The Commission welcomes the political agreement reached between the European Parliament and the Council of the EU on the Regulation proposed by the Commission laying down measures for a high common level of cybersecurity at the institutions, bodies, offices and agencies of the Union. Negotiations have now concluded, paving the way for final approval of the legal text by the European Parliament and the Council.
The Commission announced the proposal for the Cybersecurity Regulation in March 2022. This Regulation will put in place a framework for governance, risk management and control across EU entities in cybersecurity, with a new inter-institutional Cybersecurity Board to monitor its implementation. It will also extend the mandate of the Computer Emergency Response Team for the EU institutions, bodies, offices and agencies (CERT-EU), as a threat intelligence, information exchange and incident response coordination hub, a central advisory body, and a service provider. CERT-EU will be renamed to ‘Cybersecurity Service for the Union institutions, bodies, offices and agencies’ to reflect its new mandate while keeping the short name CERT-EU for recognition purposes.
The key elements of the proposal for all EU institutions, bodies, offices and agencies are the following:
- Have a framework for governance, risk management and control in the area of cybersecurity;
- Conduct regular maturity assessments;
- Implement cybersecurity measures addressing the identified risks;
- Put in place a plan for improving their cybersecurity;
- Share incident-related information with CERT-EU without undue delay.
Once the text is finalised, the European Parliament and the Council will have to formally adopt the new Regulation before it can enter into force. Union entities will then be required to comply with the obligations and meet the deadlines specified in the text. This will contribute to ensuring higher levels of cybersecurity in the EU administration and be better prepared to face future challenges.
In its resolution from March 2021, the Council of the European Union stressed the importance of a robust and consistent security framework to protect all EU personnel, data, communication networks, information systems and decision-making processes. This can only be achieved through enhanced resilience and improved security culture of the EU institutions, bodies, offices and agencies.
Following the EU Security Union Strategy and the EU Cybersecurity Strategy, the Cybersecurity Regulation will ensure consistency with existing EU cybersecurity policies, in full alignment with current European legislation:
- The Directive on measures for a high common level of cybersecurity across the Union (‘NIS 2′), with which this legislation is aligned in terms of principles and level of ambition, while respecting the specificities of Union entities;
- The Cybersecurity Act;
- The Commission Recommendation on coordinated response to large-scale cybersecurity incidents and crises.