keyboard_tab Cyber Resilience Act 2023/2841 EN
BG CS DA DE EL EN ES ET FI FR GA HR HU IT LV LT MT NL PL PT RO SK SL SV print pdf
- 1 Art. 6 Cybersecurity risk-management, governance and control framework
- 1 Art. 14 Guidelines, recommendations and calls for action
CHAPTER I
GENERAL PROVISIONS
CHAPTER II
MEASURES FOR A HIGH COMMON LEVEL OF CYBERSECURITY
CHAPTER III
INTERINSTITUTIONAL CYBERSECURITY BOARD
CHAPTER IV
CERT-EU
CHAPTER V
COOPERATION AND REPORTING OBLIGATIONS
CHAPTER VI
FINAL PROVISIONS
- Union entities
- network and information system
- security of network and information systems
- cybersecurity
- highest level of management
- near miss
- incident
- major incident
- large-scale cybersecurity incident
- incident handling
- cyber threat
- significant cyber threat
- vulnerability
- cybersecurity risk
- cloud computing service
- cybersecurity 27
- shall 21
- union 19
- entity 16
- framework 12
- regulation 10
- implementation 9
- cert-eu 8
- article 7
- each 6
- union_entities 6
- local 6
- highest_level_of_management 5
- basis 5
- measures 5
- the 5
- officer 5
- concerned 5
- without 4
- staff 4
- level 4
- common 4
- security 4
- including 4
- within 4
- appropriate 4
- risk-management 4
- officials 4
- services 3
- pursuant 3
- equivalent 3
- arrangements 3
- obligations 3
- from 3
- action 3
- recommendations 3
- regular 3
- account 3
- point 3
- tasks 3
- entity’s 3
- establish 3
- environment 3
- appointed 2
- relevant 2
- service 2
- taking 2
- contact 2
- interinstitutional 2
- board 2
Article 6
Cybersecurity risk-management, governance and control framework
1. By 8 April 2025, each Union entity shall, after carrying out an initial cybersecurity review, such as an audit, establish an internal cybersecurity risk-management, governance and control framework (the ‘Framework’). The establishment of the Framework shall be overseen by and under the responsibility of the Union entity’s highest_level_of_management.
2. The Framework shall cover the entirety of the unclassified ICT environment of the Union entity concerned, including any on-premises ICT environment, operational technology network, outsourced assets and services in cloud computing environments or hosted by third parties, mobile devices, corporate networks, business networks not connected to the internet and any devices connected to those environments (ICT environment). The Framework shall be based on an all-hazards approach.
3. The Framework shall ensure a high level of cybersecurity. The Framework shall establish internal cybersecurity policies, including objectives and priorities, for the security of network_and_information_systems, and the roles and responsibilities of the Union entity’s staff tasked with ensuring the effective implementation of this Regulation. The Framework shall also include mechanisms to measure the effectiveness of the implementation.
4. The Framework shall be reviewed on a regular basis, in light of the changing cybersecurity risks, and at least every four years. Where appropriate and following a request from the Interinstitutional Cybersecurity Board established pursuant to Article 10, a Union entity’s Framework may be updated on the basis of guidance from CERT-EU on incidents identified or possible gaps observed in the implementation of this Regulation.
5. The highest_level_of_management of each Union entity shall be responsible for the implementation of this Regulation and shall oversee the compliance of its organisation with the obligations related to the Framework.
6. Where appropriate and without prejudice to its responsibility for the implementation of this Regulation, the highest_level_of_management of each Union entity may delegate specific obligations under this Regulation to senior officials within the meaning of Article 29(2) of the Staff Regulations or other officials at equivalent level, within the Union entity concerned. Regardless of any such delegation, the highest_level_of_management may be held liable for infringements of this Regulation by the Union entity concerned.
7. Each Union entity shall have effective mechanisms in place to ensure that an adequate percentage of the ICT budget is spent on cybersecurity. Due account shall be taken of the Framework when establishing that percentage.
8. Each Union entity shall appoint a local cybersecurity officer or an equivalent function who shall act as its single point of contact regarding all aspects of cybersecurity. The local cybersecurity officer shall facilitate the implementation of this Regulation and report directly to the highest_level_of_management on a regular basis on the state of the implementation. Without prejudice to the local cybersecurity officer being the single point of contact in each Union entity, a Union entity may delegate certain tasks of the local cybersecurity officer with regard to the implementation of this Regulation to CERT-EU on the basis of a service level agreement concluded between that Union entity and CERT-EU, or those tasks may be shared by several Union_entities. Where those tasks are delegated to CERT-EU, the Interinstitutional Cybersecurity Board established pursuant to Article 10 shall decide whether the provision of that service is to be part of the baseline services of CERT-EU, taking into account the human and financial resources of the Union entity concerned. Each Union entity shall, without undue delay, notify CERT-EU of the local cybersecurity officer appointed and any subsequent change thereto.
CERT-EU shall establish and keep updated a list of appointed local cybersecurity officers.
9. The senior officials within the meaning of Article 29(2) of the Staff Regulations or other officials at equivalent level of each Union entity, as well as all relevant members of staff tasked with implementing the cybersecurity risk-management measures and with fulfilling obligations laid down in this Regulation, shall follow specific training on a regular basis with a view to gaining sufficient knowledge and skills in order to apprehend and assess cybersecurity risk- and management practices and their impact on the operations of the Union entity.
Article 14
Guidelines, recommendations and calls for action
1. CERT-EU shall support the implementation of this Regulation by issuing:
| (a) | calls for action describing urgent security measures that Union_entities are urged to take within a set timeframe; |
| (b) | proposals to the IICB for guidelines addressed to all or a subset of the Union_entities; |
| (c) | proposals to the IICB for recommendations addressed to individual Union_entities. |
With regard to the first subparagraph, point (a), the Union entity concerned shall, without undue delay after receiving the call for action, inform CERT-EU of how the urgent security measures were applied.
2. Guidelines and recommendations may include:
| (a) | common methodologies and a model for assessing the cybersecurity maturity of the Union_entities, including the corresponding scales or KPIs, serving as reference in support of continuous cybersecurity improvement across the Union_entities and facilitating the prioritisation of cybersecurity domains and measures taking into account entities’ cybersecurity posture; |
| (b) | arrangements for or improvements to cybersecurity risk management and the cybersecurity risk-management measures; |
| (c) | arrangements for cybersecurity maturity assessments and cybersecurity plans; |
| (d) | where appropriate, the use of common technology, architecture, open source and associated best practices with the aim of achieving interoperability and common standards, including a coordinated approach to supply chain security; |
| (e) | where appropriate, information to facilitate the use of common procurement instruments for the purchasing of relevant cybersecurity services and products from third-party suppliers; |
| (f) | information-sharing arrangements pursuant to Article 20. |
whereas