Cybersecurity at the European Union institutions, bodies, offices and agencies
SUMMARY OF:
Regulation (EU, Euratom) 2023/2841 laying down measures for a high common level of cybersecurity at the institutions, bodies, offices and agencies of the Union
WHAT IS THE AIM OF THE REGULATION?
The regulation aims to ensure a high common level of cybersecurity in all the European Union (EU) institutions, bodies, offices and agencies (defined therein as ‘Union entities’). It provides for:
- the establishment of an internal cybersecurity risk management, governance and control framework for each Union entity;
- cybersecurity risk management, reporting and information sharing;
- the creation of an Interinstitutional Cybersecurity Board (IICB) and the extension of the mandate for the Cybersecurity Service for the Union Institutions, Bodies, Offices and Agencies (CERT-EU);
- the monitoring of the regulation’s implementation.
KEY POINTS
Cybersecurity measures and timetable
The IICB will issue guidelines by 8 September 2024 to all Union entities to:
- carry out an initial cybersecurity review;
- establish an internal cybersecurity risk management, governance and control framework;
- perform cybersecurity maturity assessments;
- take cybersecurity risk management measures;
- adopt a cybersecurity plan.
Each Union entity will commit to the following.
- It will establish an internal cybersecurity risk management, governance and control framework by 8 April 2025. The framework will:
  - cover the Union entity’s entire unclassified ICT environment and be based on an all-hazards approach;
  - ensure a high level of cybersecurity and establish internal cybersecurity policies;
  - be reviewed regularly, in light of changing cybersecurity risks, and at least every 4 years.
- It will appoint a local cybersecurity officer as the single point of contact for all cybersecurity matters.
- It will carry out a cybersecurity maturity assessment by 8 July 2025, and at least every 2 years thereafter. Union entities with similar structures may cooperate in carrying out such assessments for their respective entities. The assessment will:
  - incorporate all the elements of the entity’s ICT environment;
  - include outside expertise, where appropriate.
- It will take appropriate and proportionate technical, operational and organisational measures by 8 September 2025 to manage the risks identified in the framework and prevent or minimise the impact of incidents.
- It will approve a cybersecurity plan without undue delay, and by 8 January 2026 at the latest. The plan will:
  - be revised every 2 years, or more frequently if necessary;
  - include the cyber crisis management plan for major incidents;
  - be submitted to the IICB.
The IICB:
- is responsible for:
  - monitoring and supporting the Union entities’ implementation of the regulation,
  - supervising CERT-EU’s implementation of its general priorities and objectives, and providing it with strategic direction;
- consists of representatives of Union entities, the head of CERT-EU and other relevant participants;
- designates a chair for a 3-year term, adopts its internal rules of procedure and meets at least 3 times a year;
- has specific tasks, such as adopting guidelines and recommendations for the Union entities, adopting a multiannual strategy to raise the level of cybersecurity in Union entities and establishing technical advisory groups;
- takes compliance measures towards a Union entity that does not effectively implement the regulation, guidelines, recommendations or calls for action.
CERT-EU:
- advises Union entities on cybersecurity, helps them prevent, detect, handle, mitigate, respond to and recover from incidents, and acts as their information exchange and incident response coordination hub;
- is integrated into the administrative structure of a European Commission directorate-general, and its head acts under the Commission’s authority and the IICB’s supervision for the application of administrative and financial procedures;
- collects, manages, analyses and shares information with Union entities on cyber threats, vulnerabilities and incidents in unclassified ICT infrastructure;
- carries out a wide range of tasks, such as offering standard computer security incident response team (CSIRT) services and maintaining a network of peers and partners;
- may cooperate with relevant cybersecurity communities within the EU and EU Member States;
- organises cybersecurity exercises;
- issues calls for action and proposals for guidelines and recommendations.
Reporting for significant incidents
An incident is considered significant if it has:
- caused or is capable of causing severe operational disruption to the functioning of, or financial loss to, the Union entity concerned;
- affected or is capable of affecting other natural or legal persons by causing considerable material or non-material damage.
Union entities will notify CERT-EU and inform relevant national authorities as soon as possible, within 24 hours of a significant incident, followed by detailed reporting to CERT-EU.
CERT-EU will:
- determine whether there is any cross-entity impact, and, if so, issue a cybersecurity alert;
- submit a summary report every 3 months to the IICB, the European Union Agency for Cybersecurity (ENISA), the European Union Intelligence and Situation Centre (EU INTCEN) and the CSIRTs network with anonymised and aggregated data on significant incidents, incidents, cyber threats, near misses and vulnerabilities.
The IICB will:
- issue guidelines or recommendations on:
  - the arrangements for, and format and content of, reporting for significant incidents by 8 July 2024,
  - incident response coordination and cooperation for significant incidents by 8 January 2025.
Major incidents
The IICB will establish a cyber crisis management plan that includes arrangements for coordination and information flow, standard operating procedures, classification of major incident severity and crisis triggering points, regular exercises and secure communication channels.
CERT-EU will:
- coordinate the management of major incidents among Union entities;
- maintain an inventory of available technical expertise;
- assist the IICB in coordinating Union entities’ cyber crisis management plans for major incidents.
Union entities will contribute to CERT-EU’s inventory of technical expertise.
Review
All processing of personal data by the Union entities, the IICB and CERT-EU must comply with EU data protection legislation, and in particular Regulation (EU) 2018/1725 (see summary).
FROM WHEN DOES THE REGULATION APPLY?
It entered into force on 7 January 2024.
BACKGROUND
In its March 2021 resolution, the Council of the European Union emphasised the importance of a robust and consistent security framework to protect all EU personnel, data, communication networks, information systems and decision-making processes.
The regulation contains rules that are consistent with Directive (EU) 2022/2555 (see summary) and aligns with it in terms of principles and level of ambition while respecting the specificity of Union entities.
MAIN DOCUMENT
Regulation (EU, Euratom) 2023/2841 of the European Parliament and of the Council of 13 December 2023 laying down measures for a high common level of cybersecurity at the institutions, bodies, offices and agencies of the Union (OJ L, 2023/2841, 18.12.2023).
RELATED DOCUMENTS
Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive) (OJ L 333, 27.12.2022, pp. 80–152).
Successive amendments to Directive (EU) 2022/2555 have been incorporated into the original text. This consolidated version is of documentary value only.
Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019 on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification and repealing Regulation (EU) No 526/2013 (Cybersecurity Act) (OJ L 151, 7.6.2019, pp. 15–69).
Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, pp. 39–98).
last update 22.04.2024