New rules to boost cybersecurity in EU entities
On 22 March 2022, the Commission proposed new rules to establish common cybersecurity and information security measures across the EU institutions, bodies, offices and agencies. The political agreement was reached between the European Parliament and the Council on the regulation proposed by the Commission on 26 June 2023 and the new regulation entered into force on 7 January 2024. According to the justification of the proposal, from 2019 to 2021, the number of significant incidents affecting Union institutions, bodies and agencies, authored by advanced persistent threat actors, has surged dramatically. CERT-EU (Computer Emergency Response Team for the EU institutions, bodies, offices and agencies) has conducted an assessment of the principal cyber threats to which Union institutions, bodies and agencies are currently exposed or are likely to be exposed to in the foreseeable future.
The analysis of the Union entities showed that their governance, cyber-hygiene, overall capability and maturity vary over a broad spectrum. Therefore, the Commission decided that requiring them to implement a baseline of cybersecurity measures is instrumental to address this disparity in maturity and to bring all of the entities to a high common level of cybersecurity.
The Commission stated that the regulation will put in place a framework for governance, risk management and control across EU entities in cybersecurity, with a new inter-institutional Cybersecurity Board to monitor its implementation. The institutions, bodies and agencies shall moreover adopt a cybersecurity baseline to address the risks identified under the framework, carry out regular cybersecurity maturity assessments and adopt a cybersecurity plan. The regulation will also extend the mandate of the CERT-EU, as a threat intelligence, information exchange and incident response coordination hub, a central advisory body, and a service provider. CERT-EU will be renamed to “Cybersecurity Service for the Union institutions, bodies, offices and agencies” to reflect its new mandate while keeping the short name CERT-EU for recognition purposes.
The Commission expects that the new regulation will contribute to ensuring higher levels of cybersecurity in the EU administration and be better prepared to face future challenges.