keyboard_tab Cyber Resilience Act 2023/2841 EN
BG CS DA DE EL EN ES ET FI FR GA HR HU IT LV LT MT NL PL PT RO SK SL SV print pdf
- 1 Art. 7 Cybersecurity maturity assessments
- 4 Art. 13 CERT-EU mission and tasks
- 1 Art. 22 Incident response coordination and cooperation
- 1 Art. 25 Review
- Article 26 Entry into force
CHAPTER I
GENERAL PROVISIONS
CHAPTER II
MEASURES FOR A HIGH COMMON LEVEL OF CYBERSECURITY
CHAPTER III
INTERINSTITUTIONAL CYBERSECURITY BOARD
CHAPTER IV
CERT-EU
CHAPTER V
COOPERATION AND REPORTING OBLIGATIONS
CHAPTER VI
FINAL PROVISIONS
- Union entities
- network and information system
- security of network and information systems
- cybersecurity
- highest level of management
- near miss
- incident
- major incident
- large-scale cybersecurity incident
- incident handling
- cyber threat
- significant cyber threat
- vulnerability
- cybersecurity risk
- cloud computing service
- shall 26
- union_entities 21
- cybersecurity 19
- union 13
- information 12
- cert-eu 12
- cert-eu 12
- article 12
- cooperation 11
- incident 11
- regulation 10
- incidents 10
- iicb 10
- basis 9
- response 8
- coordination 8
- support 8
- level 8
- referred 8
- services 8
- report 7
- relevant 7
- assistance 7
- including 6
- implementation 6
- entity 6
- operational 5
- cyber_threats 5
- concerned 5
- from 5
- commission 5
- by 5
- appropriate 5
- exchange 5
- environment 5
- european 5
- maturity 5
- enisa 5
- contribute 4
- tasks 4
- agreements 4
- vulnerabilities 4
- than 4
- network 4
- paragraph 4
- close 4
- eu / 4
- provide 4
- network_and_information_systems 4
- applicable 4
Article 7
Cybersecurity maturity assessments
1. By 8 July 2025 and at least every two years thereafter, each Union entity shall carry out a cybersecurity maturity assessment incorporating all the elements of its ICT environment.
2. The cybersecurity maturity assessments shall, where appropriate, be carried out with the assistance of a specialised third party.
3. Union_entities with similar structures may cooperate in carrying out cybersecurity maturity assessments for their respective entities.
4. On the basis of a request of the Interinstitutional Cybersecurity Board established pursuant to Article 10 and with the explicit consent of the Union entity concerned, the results of a cybersecurity maturity assessment may be discussed within that Board or within the informal group of local cybersecurity officers with a view to learning from experience and sharing best practices.
Article 13
CERT-EU mission and tasks
1. CERT-EU’s mission shall be to contribute to the security of the unclassified ICT environment of Union_entities by advising them on cybersecurity, by helping them to prevent, detect, handle, mitigate, respond to and recover from incidents and by acting as their cybersecurity information exchange and incident response coordination hub.
2. CERT-EU shall collect, manage, analyse and share information with the Union_entities on cyber_threats, vulnerabilities and incidents in unclassified ICT infrastructure. It shall coordinate responses to incidents at interinstitutional and Union entity level, including by providing or coordinating the provision of specialised operational assistance.
3. CERT-EU shall carry out the following tasks to assist the Union_entities:
| (a) | support them with the implementation of this Regulation and contribute to the coordination of the implementation of this Regulation through the measures listed in Article 14(1) or through ad-hoc reports requested by the IICB; |
| (b) | offer standard CSIRT services for Union_entities by means of a package of cybersecurity services described in its service catalogue (baseline services); |
| (c) | maintain a network of peers and partners to support the services as outlined in Articles 17 and 18; |
| (d) | bring to the attention of the IICB any problems relating to the implementation of this Regulation and the implementation of guidelines, recommendations and calls for action; |
| (e) | on the basis of the information referred to in paragraph 2, contribute to the Union cyber situational awareness in close cooperation with ENISA; |
| (f) | coordinate the management of major incidents; |
| (g) | act on the part of Union_entities as the equivalent of the coordinator designated for the purposes of coordinated vulnerability disclosure pursuant to Article 12(1) of Directive (EU) 2022/2555; |
| (h) | provide, upon the request of a Union entity, proactive non-intrusive scanning of publicly accessible network_and_information_systems of that Union entity. |
The information referred to in the first subparagraph, point (e), shall be shared with the IICB, the CSIRTs network and the European Union Intelligence and Situation Centre (EU INTCEN), where applicable and appropriate, and subject to appropriate confidentiality conditions.
4. CERT-EU may, in accordance with Article 17 or 18 as appropriate, cooperate with relevant cybersecurity communities within the Union and its Member States, including in the following areas:
| (a) | preparedness, incident coordination, information exchange and crisis response at the technical level on cases linked to Union_entities; |
| (b) | operational cooperation regarding the CSIRTs network, including with regard to mutual assistance; |
| (c) | cyber_threat intelligence, including situational awareness; |
| (d) | on any topic requiring CERT-EU’s technical cybersecurity expertise. |
5. Within its competence, CERT-EU shall engage in structured cooperation with ENISA on capacity building, operational cooperation and long-term strategic analyses of cyber_threats in accordance with Regulation (EU) 2019/881. CERT-EU may cooperate and exchange information with Europol’s European Cybercrime Centre.
6. CERT-EU may provide the following services not described in its service catalogue (chargeable services):
| (a) | services that support the cybersecurity of Union_entities’ ICT environment, other than those referred to in paragraph 3, on the basis of service level agreements and subject to available resources, in particular broad-spectrum network monitoring, including first-line 24/7 monitoring for high-severity cyber_threats; |
| (b) | services that support cybersecurity operations or projects of Union_entities, other than those to protect their ICT environment, on the basis of written agreements and with the prior approval of the IICB; |
| (c) | upon request, a proactive scanning of the network_and_information_systems of the Union entity concerned to detect vulnerabilities with a potential significant impact; |
| (d) | services that support the security of their ICT environment to organisations other than the Union_entities that cooperate closely with Union_entities, for instance by having tasks or responsibilities conferred under Union law, on the basis of written agreements and with the prior approval of the IICB. |
With regard to the first subparagraph, point (d), CERT-EU may, on an exceptional basis, enter into service level agreements with entities other than the Union_entities with the prior approval of the IICB.
7. CERT-EU shall organise and may participate in cybersecurity exercises or recommend participation in existing exercises, where applicable in close cooperation with ENISA, to test the level of cybersecurity of the Union_entities.
8. CERT-EU may provide assistance to Union_entities regarding incidents in network_and_information_systems handling EUCI where it is explicitly requested to do so by the Union_entities concerned in accordance with their respective procedures. The provision of assistance by CERT-EU under this paragraph shall be without prejudice to applicable rules concerning the protection of classified information.
9. CERT-EU shall inform Union_entities about its incident handling procedures and processes.
10. CERT-EU shall contribute, with a high level of confidentiality and reliability, via the appropriate cooperation mechanisms and reporting lines, relevant and anonymised information about major incidents and the manner in which they were handled. That information shall be included in the report referred to in Article 10(14).
11. CERT-EU shall, in cooperation with the EDPS, support the Union_entities concerned when addressing incidents resulting in personal data breaches, without prejudice to the competence and tasks of the EDPS as a supervisory authority under Regulation (EU) 2018/1725.
12. CERT-EU may, if expressly requested by Union_entities’ policy departments, provide technical advice or input on relevant policy matters.
Article 22
Incident response coordination and cooperation
1. In acting as a cybersecurity information exchange and incident response coordination hub, CERT-EU shall facilitate information exchange with regards to incidents, cyber_threats, vulnerabilities and near_misses among:
| (a) | Union_entities; |
| (b) | the counterparts referred to in Articles 17 and 18. |
2. CERT-EU, where relevant in close cooperation with ENISA, shall facilitate coordination among Union_entities on incident response, including:
| (a) | contribution to consistent external communication; |
| (b) | mutual support, such as sharing information relevant to Union_entities, or providing assistance, where relevant directly on site; |
| (c) | optimal use of operational resources; |
| (d) | coordination with other crisis response mechanisms at Union level. |
3. CERT-EU, in close cooperation with ENISA, shall support Union_entities regarding situational awareness of incidents, cyber_threats, vulnerabilities and near_misses as well as sharing relevant developments in the field of cybersecurity.
4. By 8 January 2025, the IICB shall, on the basis of a proposal by CERT-EU, adopt guidelines or recommendations on incident response coordination and cooperation for significant incidents. Where the criminal nature of an incident is suspected, CERT-EU shall advise on how to report the incident to law enforcement authorities, without undue delay.
5. Following a specific request from a Member State and with the approval of the Union_entities concerned, CERT-EU may call on experts from the list referred to in Article 23(4), for contributing to the response to a major incident which has an impact in that Member State, or a large-scale cybersecurity incident in accordance with Article 15(3), point (g), of Directive (EU) 2022/2555. Specific rules on access to and the use of technical experts from Union_entities shall be approved by the IICB on the basis of a proposal by CERT-EU.
Article 25
Review
1. By 8 January 2025 and on an annual basis thereafter, the IICB, with the assistance of CERT-EU, shall report to the Commission on the implementation of this Regulation. The IICB may make recommendations to the Commission to review this Regulation.
2. By 8 January 2027 and every two years thereafter, the Commission shall assess and report on the implementation of this Regulation and on the experience gained at a strategic and operational level to the European Parliament and to the Council.
The report referred to in the first subparagraph of this paragraph shall include the review referred to in Article 16(1), on the possibility of establishing CERT-EU as a Union office.
3. By 8 January 2029, the Commission shall evaluate the functioning of this Regulation and submit a report to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions. The Commission shall also evaluate the appropriateness of including network_and_information_systems handling EUCI within the scope of this Regulation, taking into account other Union legislative acts applicable to those systems. The report shall be accompanied, where necessary, by a legislative proposal.
whereas