keyboard_tab Cyber Resilience Act 2023/2841 EN

1.   By 8 September 2024, the Interinstitutional Cybersecurity Board established pursuant to Article 10 shall, after consulting the European Union Agency for Cybersecurity (ENISA) and after receiving guidance from cert-eu, issue guidelines to Union_entities for the purpose of carrying out an initial cybersecurity review and establishing an internal cybersecurity risk-management, governance and control framework pursuant to Article 6, carrying out cybersecurity maturity assessments pursuant to Article 7, taking cybersecurity risk-management measures pursuant to Article 8, and adopting the cybersecurity plan pursuant to Article 9.

2.   When implementing Articles 6 to 9, Union_entities shall take into account the guidelines referred to in paragraph 1 of this Article, as well as relevant guidelines and recommendations adopted pursuant to Articles 11 and 14.

1.   By 8 April 2025, each Union entity shall, after carrying out an initial cybersecurity review, such as an audit, establish an internal cybersecurity risk-management, governance and control framework (the ‘Framework’). The establishment of the Framework shall be overseen by and under the responsibility of the Union entity’s highest_level_of_management.

2.   The Framework shall cover the entirety of the unclassified ICT environment of the Union entity concerned, including any on-premises ICT environment, operational technology network, outsourced assets and services in cloud computing environments or hosted by third parties, mobile devices, corporate networks, business networks not connected to the internet and any devices connected to those environments (ICT environment). The Framework shall be based on an all-hazards approach.

3.   The Framework shall ensure a high level of cybersecurity. The Framework shall establish internal cybersecurity policies, including objectives and priorities, for the security of network_and_information_systems, and the roles and responsibilities of the Union entity’s staff tasked with ensuring the effective implementation of this Regulation. The Framework shall also include mechanisms to measure the effectiveness of the implementation.

4.   The Framework shall be reviewed on a regular basis, in light of the changing cybersecurity risks, and at least every four years. Where appropriate and following a request from the Interinstitutional Cybersecurity Board established pursuant to Article 10, a Union entity’s Framework may be updated on the basis of guidance from cert-eu on incidents identified or possible gaps observed in the implementation of this Regulation.

5.   The highest_level_of_management of each Union entity shall be responsible for the implementation of this Regulation and shall oversee the compliance of its organisation with the obligations related to the Framework.

6.   Where appropriate and without prejudice to its responsibility for the implementation of this Regulation, the highest_level_of_management of each Union entity may delegate specific obligations under this Regulation to senior officials within the meaning of Article 29(2) of the Staff Regulations or other officials at equivalent level, within the Union entity concerned. Regardless of any such delegation, the highest_level_of_management may be held liable for infringements of this Regulation by the Union entity concerned.

7.   Each Union entity shall have effective mechanisms in place to ensure that an adequate percentage of the ICT budget is spent on cybersecurity. Due account shall be taken of the Framework when establishing that percentage.

8.   Each Union entity shall appoint a local cybersecurity officer or an equivalent function who shall act as its single point of contact regarding all aspects of cybersecurity. The local cybersecurity officer shall facilitate the implementation of this Regulation and report directly to the highest_level_of_management on a regular basis on the state of the implementation. Without prejudice to the local cybersecurity officer being the single point of contact in each Union entity, a Union entity may delegate certain tasks of the local cybersecurity officer with regard to the implementation of this Regulation to cert-eu on the basis of a service level agreement concluded between that Union entity and cert-eu, or those tasks may be shared by several Union_entities. Where those tasks are delegated to cert-eu, the Interinstitutional Cybersecurity Board established pursuant to Article 10 shall decide whether the provision of that service is to be part of the baseline services of cert-eu, taking into account the human and financial resources of the Union entity concerned. Each Union entity shall, without undue delay, notify cert-eu of the local cybersecurity officer appointed and any subsequent change thereto.

cert-eu shall establish and keep updated a list of appointed local cybersecurity officers.

9.   The senior officials within the meaning of Article 29(2) of the Staff Regulations or other officials at equivalent level of each Union entity, as well as all relevant members of staff tasked with implementing the cybersecurity risk-management measures and with fulfilling obligations laid down in this Regulation, shall follow specific training on a regular basis with a view to gaining sufficient knowledge and skills in order to apprehend and assess cybersecurity risk- and management practices and their impact on the operations of the Union entity.

1.   Without undue delay and in any event by 8 September 2025, each Union entity shall, under the oversight of its highest_level_of_management, take appropriate and proportionate technical, operational and organisational measures to manage the cybersecurity risks identified under the Framework, and to prevent or minimise the impact of incidents. Taking into account the state of the art and, where applicable, relevant European and international standards, those measures shall ensure a level of security of network_and_information_systems across the entirety of the ICT environment commensurate to the cybersecurity risks posed. When assessing the proportionality of those measures, due account shall be taken of the degree of the Union entity’s exposure to cybersecurity risks, its size and the likelihood of occurrence of incidents and their severity, including their societal, economic and interinstitutional impact.

2.    Union_entities shall address at least the following domains in the implementation of the cybersecurity risk-management measures:

(a)	cybersecurity policy, including measures needed to reach objectives and priorities referred to in Article 6 and paragraph 3 of this Article;

(b)	policies on cybersecurity risk analysis and information system security;

(c)	policy objectives regarding the use of cloud_computing_services;

(d)	cybersecurity audit, where appropriate, which may include a cybersecurity risk, vulnerability and cyber_threat assessment, and penetration testing carried out by a trusted private provider on a regular basis;

(e)	implementation of recommendations resulting from cybersecurity audits referred to in point (d) through cybersecurity and policy updates;

(f)	organisation of cybersecurity, including establishment of roles and responsibilities;

(g)	asset management, including ICT asset inventory and ICT network cartography;

(h)	human resources security and access control;

(i)	operations security;

(j)	communications security;

(k)	system acquisition, development and maintenance, including policies on vulnerability handling and disclosure;

(l)	where possible, policies on the transparency of the source code;

(m)	supply chain security, including security-related aspects concerning the relationships between each Union entity and its direct suppliers or service providers;

(n)	incident handling and cooperation with cert-eu, such as the maintenance of security monitoring and logging;

(o)	business continuity management, such as backup management and disaster recovery, and crisis management; and

(p)	promotion and development of cybersecurity education, skills, awareness-raising, exercise and training programmes.

For the purposes of the first subparagraph, point (m), Union_entities shall take into account the vulnerabilities specific to each direct supplier and service provider and the overall quality of products and cybersecurity practices of their suppliers and service providers, including their secure development procedures.

3.    Union_entities shall take at least the following specific cybersecurity risk-management measures:

(a)	technical arrangements to enable and sustain teleworking;

(b)	concrete steps for moving towards zero-trust principles;

(c)	the use of multifactor authentication as a norm across network_and_information_systems;

(d)	the use of cryptography and encryption, in particular end-to-end encryption, as well as secure digital signing;

(e)	where appropriate, secured voice, video and text communications, and secured emergency communications systems within the Union entity;

(f)	proactive measures for detection and removal of malware and spyware;

(g)	the establishment of software supply chain security through criteria for secure software development and evaluation;

(h)	the establishment and adoption of training programmes on cybersecurity commensurate to the prescribed tasks and expected capabilities for the highest_level_of_management and members of staff of the Union entity tasked with ensuring the effective implementation of this Regulation;

(i)	regular cybersecurity training of staff members;

(j)	where relevant, participation in interconnectivity risk analyses between the Union_entities;

(k)

the enhancement of procurement rules to facilitate a high common level of cybersecurity through: (i) the removal of contractual barriers that limit information sharing from ICT service providers about incidents, vulnerabilities and cyber_threats with cert-eu; (ii) contractual obligations to report incidents, vulnerabilities and cyber_threats as well as to have appropriate incident response and monitoring mechanisms in place.

1.   An Interinstitutional Cybersecurity Board (IICB) is hereby established.

2.   The IICB shall be responsible for:

(a)	monitoring and supporting the implementation of this Regulation by the Union_entities;

(b)	supervising the implementation of general priorities and objectives by cert-eu and providing strategic direction to cert-eu.

3.   The IICB shall consist of:

(a)

one representative designated by each of the following: (i) the European Parliament; (ii) the European Council; (iii) the Council of the European Union; (iv) the Commission; (v) the Court of Justice of the European Union; (vi) the European Central Bank; (vii) the Court of Auditors; (viii) the European External Action Service; (ix) the European Economic and Social Committee; (x) the European Committee of the Regions; (xi) the European Investment Bank; (xii) the European Cybersecurity Industrial, Technology and Research Competence Centre; (xiii) ENISA; (xiv) the European Data Protection Supervisor (EDPS); (xv) the European Union Agency for the Space Programme.

(b)	three representatives designated by the EU Agencies Network (EUAN) on the basis of a proposal by its ICT Advisory Committee to represent the interests of the bodies, offices and agencies of the Union that run their own ICT environment, other than those referred to in point (a).

The Union_entities represented on the IICB shall aim to achieve gender balance among the designated representatives.

4.   Members of the IICB may be assisted by an alternate. Other representatives of the Union_entities referred to in paragraph 3 or of other Union_entities may be invited by the Chair to attend IICB meetings without voting power.

5.   The Head of cert-eu and the Chairs of the Cooperation Group, the CSIRTs network and EU-CyCLONe established, respectively, pursuant to Articles 14, 15 and 16 of Directive (EU) 2022/2555, or their alternates, may participate in IICB meetings as observers. In exceptional cases, the IICB may, in accordance with its internal rules of procedure, decide otherwise.

6.   The IICB shall adopt its internal rules of procedure.

7.   The IICB shall designate a Chair in accordance with its internal rules of procedure, from among its members for a period of three years. The Chair’s alternate shall become a full member of the IICB for the same duration.

8.   The IICB shall meet at least three times a year at the initiative of its Chair, at the request of cert-eu or at the request of any of its members.

9.   Each member of the IICB shall have one vote. The IICB’s decisions shall be taken by simple majority except where otherwise provided for in this Regulation. The Chair of the IICB shall not have a vote except in the event of a tied vote, in which case the Chair may cast a deciding vote.

10.   The IICB may act by means of a simplified written procedure initiated in accordance with its internal rules of procedure. Under that procedure, the relevant decision shall be deemed to be approved within the timeframe set by the Chair, except where a member objects.

11.   The secretariat of the IICB shall be provided by the Commission and shall be accountable to the Chair of the IICB.

12.   The representatives nominated by the EUAN shall relay the IICB’s decisions to the members of the EUAN. Any member of the EUAN shall be entitled to raise with those representatives or the Chair of the IICB any matter which it considers should be brought to the IICB’s attention.

13.   The IICB may establish an executive committee to assist it in its work, and delegate some of its tasks and powers to it. The IICB shall lay down the rules of procedure of the executive committee, including its tasks and powers, and the terms of office of its members.

14.   By 8 January 2025 and on an annual basis thereafter, the IICB shall submit a report to the European Parliament and to the Council detailing progress made with the implementation of this Regulation and specifying in particular the extent of cooperation of cert-eu with Member State counterparts in each of the Member States. The report shall constitute an input to the biennial report on the state of cybersecurity in the Union adopted pursuant to Article 18 of Directive (EU) 2022/2555.

1.   The IICB shall, pursuant to Article 10(2) and Article 11, effectively monitor the implementation of this Regulation and of adopted guidelines, recommendations and calls for action by the Union_entities. The IICB may request information or documentation necessary for that purpose from the Union_entities. For the purpose of adopting compliance measures under this Article, where the Union entity concerned is directly represented on the IICB, that Union entity shall not have voting rights.

2.   Where the IICB finds that a Union entity has not effectively implemented this Regulation or guidelines, recommendations or calls for action issued pursuant thereto, it may, without prejudice to the internal procedures of the Union entity concerned, and after giving an opportunity to the Union entity concerned to present its observations:

(a)	communicate a reasoned opinion to the Union entity concerned with observed gaps in the implementation of this Regulation;

(b)	provide, after consulting cert-eu, guidelines to the Union entity concerned to ensure that its Framework, cybersecurity risk-management measures, cybersecurity plan and reporting comply with this Regulation within a specified period;

(c)	issue a warning to address identified shortcomings within a specified period, including recommendations to amend measures adopted by the Union entity concerned pursuant to this Regulation;

(d)	issue a reasoned notification to the Union entity concerned, in the event that shortcomings identified in a warning issued pursuant to point (c) were not sufficiently addressed within the specified period;

(e)	issue: (i) a recommendation for an audit to be carried out; or (ii) a request that an audit be performed by a third-party audit service;

(f)	if applicable, inform the Court of Auditors, within the remit of its mandate, of the alleged non-compliance;

(g)	issue a recommendation that all Member States and Union_entities implement a temporary suspension of data flows to the Union entity concerned.

For the purposes of the first subparagraph, point (c), the audience of a warning shall be restricted appropriately, where necessary in view of the cybersecurity risk.

Warnings and recommendations issued pursuant to the first subparagraph shall be directed to the highest_level_of_management of the Union entity concerned.

3.   Where the IICB has adopted measures under paragraph 2, first subparagraph, points (a) to (g), the Union entity concerned shall provide details of the measures and actions taken to address the alleged shortcomings identified by the IICB. The Union entity shall submit those details within a reasonable period to be agreed with the IICB.

4.   Where the IICB considers that there is persistent infringement of this Regulation by a Union entity resulting directly from actions or omissions of an official or other servant of the Union, including at the highest_level_of_management, the IICB shall request that the Union entity concerned take appropriate action, including requesting it to consider taking action of a disciplinary nature, in accordance with the rules and procedures laid down in the Staff Regulations and any other applicable rules and procedures. To that end, the IICB shall transfer the necessary information to the Union entity concerned.

5.   Where Union_entities notify that they are unable to meet the deadlines set out in Article 6(1) and Article 8(1), the IICB may, in duly substantiated cases, taking into account the size of the Union entity, authorise the extension of those deadlines.

1.   cert-eu’s mission shall be to contribute to the security of the unclassified ICT environment of Union_entities by advising them on cybersecurity, by helping them to prevent, detect, handle, mitigate, respond to and recover from incidents and by acting as their cybersecurity information exchange and incident response coordination hub.

2.   cert-eu shall collect, manage, analyse and share information with the Union_entities on cyber_threats, vulnerabilities and incidents in unclassified ICT infrastructure. It shall coordinate responses to incidents at interinstitutional and Union entity level, including by providing or coordinating the provision of specialised operational assistance.

3.   cert-eu shall carry out the following tasks to assist the Union_entities:

(a)	support them with the implementation of this Regulation and contribute to the coordination of the implementation of this Regulation through the measures listed in Article 14(1) or through ad-hoc reports requested by the IICB;

(b)	offer standard CSIRT services for Union_entities by means of a package of cybersecurity services described in its service catalogue (baseline services);

(c)	maintain a network of peers and partners to support the services as outlined in Articles 17 and 18;

(d)	bring to the attention of the IICB any problems relating to the implementation of this Regulation and the implementation of guidelines, recommendations and calls for action;

(e)	on the basis of the information referred to in paragraph 2, contribute to the Union cyber situational awareness in close cooperation with ENISA;

(f)	coordinate the management of major incidents;

(g)	act on the part of Union_entities as the equivalent of the coordinator designated for the purposes of coordinated vulnerability disclosure pursuant to Article 12(1) of Directive (EU) 2022/2555;

(h)	provide, upon the request of a Union entity, proactive non-intrusive scanning of publicly accessible network_and_information_systems of that Union entity.

The information referred to in the first subparagraph, point (e), shall be shared with the IICB, the CSIRTs network and the European Union Intelligence and Situation Centre (EU INTCEN), where applicable and appropriate, and subject to appropriate confidentiality conditions.

4.   cert-eu may, in accordance with Article 17 or 18 as appropriate, cooperate with relevant cybersecurity communities within the Union and its Member States, including in the following areas:

(a)	preparedness, incident coordination, information exchange and crisis response at the technical level on cases linked to Union_entities;

(b)	operational cooperation regarding the CSIRTs network, including with regard to mutual assistance;

(c)	cyber_threat intelligence, including situational awareness;

(d)	on any topic requiring cert-eu’s technical cybersecurity expertise.

5.   Within its competence, cert-eu shall engage in structured cooperation with ENISA on capacity building, operational cooperation and long-term strategic analyses of cyber_threats in accordance with Regulation (EU) 2019/881. cert-eu may cooperate and exchange information with Europol’s European Cybercrime Centre.

6.   cert-eu may provide the following services not described in its service catalogue (chargeable services):

(a)

services that support the cybersecurity of Union_entities’ ICT environment, other than those referred to in paragraph 3, on the basis of service level agreements and subject to available resources, in particular broad-spectrum network monitoring, including first-line 24/7 monitoring for high-severity cyber_threats;

(b)	services that support cybersecurity operations or projects of Union_entities, other than those to protect their ICT environment, on the basis of written agreements and with the prior approval of the IICB;

(c)	upon request, a proactive scanning of the network_and_information_systems of the Union entity concerned to detect vulnerabilities with a potential significant impact;

(d)

services that support the security of their ICT environment to organisations other than the Union_entities that cooperate closely with Union_entities, for instance by having tasks or responsibilities conferred under Union law, on the basis of written agreements and with the prior approval of the IICB.

With regard to the first subparagraph, point (d), cert-eu may, on an exceptional basis, enter into service level agreements with entities other than the Union_entities with the prior approval of the IICB.

7.   cert-eu shall organise and may participate in cybersecurity exercises or recommend participation in existing exercises, where applicable in close cooperation with ENISA, to test the level of cybersecurity of the Union_entities.

8.   cert-eu may provide assistance to Union_entities regarding incidents in network_and_information_systems handling EUCI where it is explicitly requested to do so by the Union_entities concerned in accordance with their respective procedures. The provision of assistance by cert-eu under this paragraph shall be without prejudice to applicable rules concerning the protection of classified information.

9.   cert-eu shall inform Union_entities about its incident handling procedures and processes.

10.   cert-eu shall contribute, with a high level of confidentiality and reliability, via the appropriate cooperation mechanisms and reporting lines, relevant and anonymised information about major incidents and the manner in which they were handled. That information shall be included in the report referred to in Article 10(14).

11.   cert-eu shall, in cooperation with the EDPS, support the Union_entities concerned when addressing incidents resulting in personal data breaches, without prejudice to the competence and tasks of the EDPS as a supervisory authority under Regulation (EU) 2018/1725.

12.   cert-eu may, if expressly requested by Union_entities’ policy departments, provide technical advice or input on relevant policy matters.

1.   cert-eu shall support the implementation of this Regulation by issuing:

(a)	calls for action describing urgent security measures that Union_entities are urged to take within a set timeframe;

(b)	proposals to the IICB for guidelines addressed to all or a subset of the Union_entities;

(c)	proposals to the IICB for recommendations addressed to individual Union_entities.

With regard to the first subparagraph, point (a), the Union entity concerned shall, without undue delay after receiving the call for action, inform cert-eu of how the urgent security measures were applied.

2.   Guidelines and recommendations may include:

(a)

common methodologies and a model for assessing the cybersecurity maturity of the Union_entities, including the corresponding scales or KPIs, serving as reference in support of continuous cybersecurity improvement across the Union_entities and facilitating the prioritisation of cybersecurity domains and measures taking into account entities’ cybersecurity posture;

(b)	arrangements for or improvements to cybersecurity risk management and the cybersecurity risk-management measures;

(c)	arrangements for cybersecurity maturity assessments and cybersecurity plans;

(d)	where appropriate, the use of common technology, architecture, open source and associated best practices with the aim of achieving interoperability and common standards, including a coordinated approach to supply chain security;

(e)	where appropriate, information to facilitate the use of common procurement instruments for the purchasing of relevant cybersecurity services and products from third-party suppliers;

(f)	information-sharing arrangements pursuant to Article 20.

1.   The Commission, after obtaining the approval of a majority of two thirds of the members of the IICB, shall appoint the Head of cert-eu. The IICB shall be consulted at all stages of the appointment procedure, in particular with regard to drafting vacancy notices, examining applications and appointing selection boards in relation to the post. The selection procedure, including the final shortlist of candidates from which the Head of cert-eu is to be appointed, shall ensure fair representation of each gender, taking into account the applications submitted.

2.   The Head of cert-eu shall be responsible for the proper functioning of cert-eu and shall act within the remit of his or her role and under the direction of the IICB. The Head of cert-eu shall report regularly to the Chair of the IICB and shall submit ad-hoc reports to the IICB upon its request.

3.   The Head of cert-eu shall assist the responsible authorising officer by delegation in drafting the annual activity report containing financial and management information, including the results of controls, drawn up in accordance with Article 74(9) of Regulation (EU, Euratom) 2018/1046 of the European Parliament and of the Council (9), and shall report regularly to the authorising officer by delegation on the implementation of measures in respect of which powers have been sub-delegated to the Head of cert-eu.

4.   The Head of cert-eu shall draw up, on an annual basis, a financial planning of administrative revenue and expenditure for its activities, a proposed annual work programme, a proposed service catalogue for cert-eu, proposed revisions of the service catalogue, proposed arrangements for service level agreements and proposed KPIs for cert-eu, to be approved by the IICB in accordance with Article 11. When revising the list of services in cert-eu’s service catalogue, the Head of cert-eu shall take into account the resources allocated to cert-eu.

5.   The Head of cert-eu shall submit reports at least annually to the IICB and the Chair of the IICB on the activities and performance of cert-eu during the reference period, including on the implementation of the budget, service level agreements and written agreements entered into, cooperation with counterparts and partners, and missions undertaken by staff, including the reports referred to in Article 11. Those reports shall include a work programme for the following period, financial planning of revenue and expenditure, including staffing, planned updates of cert-eu’s service catalogue and an assessment of the expected impact that such updates may have with regard to financial and human resources.

1.   cert-eu shall be integrated into the administrative structure of a directorate-general of the Commission in order to benefit from the Commission’s administrative, financial management and accounting support structures, while maintaining its status as an autonomous interinstitutional service provider for all Union_entities. The Commission shall inform the IICB of the administrative location of cert-eu and any changes thereto. The Commission shall review the administrative arrangements related to cert-eu on a regular basis and in any event before the establishment of any multiannual financial framework pursuant to Article 312 TFEU, in order to allow for appropriate action to be taken. The review shall include the possibility of establishing cert-eu as a Union office.

2.   For the application of administrative and financial procedures, the Head of cert-eu shall act under the authority of the Commission and under the supervision of the IICB.

3.   cert-eu’s tasks and activities, including services provided by cert-eu pursuant to Article 13(3), (4), (5) and (7) and Article 14(1) to Union_entities financed from the heading of the multiannual financial framework dedicated to European public administration, shall be funded by means of a distinct budget line of the Commission budget. The posts earmarked for cert-eu shall be detailed in a footnote to the Commission establishment plan.

4.    Union_entities other than those referred to in paragraph 3 of this Article shall make an annual financial contribution to cert-eu to cover the services provided by cert-eu pursuant to that paragraph. The contributions shall be based on orientations given by the IICB and agreed between each Union entity and cert-eu in service level agreements. The contributions shall represent a fair and proportionate share of the total costs of services provided. They shall be received by the distinct budget line referred to in paragraph 3 of this Article, as internal assigned revenue, as provided for in Article 21(3), point (c), of Regulation (EU, Euratom) 2018/1046.

5.   The costs of the services provided for in Article 13(6) shall be recovered from the Union_entities receiving cert-eu services. The revenues shall be assigned to the budget lines supporting the costs.

1.   cert-eu shall, without undue delay, cooperate and exchange information with Member State counterparts, in particular the CSIRTs designated or established pursuant to Article 10 of Directive (EU) 2022/2555, or, where applicable, the competent authorities and single points of contact designated or established pursuant to Article 8 of that Directive, with regard to incidents, cyber_threats, vulnerabilities, near_misses, possible countermeasures as well as best practices and on all matters relevant for improving the protection of the ICT environments of Union_entities, including by means of the CSIRTs network established pursuant to Article 15 of Directive (EU) 2022/2555. cert-eu shall support the Commission in EU-CyCLONe established pursuant to Article 16 of Directive (EU) 2022/2555 on the coordinated management of large-scale cybersecurity incidents and crises.

2.   Where cert-eu becomes aware of a significant incident occurring within the territory of a Member State, it shall, without delay, notify any relevant counterpart in that Member State, in accordance with paragraph 1.

3.   Provided that personal data are protected in accordance with applicable Union data protection law, cert-eu shall, without undue delay, exchange relevant incident-specific information with Member State counterparts to facilitate detection of similar cyber_threats or incidents, or to contribute to the analysis of an incident, without the authorisation of the Union entity affected. cert-eu shall exchange incident-specific information which reveals the identity of the target of the incident only in the event of one of the following:

(a)	the Union entity affected consents;

(b)	the Union entity affected does not consent as provided for in point (a) but the disclosure of the identity of the Union entity affected would increase the probability that incidents elsewhere would be avoided or mitigated;

(c)	the Union entity affected has already made public that it was affected.

Decisions to exchange incident-specific information which reveals the identity of the target of the incident pursuant to the first subparagraph, point (b), shall be endorsed by the Head of cert-eu. Prior to issuing such a decision, cert-eu shall contact the Union entity affected in writing, explaining clearly how the disclosure of its identity would help to avoid or mitigate incidents elsewhere. The Head of cert-eu shall provide the explanation and explicitly request the Union entity to state whether it consents within a set timeframe. The Head of cert-eu shall also inform the Union entity that, in light of the explanation provided, he or she reserves the right to disclose the information even in the absence of consent. The Union entity affected shall be informed before the information is disclosed.

1.   cert-eu may cooperate with counterparts in the Union other than those referred to in Article 17 which are subject to Union cybersecurity requirements, including industry sector-specific counterparts, on tools and methods, such as techniques, tactics, procedures and best practices, and on cyber_threats and vulnerabilities. For all cooperation with such counterparts, cert-eu shall seek prior approval from the IICB on a case-by-case basis. Where cert-eu establishes cooperation with such counterparts, it shall inform any relevant Member State counterparts referred to in Article 17(1), in the Member State in which the counterpart is located. Where applicable and appropriate, such cooperation and the conditions thereof, including regarding cybersecurity, data protection and information handling, shall be established in specific confidentiality arrangements such as contracts or administrative arrangements. The confidentiality arrangements shall not require prior approval by the IICB, but the Chair of the IICB shall be informed. In the case of an urgent and imminent need to exchange cybersecurity information in the interests of Union_entities or another party, cert-eu may do so with an entity whose specific competence, capacity and expertise are justifiably required to assist with such an urgent and imminent need, even if cert-eu does not have a confidentiality arrangement in place with that entity. In such cases, cert-eu shall immediately inform the Chair of the IICB, and shall report to the IICB by means of regular reports or meetings.

2.   cert-eu may cooperate with partners, such as commercial entities, including industry sector-specific entities, international organisations, non-Union national entities or individual experts, to gather information on general and specific cyber_threats, near_misses, vulnerabilities and possible countermeasures. For wider cooperation with such partners, cert-eu shall seek prior approval from the IICB on a case-by-case basis.

3.   cert-eu may, with the consent of the Union entity affected by an incident and provided that a non-disclosure arrangement or contract is in place with the relevant counterpart or partner, provide information related to the specific incident to counterparts or partners referred to in paragraphs 1 and 2 solely for the purpose of contributing to its analysis.

1.    Union_entities and cert-eu shall respect the obligation of professional secrecy in accordance with Article 339 TFEU or equivalent applicable frameworks.

2.   Regulation (EC) No 1049/2001 of the European Parliament and of the Council (10) shall apply with regard to requests for public access to documents held by cert-eu, including the obligation under that Regulation to consult other Union_entities or, where relevant, Member States, whenever a request concerns their documents.

3.   The handling of information by Union_entities and cert-eu shall comply with the applicable rules on information security.

1.    Union_entities may, on a voluntary basis, notify cert-eu of, and provide it with information on, incidents, cyber_threats, near_misses and vulnerabilities that affect them. cert-eu shall ensure that efficient means of communication, with a high level of traceability, confidentiality and reliability, are available for the purpose of facilitating information sharing with the Union_entities. When processing notifications, cert-eu may prioritise the processing of mandatory notifications over voluntary notifications. Without prejudice to Article 12, voluntary notification shall not result in the imposition of any additional obligations upon the reporting Union entity to which it would not have been subject had it not submitted the notification.

2.   To perform its mission and tasks conferred pursuant to Article 13, cert-eu may request Union_entities to provide it with information from their respective ICT system inventories, including information relating to cyber_threats, near_misses, vulnerabilities, indicators of compromise, cybersecurity alerts and recommendations regarding configuration of cybersecurity tools to detect incidents. The requested Union entity shall transmit the requested information, and any subsequent updates thereto, without undue delay.

3.   cert-eu may exchange incident-specific information with Union_entities which reveals the identity of the Union entity affected by the incident, provided that the Union entity affected consents. Where a Union entity withholds its consent, it shall provide cert-eu with reasons substantiating that decision.

4.    Union_entities shall, upon request, share information with the European Parliament and the Council on the completion of cybersecurity plans.

5.   The IICB or cert-eu, as applicable, shall, upon request, share guidelines, recommendations and calls for action with the European Parliament and the Council.

6.   The sharing obligations laid down in this Article shall not extend to:

(a)

EUCI;

(b)	information the further distribution of which has been excluded by means of a visible marking, unless the sharing thereof with cert-eu has been explicitly allowed.

1.   An incident shall be considered to be significant if:

(a)	it has caused or is capable of causing severe operational disruption to the functioning of, or financial loss to, the Union entity concerned;

(b)	it has affected or is capable of affecting other natural or legal persons by causing considerable material or non-material damage.

2.    Union_entities shall submit to cert-eu:

(a)

without undue delay and in any event within 24 hours of becoming aware of the significant incident, an early warning, which, where applicable, shall indicate that the significant incident is suspected of being caused by unlawful or malicious acts or could have a cross-entity or a cross-border impact;

(b)

without undue delay and in any event within 72 hours of becoming aware of the significant incident, an incident notification, which, where applicable, shall update the information referred to in point (a) and indicate an initial assessment of the significant incident, including its severity and impact, as well as, where available, the indicators of compromise;

(c)	upon the request of cert-eu, an intermediate report on relevant status updates;

(d)

a final report not later than one month after the submission of the incident notification under point (b), including the following: (i) a detailed description of the incident, including its severity and impact; (ii) the type of threat or root cause that is likely to have triggered the incident; (iii) applied and ongoing mitigation measures; (iv) where applicable, the cross-border or cross-entity impact of the incident;

(e)	in the event of an ongoing incident at the time of the submission of the final report referred to in point (d), a progress report at that time and a final report within one month of their handling of the incident.

3.   A Union entity shall, without undue delay and in any event within 24 hours of becoming aware of a significant incident, inform any relevant Member State counterparts referred to in Article 17(1) in the Member State where it is located that a significant incident has occurred.

4.   The Union_entities shall notify, inter alia, any information enabling cert-eu to determine any cross-entity impact, impact on the hosting Member State or cross-border impact following a significant incident. Without prejudice to Article 12, the mere act of notification shall not subject the Union entity to increased liability.

5.   Where applicable, Union_entities shall communicate, without undue delay, to the users of the network_and_information_systems affected, or of other components of the ICT environment, that are potentially affected by a significant incident or a significant cyber_threat, and, where appropriate, need to take mitigating measures, any measures or remedies that they can take in response to that incident or that threat. Where appropriate, Union_entities shall inform those users of the significant cyber_threat itself.

6.   Where a significant incident or significant cyber_threat affects a network_and_information_system, or a component of a Union entity’s ICT environment that is knowingly connected with another Union entity’s ICT environment, cert-eu shall issue a relevant cybersecurity alert.

7.   The Union_entities, upon the request of cert-eu, shall, without undue delay, provide cert-eu with digital information created by the use of electronic devices involved in their respective incidents. cert-eu may provide further details of the types of information that it requires for situational awareness and incident response.

8.   cert-eu shall submit to the IICB, ENISA, the EU INTCEN and the CSIRTs network, every three months, a summary report including anonymised and aggregated data on significant incidents, incidents, cyber_threats, near_misses and vulnerabilities pursuant to Article 20 and significant incidents notified pursuant to paragraph 2 of this Article. The summary report shall constitute an input to the biennial report on the state of cybersecurity in the Union adopted pursuant to Article 18 of Directive (EU) 2022/2555.

9.   By 8 July 2024, the IICB shall issue guidelines or recommendations further specifying the arrangements for, and format and content of, the reporting pursuant to this Article. When preparing such guidelines or recommendations, the IICB shall take into account any implementing acts adopted pursuant to Article 23(11) of Directive (EU) 2022/2555 specifying the type of information, the format and the procedure of notifications. cert-eu shall disseminate the appropriate technical details to enable proactive detection, incident response or mitigating measures by Union_entities.

10.   The reporting obligations laid down in this Article shall not extend to:

(a)

EUCI;

(b)	information the further distribution of which has been excluded by means of a visible marking, unless the sharing thereof with cert-eu has been explicitly allowed.

1.   In acting as a cybersecurity information exchange and incident response coordination hub, cert-eu shall facilitate information exchange with regards to incidents, cyber_threats, vulnerabilities and near_misses among:

(a)	Union_entities;

(b)	the counterparts referred to in Articles 17 and 18.

2.   cert-eu, where relevant in close cooperation with ENISA, shall facilitate coordination among Union_entities on incident response, including:

(a)	contribution to consistent external communication;

(b)	mutual support, such as sharing information relevant to Union_entities, or providing assistance, where relevant directly on site;

(c)	optimal use of operational resources;

(d)	coordination with other crisis response mechanisms at Union level.

3.   cert-eu, in close cooperation with ENISA, shall support Union_entities regarding situational awareness of incidents, cyber_threats, vulnerabilities and near_misses as well as sharing relevant developments in the field of cybersecurity.

4.   By 8 January 2025, the IICB shall, on the basis of a proposal by cert-eu, adopt guidelines or recommendations on incident response coordination and cooperation for significant incidents. Where the criminal nature of an incident is suspected, cert-eu shall advise on how to report the incident to law enforcement authorities, without undue delay.

5.   Following a specific request from a Member State and with the approval of the Union_entities concerned, cert-eu may call on experts from the list referred to in Article 23(4), for contributing to the response to a major incident which has an impact in that Member State, or a large-scale cybersecurity incident in accordance with Article 15(3), point (g), of Directive (EU) 2022/2555. Specific rules on access to and the use of technical experts from Union_entities shall be approved by the IICB on the basis of a proposal by cert-eu.

1.   In order to support at operational level the coordinated management of major incidents affecting Union_entities and to contribute to the regular exchange of relevant information among Union_entities and with Member States, the IICB shall, pursuant to Article 11, point (q), establish a cyber crisis management plan based on the activities referred to in Article 22(2), in close cooperation with cert-eu and ENISA. The cyber crisis management plan shall include at least the following elements:

(a)	arrangements concerning coordination and information flow among Union_entities for the management of major incidents at operational level;

(b)	common standard operating procedures (SOPs);

(c)	a common taxonomy of major incident severity and crisis triggering points;

(d)	regular exercises;

(e)	secure communication channels that are to be used.

2.   The Commission representative in the IICB shall, subject to the cyber crisis management plan established pursuant to paragraph 1 of this Article and without prejudice to Article 16(2), first subparagraph, of Directive (EU) 2022/2555, be the point of contact for the sharing of relevant information in relation to major incidents with EU-CyCLONe.

3.   cert-eu shall coordinate among the Union_entities the management of major incidents. It shall maintain an inventory of the available technical expertise that would be needed for incident response in the event of major incidents and assist the IICB in coordinating Union_entities’ cyber crisis management plans for major incidents referred to in Article 9(2).

4.   The Union_entities shall contribute to the inventory of technical expertise by providing an annually updated list of experts available within their respective organisations detailing their specific technical skills.

1.   By 8 January 2025 and on an annual basis thereafter, the IICB, with the assistance of cert-eu, shall report to the Commission on the implementation of this Regulation. The IICB may make recommendations to the Commission to review this Regulation.

2.   By 8 January 2027 and every two years thereafter, the Commission shall assess and report on the implementation of this Regulation and on the experience gained at a strategic and operational level to the European Parliament and to the Council.

The report referred to in the first subparagraph of this paragraph shall include the review referred to in Article 16(1), on the possibility of establishing cert-eu as a Union office.

3.   By 8 January 2029, the Commission shall evaluate the functioning of this Regulation and submit a report to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions. The Commission shall also evaluate the appropriateness of including network_and_information_systems handling EUCI within the scope of this Regulation, taking into account other Union legislative acts applicable to those systems. The report shall be accompanied, where necessary, by a legislative proposal.