keyboard_tab Cyber Resilience Act 2023/2841 EN
BG CS DA DE EL EN ES ET FI FR GA HR HU IT LV LT MT NL PL PT RO SK SL SV print pdf
CHAPTER I
GENERAL PROVISIONS
CHAPTER II
MEASURES FOR A HIGH COMMON LEVEL OF CYBERSECURITY
CHAPTER III
INTERINSTITUTIONAL CYBERSECURITY BOARD
CHAPTER IV
CERT-EU
CHAPTER V
COOPERATION AND REPORTING OBLIGATIONS
CHAPTER VI
FINAL PROVISIONS
- Union entities
- network and information system
- security of network and information systems
- cybersecurity
- highest level of management
- near miss
- incident
- major incident
- large-scale cybersecurity incident
- incident handling
- cyber threat
- significant cyber threat
- vulnerability
- cybersecurity risk
- cloud computing service
- shall 37
- iicb 25
- cybersecurity 23
- european 16
- article 13
- cert-eu 12
- union 12
- the 12
- union_entities 11
- report 9
- regulation 8
- chair 8
- incident 8
- member 8
- procedure 7
- plan 7
- commission 7
- pursuant 7
- committee 7
- january 6
- response 6
- rules 6
- referred 6
- cooperation 6
- representatives 5
- basis 5
- coordination 5
- implementation 5
- relevant 5
- by 5
- council 5
- internal 4
- euan 4
- review 4
- state 4
- vote 4
- proposal 4
- incidents 4
- interinstitutional 4
- board 4
- accordance 4
- parliament 4
- from 4
- members 4
- established 3
- submit 3
- among 3
- information 3
- except 3
- iicb’s 3
Article 9
Cybersecurity plans
1. Following the conclusion of the cybersecurity maturity assessment carried out pursuant to Article 7 and taking into account the assets and cybersecurity risks identified in the Framework as well as the cybersecurity risk-management measures taken pursuant to Article 8, the highest_level_of_management of each Union entity shall approve a cybersecurity plan without undue delay and in any event by 8 january 2026. The cybersecurity plan shall aim at increasing the overall cybersecurity of the Union entity and shall thereby contribute to the enhancement of a high common level of cybersecurity within the Union_entities. The cybersecurity plan shall include at least the cybersecurity risk-management measures taken pursuant to Article 8. The cybersecurity plan shall be revised every two years, or more frequently where necessary, following the cybersecurity maturity assessments carried out pursuant to Article 7 or any substantial review of the Framework.
2. The cybersecurity plan shall include the Union entity’s cyber crisis management plan for major incidents.
3. The Union entity shall submit the completed cybersecurity plan to the Interinstitutional Cybersecurity Board established pursuant to Article 10.
CHAPTER III
INTERINSTITUTIONAL CYBERSECURITY BOARD
Article 10
Interinstitutional Cybersecurity Board
1. An Interinstitutional Cybersecurity Board (IICB) is hereby established.
2. The IICB shall be responsible for:
| (a) | monitoring and supporting the implementation of this Regulation by the Union_entities; |
| (b) | supervising the implementation of general priorities and objectives by CERT-EU and providing strategic direction to CERT-EU. |
3. The IICB shall consist of:
| (a) | one representative designated by each of the following:
|
| (b) | three representatives designated by the EU Agencies Network (EUAN) on the basis of a proposal by its ICT Advisory Committee to represent the interests of the bodies, offices and agencies of the Union that run their own ICT environment, other than those referred to in point (a). |
The Union_entities represented on the IICB shall aim to achieve gender balance among the designated representatives.
4. Members of the IICB may be assisted by an alternate. Other representatives of the Union_entities referred to in paragraph 3 or of other Union_entities may be invited by the Chair to attend IICB meetings without voting power.
5. The Head of CERT-EU and the Chairs of the Cooperation Group, the CSIRTs network and EU-CyCLONe established, respectively, pursuant to Articles 14, 15 and 16 of Directive (EU) 2022/2555, or their alternates, may participate in IICB meetings as observers. In exceptional cases, the IICB may, in accordance with its internal rules of procedure, decide otherwise.
6. The IICB shall adopt its internal rules of procedure.
7. The IICB shall designate a Chair in accordance with its internal rules of procedure, from among its members for a period of three years. The Chair’s alternate shall become a full member of the IICB for the same duration.
8. The IICB shall meet at least three times a year at the initiative of its Chair, at the request of CERT-EU or at the request of any of its members.
9. Each member of the IICB shall have one vote. The IICB’s decisions shall be taken by simple majority except where otherwise provided for in this Regulation. The Chair of the IICB shall not have a vote except in the event of a tied vote, in which case the Chair may cast a deciding vote.
10. The IICB may act by means of a simplified written procedure initiated in accordance with its internal rules of procedure. Under that procedure, the relevant decision shall be deemed to be approved within the timeframe set by the Chair, except where a member objects.
11. The secretariat of the IICB shall be provided by the Commission and shall be accountable to the Chair of the IICB.
12. The representatives nominated by the EUAN shall relay the IICB’s decisions to the members of the EUAN. Any member of the EUAN shall be entitled to raise with those representatives or the Chair of the IICB any matter which it considers should be brought to the IICB’s attention.
13. The IICB may establish an executive committee to assist it in its work, and delegate some of its tasks and powers to it. The IICB shall lay down the rules of procedure of the executive committee, including its tasks and powers, and the terms of office of its members.
14. By 8 january 2025 and on an annual basis thereafter, the IICB shall submit a report to the European Parliament and to the Council detailing progress made with the implementation of this Regulation and specifying in particular the extent of cooperation of CERT-EU with Member State counterparts in each of the Member States. The report shall constitute an input to the biennial report on the state of cybersecurity in the Union adopted pursuant to Article 18 of Directive (EU) 2022/2555.
Article 22
Incident response coordination and cooperation
1. In acting as a cybersecurity information exchange and incident response coordination hub, CERT-EU shall facilitate information exchange with regards to incidents, cyber_threats, vulnerabilities and near_misses among:
| (a) | Union_entities; |
| (b) | the counterparts referred to in Articles 17 and 18. |
2. CERT-EU, where relevant in close cooperation with ENISA, shall facilitate coordination among Union_entities on incident response, including:
| (a) | contribution to consistent external communication; |
| (b) | mutual support, such as sharing information relevant to Union_entities, or providing assistance, where relevant directly on site; |
| (c) | optimal use of operational resources; |
| (d) | coordination with other crisis response mechanisms at Union level. |
3. CERT-EU, in close cooperation with ENISA, shall support Union_entities regarding situational awareness of incidents, cyber_threats, vulnerabilities and near_misses as well as sharing relevant developments in the field of cybersecurity.
4. By 8 january 2025, the IICB shall, on the basis of a proposal by CERT-EU, adopt guidelines or recommendations on incident response coordination and cooperation for significant incidents. Where the criminal nature of an incident is suspected, CERT-EU shall advise on how to report the incident to law enforcement authorities, without undue delay.
5. Following a specific request from a Member State and with the approval of the Union_entities concerned, CERT-EU may call on experts from the list referred to in Article 23(4), for contributing to the response to a major incident which has an impact in that Member State, or a large-scale cybersecurity incident in accordance with Article 15(3), point (g), of Directive (EU) 2022/2555. Specific rules on access to and the use of technical experts from Union_entities shall be approved by the IICB on the basis of a proposal by CERT-EU.
Article 25
Review
1. By 8 january 2025 and on an annual basis thereafter, the IICB, with the assistance of CERT-EU, shall report to the Commission on the implementation of this Regulation. The IICB may make recommendations to the Commission to review this Regulation.
2. By 8 january 2027 and every two years thereafter, the Commission shall assess and report on the implementation of this Regulation and on the experience gained at a strategic and operational level to the European Parliament and to the Council.
The report referred to in the first subparagraph of this paragraph shall include the review referred to in Article 16(1), on the possibility of establishing CERT-EU as a Union office.
3. By 8 january 2029, the Commission shall evaluate the functioning of this Regulation and submit a report to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions. The Commission shall also evaluate the appropriateness of including network_and_information_systems handling EUCI within the scope of this Regulation, taking into account other Union legislative acts applicable to those systems. The report shall be accompanied, where necessary, by a legislative proposal.
whereas