On 22 March, the Commission proposed new rules to establish common cybersecurity and information security measures across the EU institutions, bodies, offices and agencies. The proposal aims to bolster their resilience and response capacities against cyber threats and incidents, and to ensure a resilient, secure EU public administration amid rising malicious cyber activity in the global landscape.
Commissioner for Budget and Administration, Johannes Hahn, said: “In a connected environment, a single cybersecurity incident can affect an entire organisation. This is why it is critical to build a strong shield against cyber threats and incidents that could disturb our capacity to act. The regulations we are proposing today are a milestone in the EU cybersecurity and information security landscape. They are based on reinforced cooperation and mutual support among EU institutions, bodies, offices and agencies and on a coordinated preparedness and response. This is a real EU collective endeavour.”
The proposed Cybersecurity Regulation will put in place a framework for governance, risk management and control in the cybersecurity area. It will lead to the creation of a new inter-institutional Cybersecurity Board, boost cybersecurity capabilities, and stimulate regular maturity assessments and better cyber-hygiene. It will also extend the mandate of the Computer Emergency Response Team for the EU institutions, bodies, offices and agencies (CERT-EU), as a threat intelligence, information exchange and incident response coordination hub, a central advisory body, and a service provider.
Key elements of the proposal for a Cybersecurity Regulation:
- Strengthen the mandate of CERT-EU and provide the resources it needs to fulfil it;
- Require all EU institutions, bodies, offices and agencies to:
  - Have a framework for governance, risk management and control in the area of cybersecurity;
  - Implement a baseline of cybersecurity measures addressing the identified risks;
  - Conduct regular maturity assessments;
  - Put in place a plan for improving their cybersecurity, approved by the entity’s leadership;
  - Share incident-related information with CERT-EU without undue delay.
- Set up a new inter-institutional Cybersecurity Board to drive and monitor the implementation of the regulation and to steer CERT-EU;
- Rename CERT-EU from ‘Computer Emergency Response Team’ to ‘Cybersecurity Centre’, in line with developments in the Member States and globally, but keep the short name ‘CERT-EU’ for name recognition.
Information Security Regulation
The proposed Information Security Regulation will create a minimum set of information security rules and standards for all EU institutions, bodies, offices and agencies to ensure an enhanced and consistent protection against the evolving threats to their information. These new rules will provide a stable ground for a secure exchange of information across EU institutions, bodies, offices and agencies and with the Member States, based on standardised practices and measures to protect information flows.
Key elements of the proposal for an Information Security Regulation:
- Set up efficient governance to foster cooperation across all EU institutions, bodies, offices and agencies, namely an inter-institutional Information Security Coordination Group;
- Establish a common approach to information categorisation based on the level of confidentiality;
- Modernise the information security policies, fully including digital transformation and remote work;
- Streamline current practices and achieve greater compatibility between the relevant systems and devices.
Source: European Commission