keyboard_tab Cyber Resilience Act 2023/2841 EN
BG CS DA DE EL EN ES ET FI FR GA HR HU IT LV LT MT NL PL PT RO SK SL SV print pdf
- 1 Art. 2 Scope
- 1 Art. 3 Definitions
- 1 Art. 4 Processing of personal data
- 1 Art. 19 Information handling
CHAPTER I
GENERAL PROVISIONS
CHAPTER II
MEASURES FOR A HIGH COMMON LEVEL OF CYBERSECURITY
CHAPTER III
INTERINSTITUTIONAL CYBERSECURITY BOARD
CHAPTER IV
CERT-EU
CHAPTER V
COOPERATION AND REPORTING OBLIGATIONS
CHAPTER VI
FINAL PROVISIONS
- Union entities
- network and information system
- security of network and information systems
- cybersecurity
- highest level of management
- near miss
- incident
- major incident
- large-scale cybersecurity incident
- incident handling
- cyber threat
- significant cyber threat
- vulnerability
- cybersecurity risk
- cloud computing service
- article 30
- means 15
- eu / 14
- regulation 13
- pursuant 13
- defined 12
- point 11
- cybersecurity 10
- directive 10
- shall 8
- union_entities 8
- data 8
- cert-eu 8
- information 6
- union 6
- incident 6
- personal 5
- management 4
- processing 4
- handling 4
- european 4
- measures 4
- incident’ 3
- level 3
- the 3
- necessary 3
- treaty 3
- obligations 3
- apply 3
- established 3
- board 3
- interinstitutional 3
- without 2
- security 2
- obligation 2
- sharing 2
- categories 2
- referred 2
- entity 2
- body 2
- point 2
- cyber_threat 2
- cyber_threat’ 2
- public 2
- significant 2
- prejudice 2
- which 2
- risk 2
- coordination 2
- special 2
Article 2
Scope
1. This Regulation applies to Union_entities, to the Interinstitutional Cybersecurity Board established pursuant to Article 10 and to CERT-EU.
2. This Regulation applies without prejudice to the institutional autonomy pursuant to the Treaties.
3. With the exception of Article 13(8), this Regulation does not apply to network_and_information_systems handling EU classified information (EUCI).
Article 3
Definitions
For the purposes of this Regulation, the following definitions apply:
| (1) | ‘ Union_entities’ means the Union institutions, bodies, offices and agencies set up by or pursuant to the Treaty on European Union, the Treaty on the Functioning of European Union (TFEU) or the Treaty establishing the European Atomic Energy Community; |
| (2) | ‘ network_and_information_system’ means a network_and_information_system as defined in Article 6, point (1), of Directive (EU) 2022/2555; |
| (3) | ‘security of network_and_information_systems’ means security of network_and_information_systems as defined in Article 6, point (2), of Directive (EU) 2022/2555; |
| (4) | ‘ cybersecurity’ means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; |
| (5) | ‘ highest_level_of_management’ means a manager, management body or coordination and oversight body that is responsible for the functioning of a Union entity, at the most senior administrative level, with a mandate to adopt or authorise decisions in line with the high-level governance arrangements of that Union entity, without prejudice to the formal responsibilities of other levels of management for compliance and cybersecurity risk management in their respective areas of responsibility; |
| (6) | ‘ near_miss’ means a near_miss as defined in Article 6, point (5), of Directive (EU) 2022/2555; |
| (7) | ‘ incident’ means an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555; |
| (8) | ‘major incident’ means an incident which causes a level of disruption that exceeds a Union entity’s and CERT-EU’s capacity to respond to it or which has a significant impact on at least two Union_entities; |
| (9) | ‘large-scale cybersecurity incident’ means a large-scale cybersecurity incident as defined in Article 6, point (7), of Directive (EU) 2022/2555; |
| (10) | ‘ incident handling’ means incident handling as defined in Article 6, point (8), of Directive (EU) 2022/2555; |
| (11) | ‘ cyber_threat’ means a cyber_threat as defined in Article 2, point (8), of Regulation (EU) 2019/881; |
| (12) | ‘significant cyber_threat’ means a significant cyber_threat as defined in Article 6, point (11), of Directive (EU) 2022/2555; |
| (13) | ‘ vulnerability’ means a vulnerability as defined in Article 6, point (15), of Directive (EU) 2022/2555; |
| (14) | ‘ cybersecurity risk’ means a risk as defined in Article 6, point (9), of Directive (EU) 2022/2555; |
| (15) | ‘ cloud_computing_service’ means a cloud_computing_service as defined in Article 6, point (30), of Directive (EU) 2022/2555. |
Article 4
Processing of personal data
1. The processing of personal data under this Regulation by CERT-EU, the Interinstitutional Cybersecurity Board established pursuant to Article 10 and Union_entities shall be carried out in accordance with Regulation (EU) 2018/1725.
2. Where they perform tasks or fulfil obligations pursuant to this Regulation, CERT-EU, the Interinstitutional Cybersecurity Board established pursuant to Article 10 and Union_entities shall process and exchange personal data only to the extent necessary and for the sole purpose of performing those tasks or fulfilling those obligations.
3. The processing of special categories of personal data as referred to in Article 10(1) of Regulation (EU) 2018/1725 shall be considered to be necessary for reasons of substantial public interest pursuant to Article 10(2), point (g), of that Regulation. Such data may be processed only to the extent necessary for the implementation of cybersecurity risk-management measures referred to in Articles 6 and 8, for the provision of services by CERT-EU pursuant to Article 13, for the sharing of incident-specific information pursuant to Article 17(3) and Article 18(3), for the sharing of information pursuant Article 20, for the reporting obligations pursuant to Article 21, for incident response coordination and cooperation pursuant to Article 22 and for the management of major incidents pursuant to Article 23 of this Regulation. The Union_entities and CERT-EU, when acting as data controllers, shall apply technical measures to prevent the processing of special categories of personal data for other purposes and shall provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subjects.
CHAPTER II
MEASURES FOR A HIGH COMMON LEVEL OF CYBERSECURITY
Article 19
Information handling
1. Union_entities and CERT-EU shall respect the obligation of professional secrecy in accordance with Article 339 TFEU or equivalent applicable frameworks.
2. Regulation (EC) No 1049/2001 of the European Parliament and of the Council (10) shall apply with regard to requests for public access to documents held by CERT-EU, including the obligation under that Regulation to consult other Union_entities or, where relevant, Member States, whenever a request concerns their documents.
3. The handling of information by Union_entities and CERT-EU shall comply with the applicable rules on information security.
whereas