Entering into force on 7 January 2024, the new European Union regulation on cybersecurity represents an important step to increase the level of cybersecurity within EU institutions and bodies.
The Regulation aims to strengthen the cybersecurity of Union entities and, at the same time, to align the EU administration with the standards imposed on Member States, in line with the NIS 2 Directive on a common high level of cybersecurity. Its rapid adoption demonstrates the EU's commitment to the goal of greater cybersecurity. In a context where cyber threats are becoming increasingly pervasive and sophisticated, the Regulation plays a key role in ensuring an open, efficient, secure and resilient EU public administration, as highlighted by EU Commissioner Johannes Hahn.
In particular, the Regulation requires each Union entity to set up an internal framework for risk management, governance and control, and it creates a new Interinstitutional Cybersecurity Board (IICB) to monitor and support the implementation of the rules. The EU Computer Emergency Response Team (CERT-EU) is renamed the Cybersecurity Service for the Union institutions, bodies, offices and agencies, taking on a central role as a hub for threat intelligence and for the coordination of incident response.
Union entities will follow a timetable defined by the Regulation to establish internal cybersecurity governance processes and to progressively implement specific risk management measures. The IICB will become operational as soon as possible, with the aim of giving strategic direction to CERT-EU in its extended mandate, providing guidance and support to Union entities and monitoring the implementation of the Regulation.
The Regulation also provides that Union entities may notify incidents, cyber threats, vulnerabilities and near misses to CERT-EU, sharing the technical details that enable detection, mitigation and response to similar incidents in other Union entities. Each Union entity appoints a local cybersecurity officer, who facilitates the implementation of the Regulation and reports directly to the highest level of management.
The Regulation also contains criteria for determining whether a cyber attack has occurred and how severe it is, together with an operational protocol for reporting and information sharing. An incident is considered significant if it causes a serious operational disruption or substantial financial loss, or if it significantly affects other natural or legal persons. Union entities are required to submit an early warning to CERT-EU within 24 hours of becoming aware of a significant incident and a detailed notification within 72 hours.
This regulation represents an important step forward in protecting the European Union's critical infrastructures and managing the growing challenges posed by cyber threats. By implementing these measures, the EU positions itself as a leader in taking a proactive and comprehensive approach to cybersecurity.
For more information, see the full text of the Regulation.
#Regulation #Cybersecurity #strategy #greater #security #institutions