keyboard_tab Cyber Resilience Act 2023/2841 EN
BG CS DA DE EL EN ES ET FI FR GA HR HU IT LV LT MT NL PL PT RO SK SL SV print pdf
- 1 Art. 7 Cybersecurity maturity assessments
- 1 Art. 11 Tasks of the IICB
- 1 Art. 14 Guidelines, recommendations and calls for action
- 1 Art. 17 Cooperation of CERT-EU with Member State counterparts
- 1 Art. 18 Cooperation of CERT-EU with other counterparts
CHAPTER I
GENERAL PROVISIONS
CHAPTER II
MEASURES FOR A HIGH COMMON LEVEL OF CYBERSECURITY
CHAPTER III
INTERINSTITUTIONAL CYBERSECURITY BOARD
CHAPTER IV
CERT-EU
CHAPTER V
COOPERATION AND REPORTING OBLIGATIONS
CHAPTER VI
FINAL PROVISIONS
- Union entities
- network and information system
- security of network and information systems
- cybersecurity
- highest level of management
- near miss
- incident
- major incident
- large-scale cybersecurity incident
- incident handling
- cyber threat
- significant cyber threat
- vulnerability
- cybersecurity risk
- cloud computing service
- cert-eu 32
- cybersecurity 29
- shall 23
- union 19
- article 19
- union_entities 17
- entity 17
- information 14
- such 12
- counterparts 10
- head 10
- iicb 10
- basis 10
- arrangements 9
- affected 9
- cooperation 8
- approve 8
- including 8
- maturity 8
- pursuant 8
- state 8
- proposal 7
- incidents 7
- member 7
- from 7
- relevant 7
- established 7
- directive 6
- incident 6
- assessments 6
- referred 6
- exchange 6
- appropriate 6
- level 6
- management 6
- recommendations 6
- within 5
- common 5
- security 5
- specific 5
- support 5
- best 5
- eu / 5
- entities 5
- measures 5
- cert-eu 5
- without 5
- practices 5
- regulation 4
- implementation 4
Article 7
Cybersecurity maturity assessments
1. By 8 July 2025 and at least every two years thereafter, each Union entity shall carry out a cybersecurity maturity assessment incorporating all the elements of its ICT environment.
2. The cybersecurity maturity assessments shall, where appropriate, be carried out with the assistance of a specialised third party.
3. Union_entities with similar structures may cooperate in carrying out cybersecurity maturity assessments for their respective entities.
4. On the basis of a request of the Interinstitutional Cybersecurity Board established pursuant to Article 10 and with the explicit consent of the Union entity concerned, the results of a cybersecurity maturity assessment may be discussed within that Board or within the informal group of local cybersecurity officers with a view to learning from experience and sharing best practices.
Article 11
Tasks of the IICB
When exercising its responsibilities, the IICB shall, in particular:
| (a) | provide guidance to the Head of CERT-EU; |
| (b) | effectively monitor and supervise the implementation of this Regulation and support the Union_entities in strengthening their cybersecurity, including, where appropriate, requesting ad-hoc reports from Union_entities and CERT-EU; |
| (c) | following a strategic discussion, adopt a multiannual strategy on raising the level of cybersecurity in the Union_entities, asses that strategy on a regular basis and in any event every five years and, where necessary, amend that strategy; |
| (d) | establish the methodology and organisational aspects for the conduct of voluntary peer reviews by Union_entities, with a view to learning from shared experiences, strengthening mutual trust, achieving a high common level of cybersecurity, as well as enhancing Union_entities’ cybersecurity capabilities, ensuring that such peer reviews are conducted by cybersecurity experts designated by a Union entity different from the Union entity being reviewed and that the methodology is based on Article 19 of Directive (EU) 2022/2555 and is, where appropriate, adapted to the Union_entities; |
| (e) | approve, on the basis of a proposal by the Head of CERT-EU, CERT-EU’s annual work programme and monitor its implementation; |
| (f) | approve, on the basis of a proposal by the Head of CERT-EU, CERT-EU’s service catalogue and any updates thereof; |
| (g) | approve, on the basis of a proposal by the Head of CERT-EU, the annual financial planning of revenue and expenditure, including staffing, for CERT-EU activities; |
| (h) | approve, on the basis of a proposal by the Head of CERT-EU, the arrangements for service level agreements; |
| (i) | examine and approve the annual report drawn up by the Head of CERT-EU covering the activities of, and management of funds by, CERT-EU; |
| (j) | approve and monitor key performance indicators (KPIs) for CERT-EU established on the basis of a proposal by the Head of CERT-EU; |
| (k) | approve cooperation arrangements, service level agreements or contracts between CERT-EU and other entities pursuant to Article 18; |
| (l) | adopt guidelines and recommendations on the basis of a proposal by CERT-EU in accordance with Article 14 and instruct CERT-EU to issue, withdraw or modify a proposal for guidelines or recommendations, or a call for action; |
| (m) | establish technical advisory groups with specific tasks to assist the IICB’s work, approve their terms of reference and designate their respective Chairs; |
| (n) | receive and assess documents and reports submitted by the Union_entities under this Regulation, such as cybersecurity maturity assessments; |
| (o) | facilitate the establishment of an informal group of local cybersecurity officers of Union_entities, supported by ENISA, with the aim of exchanging best practices and information in relation to the implementation of this Regulation; |
| (p) | taking into account the information on the identified cybersecurity risks and lessons learnt provided by CERT-EU, monitor the adequacy of interconnectivity arrangements among the Union_entities’ ICT environments and advise on possible improvements; |
| (q) | establish a cyber crisis management plan with a view to supporting, at an operational level, the coordinated management of major incidents affecting Union_entities and to contributing to the regular exchange of relevant information, in particular with regard to the impacts and severity of, and the possible ways of mitigating the effects of, major incidents; |
| (r) | coordinate the adoption of individual Union_entities’ cyber crisis management plans referred to in Article 9(2); |
| (s) | adopt recommendations relating to supply chain security referred to in Article 8(2), first subparagraph, point (m), taking into account the results of Union level coordinated security risk assessments of critical supply chains referred to in Article 22 of Directive (EU) 2022/2555 to support Union_entities in adopting effective and proportionate cybersecurity risk-management measures. |
Article 14
Guidelines, recommendations and calls for action
1. CERT-EU shall support the implementation of this Regulation by issuing:
| (a) | calls for action describing urgent security measures that Union_entities are urged to take within a set timeframe; |
| (b) | proposals to the IICB for guidelines addressed to all or a subset of the Union_entities; |
| (c) | proposals to the IICB for recommendations addressed to individual Union_entities. |
With regard to the first subparagraph, point (a), the Union entity concerned shall, without undue delay after receiving the call for action, inform CERT-EU of how the urgent security measures were applied.
2. Guidelines and recommendations may include:
| (a) | common methodologies and a model for assessing the cybersecurity maturity of the Union_entities, including the corresponding scales or KPIs, serving as reference in support of continuous cybersecurity improvement across the Union_entities and facilitating the prioritisation of cybersecurity domains and measures taking into account entities’ cybersecurity posture; |
| (b) | arrangements for or improvements to cybersecurity risk management and the cybersecurity risk-management measures; |
| (c) | arrangements for cybersecurity maturity assessments and cybersecurity plans; |
| (d) | where appropriate, the use of common technology, architecture, open source and associated best practices with the aim of achieving interoperability and common standards, including a coordinated approach to supply chain security; |
| (e) | where appropriate, information to facilitate the use of common procurement instruments for the purchasing of relevant cybersecurity services and products from third-party suppliers; |
| (f) | information-sharing arrangements pursuant to Article 20. |
Article 17
Cooperation of CERT-EU with Member State counterparts
1. CERT-EU shall, without undue delay, cooperate and exchange information with Member State counterparts, in particular the CSIRTs designated or established pursuant to Article 10 of Directive (EU) 2022/2555, or, where applicable, the competent authorities and single points of contact designated or established pursuant to Article 8 of that Directive, with regard to incidents, cyber_threats, vulnerabilities, near_misses, possible countermeasures as well as best practices and on all matters relevant for improving the protection of the ICT environments of Union_entities, including by means of the CSIRTs network established pursuant to Article 15 of Directive (EU) 2022/2555. CERT-EU shall support the Commission in EU-CyCLONe established pursuant to Article 16 of Directive (EU) 2022/2555 on the coordinated management of large-scale cybersecurity incidents and crises.
2. Where CERT-EU becomes aware of a significant incident occurring within the territory of a Member State, it shall, without delay, notify any relevant counterpart in that Member State, in accordance with paragraph 1.
3. Provided that personal data are protected in accordance with applicable Union data protection law, CERT-EU shall, without undue delay, exchange relevant incident-specific information with Member State counterparts to facilitate detection of similar cyber_threats or incidents, or to contribute to the analysis of an incident, without the authorisation of the Union entity affected. CERT-EU shall exchange incident-specific information which reveals the identity of the target of the incident only in the event of one of the following:
| (a) | the Union entity affected consents; |
| (b) | the Union entity affected does not consent as provided for in point (a) but the disclosure of the identity of the Union entity affected would increase the probability that incidents elsewhere would be avoided or mitigated; |
| (c) | the Union entity affected has already made public that it was affected. |
Decisions to exchange incident-specific information which reveals the identity of the target of the incident pursuant to the first subparagraph, point (b), shall be endorsed by the Head of CERT-EU. Prior to issuing such a decision, CERT-EU shall contact the Union entity affected in writing, explaining clearly how the disclosure of its identity would help to avoid or mitigate incidents elsewhere. The Head of CERT-EU shall provide the explanation and explicitly request the Union entity to state whether it consents within a set timeframe. The Head of CERT-EU shall also inform the Union entity that, in light of the explanation provided, he or she reserves the right to disclose the information even in the absence of consent. The Union entity affected shall be informed before the information is disclosed.
Article 18
Cooperation of CERT-EU with other counterparts
1. CERT-EU may cooperate with counterparts in the Union other than those referred to in Article 17 which are subject to Union cybersecurity requirements, including industry sector-specific counterparts, on tools and methods, such as techniques, tactics, procedures and best practices, and on cyber_threats and vulnerabilities. For all cooperation with such counterparts, CERT-EU shall seek prior approval from the IICB on a case-by-case basis. Where CERT-EU establishes cooperation with such counterparts, it shall inform any relevant Member State counterparts referred to in Article 17(1), in the Member State in which the counterpart is located. Where applicable and appropriate, such cooperation and the conditions thereof, including regarding cybersecurity, data protection and information handling, shall be established in specific confidentiality arrangements such as contracts or administrative arrangements. The confidentiality arrangements shall not require prior approval by the IICB, but the Chair of the IICB shall be informed. In the case of an urgent and imminent need to exchange cybersecurity information in the interests of Union_entities or another party, CERT-EU may do so with an entity whose specific competence, capacity and expertise are justifiably required to assist with such an urgent and imminent need, even if CERT-EU does not have a confidentiality arrangement in place with that entity. In such cases, CERT-EU shall immediately inform the Chair of the IICB, and shall report to the IICB by means of regular reports or meetings.
2. CERT-EU may cooperate with partners, such as commercial entities, including industry sector-specific entities, international organisations, non-Union national entities or individual experts, to gather information on general and specific cyber_threats, near_misses, vulnerabilities and possible countermeasures. For wider cooperation with such partners, CERT-EU shall seek prior approval from the IICB on a case-by-case basis.
3. CERT-EU may, with the consent of the Union entity affected by an incident and provided that a non-disclosure arrangement or contract is in place with the relevant counterpart or partner, provide information related to the specific incident to counterparts or partners referred to in paragraphs 1 and 2 solely for the purpose of contributing to its analysis.
CHAPTER V
COOPERATION AND REPORTING OBLIGATIONS
whereas