keyboard_tab Cyber Resilience Act 2023/2841 EN
BG CS DA DE EL EN ES ET FI FR GA HR HU IT LV LT MT NL PL PT RO SK SL SV print pdf
- Art. 1 Subject matter
- Art. 2 Scope
- Art. 3 Definitions
- Art. 4 Processing of personal data
- Art. 5 Implementation of measures
- Art. 6 Cybersecurity risk-management, governance and control framework
- Art. 7 Cybersecurity maturity assessments
- Art. 8 Cybersecurity risk-management measures
- Art. 9 Cybersecurity plans
- Art. 10 Interinstitutional Cybersecurity Board
- Art. 11 Tasks of the IICB
- Art. 12 Compliance
- Art. 13 CERT-EU mission and tasks
- Art. 14 Guidelines, recommendations and calls for action
- Art. 15 Head of CERT-EU
- Art. 16 Financial and staffing matters
- Art. 17 Cooperation of CERT-EU with Member State counterparts
- Art. 18 Cooperation of CERT-EU with other counterparts
- Art. 19 Information handling
- Art. 20 Cybersecurity information-sharing arrangements
- Art. 21 Reporting obligations
- Art. 22 Incident response coordination and cooperation
- Art. 23 Management of major incidents
- Art. 24 Initial budgetary reallocation
- Art. 25 Review
- Article 26 Entry into force
CHAPTER I
GENERAL PROVISIONS
CHAPTER II
MEASURES FOR A HIGH COMMON LEVEL OF CYBERSECURITY
CHAPTER III
INTERINSTITUTIONAL CYBERSECURITY BOARD
CHAPTER IV
CERT-EU
CHAPTER V
COOPERATION AND REPORTING OBLIGATIONS
CHAPTER VI
FINAL PROVISIONS
- Union entities
- network and information system
- security of network and information systems
- cybersecurity
- highest level of management
- near miss
- incident
- major incident
- large-scale cybersecurity incident
- incident handling
- cyber threat
- significant cyber threat
- vulnerability
- cybersecurity risk
- cloud computing service
- shall 19
- cybersecurity 18
- union 18
- entity 15
- framework 12
- regulation 9
- implementation 8
- cert-eu 7
- local 6
- each 6
- article 5
- officer 5
- the 5
- highest_level_of_management 5
- basis 5
- level 4
- concerned 4
- officials 4
- staff 4
- tasks 3
- regular 3
- without 3
- environment 3
- within 3
- obligations 3
- entity’s 3
- establish 3
- equivalent 3
- risk-management 3
- networks 2
- mechanisms 2
- connected 2
- responsibility 2
- appointed 2
- appropriate 2
- ensure 2
- each 2
- devices 2
- updated 2
- pursuant 2
- established 2
- board 2
- percentage 2
- interinstitutional 2
- from 2
- account 2
- control 2
- tasked 2
- effective 2
- service 2
Article 6
Cybersecurity risk-management, governance and control framework
1. By 8 April 2025, each Union entity shall, after carrying out an initial cybersecurity review, such as an audit, establish an internal cybersecurity risk-management, governance and control framework (the ‘Framework’). The establishment of the Framework shall be overseen by and under the responsibility of the Union entity’s highest_level_of_management.
2. The Framework shall cover the entirety of the unclassified ICT environment of the Union entity concerned, including any on-premises ICT environment, operational technology network, outsourced assets and services in cloud computing environments or hosted by third parties, mobile devices, corporate networks, business networks not connected to the internet and any devices connected to those environments (ICT environment). The Framework shall be based on an all-hazards approach.
3. The Framework shall ensure a high level of cybersecurity. The Framework shall establish internal cybersecurity policies, including objectives and priorities, for the security of network_and_information_systems, and the roles and responsibilities of the Union entity’s staff tasked with ensuring the effective implementation of this Regulation. The Framework shall also include mechanisms to measure the effectiveness of the implementation.
4. The Framework shall be reviewed on a regular basis, in light of the changing cybersecurity risks, and at least every four years. Where appropriate and following a request from the Interinstitutional Cybersecurity Board established pursuant to Article 10, a Union entity’s Framework may be updated on the basis of guidance from CERT-EU on incidents identified or possible gaps observed in the implementation of this Regulation.
5. The highest_level_of_management of each Union entity shall be responsible for the implementation of this Regulation and shall oversee the compliance of its organisation with the obligations related to the Framework.
6. Where appropriate and without prejudice to its responsibility for the implementation of this Regulation, the highest_level_of_management of each Union entity may delegate specific obligations under this Regulation to senior officials within the meaning of Article 29(2) of the Staff Regulations or other officials at equivalent level, within the Union entity concerned. Regardless of any such delegation, the highest_level_of_management may be held liable for infringements of this Regulation by the Union entity concerned.
7. Each Union entity shall have effective mechanisms in place to ensure that an adequate percentage of the ICT budget is spent on cybersecurity. Due account shall be taken of the Framework when establishing that percentage.
8. Each Union entity shall appoint a local cybersecurity officer or an equivalent function who shall act as its single point of contact regarding all aspects of cybersecurity. The local cybersecurity officer shall facilitate the implementation of this Regulation and report directly to the highest_level_of_management on a regular basis on the state of the implementation. Without prejudice to the local cybersecurity officer being the single point of contact in each Union entity, a Union entity may delegate certain tasks of the local cybersecurity officer with regard to the implementation of this Regulation to CERT-EU on the basis of a service level agreement concluded between that Union entity and CERT-EU, or those tasks may be shared by several Union_entities. Where those tasks are delegated to CERT-EU, the Interinstitutional Cybersecurity Board established pursuant to Article 10 shall decide whether the provision of that service is to be part of the baseline services of CERT-EU, taking into account the human and financial resources of the Union entity concerned. Each Union entity shall, without undue delay, notify CERT-EU of the local cybersecurity officer appointed and any subsequent change thereto.
CERT-EU shall establish and keep updated a list of appointed local cybersecurity officers.
9. The senior officials within the meaning of Article 29(2) of the Staff Regulations or other officials at equivalent level of each Union entity, as well as all relevant members of staff tasked with implementing the cybersecurity risk-management measures and with fulfilling obligations laid down in this Regulation, shall follow specific training on a regular basis with a view to gaining sufficient knowledge and skills in order to apprehend and assess cybersecurity risk- and management practices and their impact on the operations of the Union entity.
whereas