Written question on Microsoft vulnerabilities and the EU


Today I asked the Commission the following written question:

The recent WannaCry and Petya ransomware attacks once more highlighted the need to use the most up-to-date software to secure communications, data and critical infrastructure. Microsoft XP was particularly vulnerable to WannaCry, especially since no security updates had been provided by the company after 2014. Providing software updates after sales is a public good when critical infrastructure depends on legacy software.

1. The desktop computing environment of the European institutions has been dependent on Microsoft software products since 1993. What is the total value of all ongoing contracts between Microsoft and the European Commission?

2. DG DIGIT states that one of the "main challenges in the area of vulnerability management will be to systematically target and reduce structural vulnerabilities due to a legacy of information systems that have not been developed with security in mind and to achieve target patch rates of days and in critical cases of hours across the Commission".(*) How does the Commission assess its cooperation with Microsoft in this context?

3. In what ways can the European Union institutions, as customers of legacy software and as guardians of the public interest, ensure that software remains updated and safe, so as to avoid vulnerability to attacks?