keyboard_tab Cyber Resilience Act 2023/2841 EN
BG CS DA DE EL EN ES ET FI FR GA HR HU IT LV LT MT NL PL PT RO SK SL SV print pdf
- 2 Art. 3 Definitions
- 3 Art. 21 Reporting obligations
CHAPTER I
GENERAL PROVISIONS
CHAPTER II
MEASURES FOR A HIGH COMMON LEVEL OF CYBERSECURITY
CHAPTER III
INTERINSTITUTIONAL CYBERSECURITY BOARD
CHAPTER IV
CERT-EU
CHAPTER V
COOPERATION AND REPORTING OBLIGATIONS
CHAPTER VI
FINAL PROVISIONS
- Union entities
- network and information system
- security of network and information systems
- cybersecurity
- highest level of management
- near miss
- incident
- major incident
- large-scale cybersecurity incident
- incident handling
- cyber threat
- significant cyber threat
- vulnerability
- cybersecurity risk
- cloud computing service
- article 32
- means 31
- incident 30
- eu / 26
- defined 24
- point 23
- directive 22
- significant 19
- union 18
- shall 17
- cybersecurity 12
- impact 9
- without 8
- report 8
- cert-eu 8
- union_entities 8
- cyber_threat 7
- pursuant 7
- entity 7
- which 7
- management 6
- incident’ 6
- regulation 6
- information 6
- treaty 6
- european 6
- undue 5
- delay 5
- functioning 5
- measures 4
- body 4
- event 4
- level 4
- within 4
- cyber_threat’ 4
- applicable 4
- incidents 4
- point 4
- entity’s 4
- risk 4
- definitions 4
- including 4
- state 4
- disruption 3
- response 3
- handling 3
- appropriate 3
- further 3
- environment 3
- iicb 3
Article 3
Definitions
For the purposes of this Regulation, the following definitions apply:
| (1) | ‘ Union_entities’ means the Union institutions, bodies, offices and agencies set up by or pursuant to the Treaty on European Union, the Treaty on the Functioning of European Union (TFEU) or the Treaty establishing the European Atomic Energy Community; |
| (2) | ‘ network_and_information_system’ means a network_and_information_system as defined in Article 6, point (1), of Directive (EU) 2022/2555; |
| (3) | ‘security of network_and_information_systems’ means security of network_and_information_systems as defined in Article 6, point (2), of Directive (EU) 2022/2555; |
| (4) | ‘ cybersecurity’ means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; |
| (5) | ‘ highest_level_of_management’ means a manager, management body or coordination and oversight body that is responsible for the functioning of a Union entity, at the most senior administrative level, with a mandate to adopt or authorise decisions in line with the high-level governance arrangements of that Union entity, without prejudice to the formal responsibilities of other levels of management for compliance and cybersecurity risk management in their respective areas of responsibility; |
| (6) | ‘ near_miss’ means a near_miss as defined in Article 6, point (5), of Directive (EU) 2022/2555; |
| (7) | ‘ incident’ means an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555; |
| (8) | ‘major incident’ means an incident which causes a level of disruption that exceeds a Union entity’s and CERT-EU’s capacity to respond to it or which has a significant impact on at least two Union_entities; |
| (9) | ‘large-scale cybersecurity incident’ means a large-scale cybersecurity incident as defined in Article 6, point (7), of Directive (EU) 2022/2555; |
| (10) | ‘ incident handling’ means incident handling as defined in Article 6, point (8), of Directive (EU) 2022/2555; |
| (11) | ‘ cyber_threat’ means a cyber_threat as defined in Article 2, point (8), of Regulation (EU) 2019/881; |
| (12) | ‘significant cyber_threat’ means a significant cyber_threat as defined in Article 6, point (11), of Directive (EU) 2022/2555; |
| (13) | ‘ vulnerability’ means a vulnerability as defined in Article 6, point (15), of Directive (EU) 2022/2555; |
| (14) | ‘ cybersecurity risk’ means a risk as defined in Article 6, point (9), of Directive (EU) 2022/2555; |
| (15) | ‘ cloud_computing_service’ means a cloud_computing_service as defined in Article 6, point (30), of Directive (EU) 2022/2555. |
Article 3
Definitions
For the purposes of this Regulation, the following definitions apply:
| (1) | ‘ Union_entities’ means the Union institutions, bodies, offices and agencies set up by or pursuant to the Treaty on European Union, the Treaty on the Functioning of European Union (TFEU) or the Treaty establishing the European Atomic Energy Community; |
| (2) | ‘ network_and_information_system’ means a network_and_information_system as defined in Article 6, point (1), of Directive (EU) 2022/2555; |
| (3) | ‘security of network_and_information_systems’ means security of network_and_information_systems as defined in Article 6, point (2), of Directive (EU) 2022/2555; |
| (4) | ‘ cybersecurity’ means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; |
| (5) | ‘ highest_level_of_management’ means a manager, management body or coordination and oversight body that is responsible for the functioning of a Union entity, at the most senior administrative level, with a mandate to adopt or authorise decisions in line with the high-level governance arrangements of that Union entity, without prejudice to the formal responsibilities of other levels of management for compliance and cybersecurity risk management in their respective areas of responsibility; |
| (6) | ‘ near_miss’ means a near_miss as defined in Article 6, point (5), of Directive (EU) 2022/2555; |
| (7) | ‘ incident’ means an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555; |
| (8) | ‘major incident’ means an incident which causes a level of disruption that exceeds a Union entity’s and CERT-EU’s capacity to respond to it or which has a significant impact on at least two Union_entities; |
| (9) | ‘large-scale cybersecurity incident’ means a large-scale cybersecurity incident as defined in Article 6, point (7), of Directive (EU) 2022/2555; |
| (10) | ‘ incident handling’ means incident handling as defined in Article 6, point (8), of Directive (EU) 2022/2555; |
| (11) | ‘ cyber_threat’ means a cyber_threat as defined in Article 2, point (8), of Regulation (EU) 2019/881; |
| (12) | ‘significant cyber_threat’ means a significant cyber_threat as defined in Article 6, point (11), of Directive (EU) 2022/2555; |
| (13) | ‘ vulnerability’ means a vulnerability as defined in Article 6, point (15), of Directive (EU) 2022/2555; |
| (14) | ‘ cybersecurity risk’ means a risk as defined in Article 6, point (9), of Directive (EU) 2022/2555; |
| (15) | ‘ cloud_computing_service’ means a cloud_computing_service as defined in Article 6, point (30), of Directive (EU) 2022/2555. |
Article 21
Reporting obligations
1. An incident shall be considered to be significant if:
| (a) | it has caused or is capable of causing severe operational disruption to the functioning of, or financial loss to, the Union entity concerned; |
| (b) | it has affected or is capable of affecting other natural or legal persons by causing considerable material or non-material damage. |
2. Union_entities shall submit to CERT-EU:
| (a) | without undue delay and in any event within 24 hours of becoming aware of the significant incident, an early warning, which, where applicable, shall indicate that the significant incident is suspected of being caused by unlawful or malicious acts or could have a cross-entity or a cross-border impact; |
| (b) | without undue delay and in any event within 72 hours of becoming aware of the significant incident, an incident notification, which, where applicable, shall update the information referred to in point (a) and indicate an initial assessment of the significant incident, including its severity and impact, as well as, where available, the indicators of compromise; |
| (c) | upon the request of CERT-EU, an intermediate report on relevant status updates; |
| (d) | a final report not later than one month after the submission of the incident notification under point (b), including the following:
|
| (e) | in the event of an ongoing incident at the time of the submission of the final report referred to in point (d), a progress report at that time and a final report within one month of their handling of the incident. |
3. A Union entity shall, without undue delay and in any event within 24 hours of becoming aware of a significant incident, inform any relevant Member State counterparts referred to in Article 17(1) in the Member State where it is located that a significant incident has occurred.
4. The Union_entities shall notify, inter alia, any information enabling CERT-EU to determine any cross-entity impact, impact on the hosting Member State or cross-border impact following a significant incident. Without prejudice to Article 12, the mere act of notification shall not subject the Union entity to increased liability.
5. Where applicable, Union_entities shall communicate, without undue delay, to the users of the network_and_information_systems affected, or of other components of the ICT environment, that are potentially affected by a significant incident or a significant cyber_threat, and, where appropriate, need to take mitigating measures, any measures or remedies that they can take in response to that incident or that threat. Where appropriate, Union_entities shall inform those users of the significant cyber_threat itself.
6. Where a significant incident or significant cyber_threat affects a network_and_information_system, or a component of a Union entity’s ICT environment that is knowingly connected with another Union entity’s ICT environment, CERT-EU shall issue a relevant cybersecurity alert.
7. The Union_entities, upon the request of CERT-EU, shall, without undue delay, provide CERT-EU with digital information created by the use of electronic devices involved in their respective incidents. CERT-EU may provide further details of the types of information that it requires for situational awareness and incident response.
8. CERT-EU shall submit to the IICB, ENISA, the EU INTCEN and the CSIRTs network, every three months, a summary report including anonymised and aggregated data on significant incidents, incidents, cyber_threats, near_misses and vulnerabilities pursuant to Article 20 and significant incidents notified pursuant to paragraph 2 of this Article. The summary report shall constitute an input to the biennial report on the state of cybersecurity in the Union adopted pursuant to Article 18 of Directive (EU) 2022/2555.
9. By 8 July 2024, the IICB shall issue guidelines or recommendations further specifying the arrangements for, and format and content of, the reporting pursuant to this Article. When preparing such guidelines or recommendations, the IICB shall take into account any implementing acts adopted pursuant to Article 23(11) of Directive (EU) 2022/2555 specifying the type of information, the format and the procedure of notifications. CERT-EU shall disseminate the appropriate technical details to enable proactive detection, incident response or mitigating measures by Union_entities.
10. The reporting obligations laid down in this Article shall not extend to:
| (a) | EUCI; |
| (b) | information the further distribution of which has been excluded by means of a visible marking, unless the sharing thereof with CERT-EU has been explicitly allowed. |
whereas