Information security in the institutions, bodies, offices and agencies of the Union
With the European Parliament, which is preparing its first-reading position.
Last active 16 Oct 2025
What this bill does
In plain terms: what it changes and who it affects.
It sets common Union-wide rules to protect information handled and stored by EU institutions and bodies.
Who it affects
It affects EU institutions, bodies, offices and agencies that handle or store sensitive and classified information. It also affects contractors, beneficiaries, and other outside parties that receive such information through EU work.
Core of the proposal
- Creates common categories and handling rules for non-classified information and EU classified information.
- Requires each institution or body to run its own information-security risk management and name a Security Authority.
- Sets shared cooperation structures, including a Coordination Group and specialist sub-groups.
- Imposes rules for access control, physical security, secure systems, classified contracts, and information sharing.
Key provisions
- Takes effect: It enters into force on the twentieth day after publication in the Official Journal and applies from the first day of the month after two years.
- Transitional law: Existing internal rules must be reviewed within three years of entry into force; prior suitability assessments and existing administrative arrangements are preserved, and one grant security framework continues until the grant ends.
Latest update
05 Jun 2026
The most recent development in this bill's progress.
1st reading – Council of the EU → 1st reading – European Parliament
Documents
1 recent
Sources: OEIL, EUR-Lex, EU Law Tracker