New EU Cybersecurity Regulation Strengthens Resilience

New Cybersecurity Regulation Strengthens EU Institutions' Cyber Resilience

The European Union’s new Cybersecurity Regulation, which entered into force on January 7, 2024, lays out a comprehensive framework to enhance the cybersecurity of all EU institutions, bodies, offices, and agencies. The Regulation establishes an internal cybersecurity risk management, governance, and control framework for each Union entity and sets up a new Interinstitutional Cybersecurity Board (IICB) to monitor and support its implementation.

EU Cybersecurity Service for information exchange and incident coordination

The Regulation also extends the mandate of the Computer Emergency Response Team for the EU institutions (CERT-EU), strengthening its role as an information exchange platform and incident response coordination centre. CERT-EU has been renamed EU Cybersecurity Service for the Union institutions (CERT-EU) while retaining its acronym.

Key provisions of the Cybersecurity Regulation include:

  1. Establishment of Internal Cybersecurity Governance: EU entities must establish internal cybersecurity governance processes to identify, assess, and manage cybersecurity risks.

  2. Interinstitutional Cybersecurity Board (IICB): The IICB will provide strategic guidance and support to EU entities in implementing the Regulation and overseeing CERT-EU’s activities.

  3. Extended Mandate for CERT-EU: CERT-EU will play a more prominent role in coordinating cybersecurity incident response and providing threat intelligence and guidance.

  4. Alignment with EU Security and Cybersecurity Strategies: The Regulation aligns with the EU’s overall security and cybersecurity strategies, ensuring consistency with existing cybersecurity frameworks.

  5. Coordinated Response to Large-Scale Cyber Incidents: The Regulation complements the Commission’s Recommendation on coordinated response to large-scale cybersecurity incidents and crises.

Commenting on the Regulation’s entry into force, Commissioner for Budget and Administration Johannes Hahn emphasised the importance of cybersecurity in safeguarding the EU’s public administration. “As cyber threats become more prevalent and sophisticated, achieving a high common level of cybersecurity across Union entities is essential for an open, efficient, secure, and resilient EU public administration,” Hahn stated.

The Regulation marks a significant step forward in strengthening the cybersecurity of EU institutions and aligning them with the standards imposed on Member States through initiatives like the Directive on high common levels of cybersecurity across the Union (NIS 2). The Regulation also paves the way for the parallel Information Security Regulation, which aims to establish minimum information security rules and standards for all EU institutions.

The European Commission calls upon the co-legislators to swiftly engage in negotiations for the Information Security Regulation to further enhance the cybersecurity posture of the EU’s public administration.
