

(d) perform forensic analysis regarding cyber-security in accordance with Article 11 of Decision (EU, Euratom) 2015/443;

(e) decide on the need to launch a formal inquiry;

(f) inform the Directorate-General for Informatics of any IT security incidents that may present a risk to other CISs.

3. Regular communications shall take place between the Directorate-General for Informatics and the Directorate-General for Human Resources and Security to exchange information and coordinate the handling of security incidents, in particular any IT security incident that may require a formal inquiry.

4. The incident coordination services of Computer Emergency Response Team for the European institutions, bodies and agencies (‘CERT-EU’) may be used to support the incident handling process when appropriate and for knowledge sharing with other EU institutions and agencies that may be affected.

5. System owners involved in an IT security incident shall:

(a) immediately notify their Head of Commission Departments, the Directorate-General for Informatics, the Directorate-General for Human Resources, the LISO and, where appropriate, the data owner of any major IT security incidents, in particular those involving a breach of data confidentiality;

(b) cooperate and follow the instructions of the relevant Commission authorities on incident communication, response and remediation.

6. Users shall report all actual or suspected IT security incidents to the relevant IT helpdesk in a timely manner.

7. Data owners shall report all actual or suspected IT security incidents to the relevant IT security incident response team in a timely manner.

8. The Directorate-General for Informatics, with support from the other contributing stakeholders, is responsible for handling any IT security incident detected in relation to Commission CISs that are not outsourced systems.

9. The Directorate-General for Informatics shall inform affected Commission departments about IT security incidents, the relevant LISOs and, where appropriate, the CERT-EU on a need-to-know basis.

10. The Directorate-General for Informatics shall regularly report on major IT security incidents affecting the Commission's CIS to the ISSB.

11. The relevant LISO shall, upon request, have access to IT security incident records concerning the CIS of the Commission department.

12. In case of a major IT security incident, the Directorate-General for Informatics shall be the contact point for the management of the crisis situations by coordinating the IT security incidents crisis management groups.

13. In case of an emergency the Director-General of the Directorate-General for Informatics can decide to launch an IT security emergency procedure. The Directorate-General for Informatics shall develop emergency procedures to be approved by the ISSB.

14. The Directorate-General for Informatics shall report on the execution of emergency procedures to the ISSB and the heads of Commission departments affected.

The processes related to these responsibilities and activities shall be further detailed in implementing rules.