Dear Computer Emergency Response Team,
Under the right of access to documents in the EU treaties, as developed in Regulation 1049/2001, I am requesting documents which contain the following information:
- A list of all incident reports by EU institutions to CERT-EU since January 2018, including the organisation's name, a short summary of the event, the system that produced the alert, the system affected, the estimated impact and particularities.
Dear Computer Emergency Response Team,
Could you please acknowledge whether you have received my request?
Rue de la Loi 155
Thank you for your email and apologies for our delayed reply.
We treat our obligations under EU law with the utmost importance.
As you are no doubt aware, exceptions to this right of access are defined in Article 4(1a) of Regulation 1049/2001, including in situations where this could undermine the protection of the public interest as regards public security of the EU. Moreover, CERT-EU is not at liberty to share any incident-specific information related to its constituents without their prior consent, as they remain the sole owners of this data.
We trust we have answered your request satisfactorily.
Arthur de Liedekerke
Dear Mr. De Liedekerke Beaufort,
Thank you for your reply; however, you do not appear to clearly provide a reasoned rejection of my access to documents request. I kindly ask you to provide a formal reply. I would like to remind you in this context of Article 7(4) of Regulation 1049/2001.
Dear Mr. Fanta,
Thank you for your initial request of February 26 and for your follow-up messages of April 14 and April 15. My apologies for the delay in getting back to you.
I would like to add to the reply you received from my colleague Arthur de Liedekerke on April 15, and give you a reply of a more formal character, as you requested.
Under the rules on the organisation and operation of CERT-EU (Arrangement between the European Parliament, the European Council, the Council of the European Union, the European Commission, the Court of Justice of the European Union, the European Central Bank, the European Court of Auditors, the European Committee of the Regions and the European Investment Bank on the organisation and operation of a computer emergency response team for the Union’s institutions, bodies and agencies (CERT-EU) (2018/C 12/01), Official Journal of the European Union, C12/1 of 13.1.2018), Article 3.3, “[…] incident information communicated to CERT-EU shall not be shared outside CERT-EU, even in anonymised form, unless the affected constituent has given its consent. […]”.
Incident information is shared by EU institutions, bodies and agencies or other organisations with CERT-EU for purposes of investigation and incident response support, in order to protect their networks and systems. Consent for sharing is only given for these specific operational purposes and solely for sharing with these organisations, and the information is rarely disseminated other than in an anonymised form. Wider disclosure would highlight potential weaknesses and vulnerabilities in their ICT infrastructure, significantly prejudicing the collective cyber security of all EU institutions, bodies and agencies.
To bring this in the context of Regulation 1049/2001, the following exceptions apply:
- It concerns third-party documents in the sense of Article 4.4, and it is clear that the documents should not be disclosed.
- Disclosure would undermine the protection of the purpose of investigations in the sense of Article 4.2, third indent, and hence access is to be refused.
- Disclosure would undermine the protection of the public interest as regards public security in the sense of Article 4.1, first indent, and hence access is to be refused.
In light of the foregoing considerations, CERT-EU is not in a position to share the requested information with you.
In accordance with Article 7.2, I inform you that you have the right to make a confirmatory application.
With kind regards,
Rogier Holla
Deputy Head of CERT-EU
Computer emergency response team for the EU institutions, bodies and agencies