Security and privacy is a component of the European Interoperability Framework its Conceptual model for integrated public services provision.


Security and privacy are primary concerns in the provision of public services. Public administrations should ensure that:

  • they follow the privacy-by-design and security-by-design approach to secure their complete infrastructure and building blocks;
  • services are not vulnerable to attacks which might interrupt their operation and cause data theft or data damage; and
  • they are compliant with the legal requirements and obligations regarding data protection and privacy acknowledging the risks to privacy from advanced data processing and analytics.

Public administrations should also ensure that controllers comply with data protection legislation, by covering the following points.

  • Risk management plans’ to identify risks, assess their potential impact and plan responses with appropriate technical and organisational measures. Based on the latest technological developments, those measures must ensure that the level of security is commensurate with the degree of risk;
  • Business continuity plans’ and ‘Back-up and recovery plans’ to put in place the procedures needed for functions to operate after a disastrous event and bring all functions back to normal the earliest possible;
  • A ‘data access and authorisation plan’ which determines who has access to what data and under what conditions, to ensure privacy. Unauthorised access and security breaches should be monitored and appropriate actions should be taken to prevent any recurrence of breaches;
  • Use of qualified trust services in line with the eIDAS regulation1 to ensure the integrity, authenticity, confidentiality and non-repudiation of data.

When public administrations and other entities exchange official information, the information should be transferred, depending on security requirements, via a secure, harmonised, managed and controlled network.2 Transfer mechanisms should facilitate information exchanges between administrations, businesses and citizens that are:

  • registered and verified, so that both sender and receiver have been identified and authenticated through agreed procedures and mechanisms;
  • encrypted, so that the confidentiality of the exchanged data is ensured;
  • time stamped, to maintain accurate time of electronic records’ transfer and access;
  • logged, for electronic records to be archived, thus ensuring a legal audit trail.

Appropriate mechanisms should allow secure exchange of electronically verified messages, records, forms and other kinds of information between the different systems; should handle specific security requirements and electronic identification and trust services such as electronic signatures/seals creation and verification; and should monitor traffic to detect intrusions, changes of data and other type of attacks.

Information must also be appropriately protected during transmission, processing and storage by different security processes such as:

  • defining and applying security policies;
  • security training and awareness;
  • physical security (including access control);
  • security in development;
  • security in operations (including security monitoring, incident handling, vulnerability management);
  • security reviews (including audits and technical checks).

As data from different Member States may be subject to different data protection implementation approaches, common requirements for data protection should be agreed before providing aggregated services.


The provision of secure data exchange also requires several management functions, including:

  • service management to oversee all communications on identification, authentication, authorisation, data transport, etc., including access authorisations, revocation and audit;
  • service registration to provide, subject to proper authorisation, access to available services through prior localisation and verification that the service is trustworthy;
  • service logging to ensure that all data exchanges are logged for future reference and archived when necessary.

These are recommendations for interoperability governance:


Source: European Interoperability Framework - Promoting seamless services and data flows for European public administrations, COM(2017)134, 23 March 2017, url (Available in the languages of the EU Member States)