The chair of the European Council and the Parliament negotiators have reached a provisional agreement on a regulation aimed at ensuring a high common level of cybersecurity in the EU institutions, bodies, offices and agencies.
The measures were proposed by the Commission in March 2022 in the context of a significant increase in the number of sophisticated cyberattacks affecting the EU’s public administrations in recent years.
The new regulation will create a common framework for all EU entities in the field of cybersecurity and improve their resilience and incident response capability. The new rules should help EU entities prevent and counter cyberattacks, which have become increasingly frequent in recent years.
To ensure high common standards among EU institutions, the new rules require them to establish a framework for governance, risk management and control in the field of cybersecurity.
All Union entities will also have to implement cybersecurity measures to address identified risks, conduct regular cybersecurity maturity assessments and implement a cybersecurity plan.
With the new regulation, the mandate of the EU’s Computer Emergency Response Team (CERT-EU) will also be strengthened, and the team will be renamed the Cybersecurity Service for the Union Institutions, Bodies, Offices and Agencies, while keeping the current acronym.
CERT-EU will advise all EU bodies and help them to prevent, detect and respond to incidents. Additionally, it will serve as a hub for sharing information and coordinating efforts related to cybersecurity and responding to incidents. All EU entities will have to share unclassified incident-related information with CERT-EU without undue delay.
Furthermore, the newly introduced regulation will create an interinstitutional Cybersecurity Board responsible for overseeing and ensuring the implementation of the regulation across the various EU agencies.
The new board will also oversee CERT-EU’s implementation of overall priorities and objectives and provide it with strategic direction. The board will consist of representatives of all EU institutions and advisory bodies, the European Investment Bank, the European Cybersecurity Competence Center, the European Union Agency for Cybersecurity (ENISA), the European Data Protection Supervisor, the EU Agency for the Space Programme, as well as representatives of the EU Agencies Network. The European Commission will be responsible for providing the Secretariat of the board.
The provisional agreement will now be finalised at technical level, following which it will be submitted to the EU ambassadors of member states for confirmation. Once it receives confirmation from both the Council and the Parliament, the agreement will be formally adopted by both institutions.
In its 20 June 2019 conclusions, the European Council called upon the EU institutions, in collaboration with member states, to work on initiatives aimed at strengthening resilience and fostering a stronger security culture within the EU. These measures aim to address cyber and hybrid threats originating from outside the EU, as well as to enhance the protection of the EU’s information and communication networks and safeguard its decision-making processes from all kinds of malicious activities.
The regulation is one of the measures envisaged in the EU Cybersecurity Strategy for the Digital Decade, presented by the Commission and the High Representative of the Union for Foreign Affairs and Security Policy in December 2020 to strengthen the EU’s collective resilience to cyberthreats.
In its 22 March 2021 conclusions on this strategy, the Council emphasised the critical importance of cybersecurity for the effective operation of public administrations and institutions, at both the national and EU levels. Furthermore, cybersecurity was recognised as indispensable for the well-being of our society and the overall functioning of our economy.