Cyber Resilience Act 2023/2841 EN

(1)	‘ Union_entities’ means the Union institutions, bodies, offices and agencies set up by or pursuant to the Treaty on European Union, the Treaty on the Functioning of European Union (TFEU) or the Treaty establishing the European Atomic Energy Community;

(2)	‘ network_and_information_system’ means a network_and_information_system as defined in Article 6, point (1), of Directive (EU) 2022/2555;

(3)	‘security of network_and_information_systems’ means security of network_and_information_systems as defined in Article 6, point (2), of Directive (EU) 2022/2555;

(4)	‘ cybersecurity’ means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881;

(5)

‘ highest_level_of_management’ means a manager, management body or coordination and oversight body that is responsible for the functioning of a Union entity, at the most senior administrative level, with a mandate to adopt or authorise decisions in line with the high-level governance arrangements of that Union entity, without prejudice to the formal responsibilities of other levels of management for compliance and cybersecurity risk management in their respective areas of responsibility;

(6)	‘ near_miss’ means a near_miss as defined in Article 6, point (5), of Directive (EU) 2022/2555;

(7)	‘ incident’ means an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555;

(8)	‘major incident’ means an incident which causes a level of disruption that exceeds a Union entity’s and CERT-EU’s capacity to respond to it or which has a significant impact on at least two Union_entities;

(9)	‘large-scale cybersecurity incident’ means a large-scale cybersecurity incident as defined in Article 6, point (7), of Directive (EU) 2022/2555;

(10)	‘ incident handling’ means incident handling as defined in Article 6, point (8), of Directive (EU) 2022/2555;

(11)	‘ cyber_threat’ means a cyber_threat as defined in Article 2, point (8), of Regulation (EU) 2019/881;

(12)	‘significant cyber_threat’ means a significant cyber_threat as defined in Article 6, point (11), of Directive (EU) 2022/2555;

(13)	‘ vulnerability’ means a vulnerability as defined in Article 6, point (15), of Directive (EU) 2022/2555;

(14)	‘ cybersecurity risk’ means a risk as defined in Article 6, point (9), of Directive (EU) 2022/2555;

(15)	‘ cloud_computing_service’ means a cloud_computing_service as defined in Article 6, point (30), of Directive (EU) 2022/2555.

Article 6

Cybersecurity risk-management, governance and control framework

1. By 8 April 2025, each Union entity shall, after carrying out an initial cybersecurity review, such as an audit, establish an internal cybersecurity risk-management, governance and control framework (the ‘Framework’). The establishment of the Framework shall be overseen by and under the responsibility of the Union entity’s highest_level_of_management.

2. The Framework shall cover the entirety of the unclassified ICT environment of the Union entity concerned, including any on-premises ICT environment, operational technology network, outsourced assets and services in cloud computing environments or hosted by third parties, mobile devices, corporate networks, business networks not connected to the internet and any devices connected to those environments (ICT environment). The Framework shall be based on an all-hazards approach.

3. The Framework shall ensure a high level of cybersecurity. The Framework shall establish internal cybersecurity policies, including objectives and priorities, for the security of network_and_information_systems, and the roles and responsibilities of the Union entity’s staff tasked with ensuring the effective implementation of this Regulation. The Framework shall also include mechanisms to measure the effectiveness of the implementation.

4. The Framework shall be reviewed on a regular basis, in light of the changing cybersecurity risks, and at least every four years. Where appropriate and following a request from the Interinstitutional Cybersecurity Board established pursuant to Article 10, a Union entity’s Framework may be updated on the basis of guidance from CERT-EU on incidents identified or possible gaps observed in the implementation of this Regulation.

5. The highest_level_of_management of each Union entity shall be responsible for the implementation of this Regulation and shall oversee the compliance of its organisation with the obligations related to the Framework.

6. Where appropriate and without prejudice to its responsibility for the implementation of this Regulation, the highest_level_of_management of each Union entity may delegate specific obligations under this Regulation to senior officials within the meaning of Article 29(2) of the Staff Regulations or other officials at equivalent level, within the Union entity concerned. Regardless of any such delegation, the highest_level_of_management may be held liable for infringements of this Regulation by the Union entity concerned.

7. Each Union entity shall have effective mechanisms in place to ensure that an adequate percentage of the ICT budget is spent on cybersecurity. Due account shall be taken of the Framework when establishing that percentage.

8. Each Union entity shall appoint a local cybersecurity officer or an equivalent function who shall act as its single point of contact regarding all aspects of cybersecurity. The local cybersecurity officer shall facilitate the implementation of this Regulation and report directly to the highest_level_of_management on a regular basis on the state of the implementation. Without prejudice to the local cybersecurity officer being the single point of contact in each Union entity, a Union entity may delegate certain tasks of the local cybersecurity officer with regard to the implementation of this Regulation to CERT-EU on the basis of a service level agreement concluded between that Union entity and CERT-EU, or those tasks may be shared by several Union_entities. Where those tasks are delegated to CERT-EU, the Interinstitutional Cybersecurity Board established pursuant to Article 10 shall decide whether the provision of that service is to be part of the baseline services of CERT-EU, taking into account the human and financial resources of the Union entity concerned. Each Union entity shall, without undue delay, notify CERT-EU of the local cybersecurity officer appointed and any subsequent change thereto.

CERT-EU shall establish and keep updated a list of appointed local cybersecurity officers.

9. The senior officials within the meaning of Article 29(2) of the Staff Regulations or other officials at equivalent level of each Union entity, as well as all relevant members of staff tasked with implementing the cybersecurity risk-management measures and with fulfilling obligations laid down in this Regulation, shall follow specific training on a regular basis with a view to gaining sufficient knowledge and skills in order to apprehend and assess cybersecurity risk- and management practices and their impact on the operations of the Union entity.

Article 8

Cybersecurity risk-management measures

1. Without undue delay and in any event by 8 September 2025, each Union entity shall, under the oversight of its highest_level_of_management, take appropriate and proportionate technical, operational and organisational measures to manage the cybersecurity risks identified under the Framework, and to prevent or minimise the impact of incidents. Taking into account the state of the art and, where applicable, relevant European and international standards, those measures shall ensure a level of security of network_and_information_systems across the entirety of the ICT environment commensurate to the cybersecurity risks posed. When assessing the proportionality of those measures, due account shall be taken of the degree of the Union entity’s exposure to cybersecurity risks, its size and the likelihood of occurrence of incidents and their severity, including their societal, economic and interinstitutional impact.

2. Union_entities shall address at least the following domains in the implementation of the cybersecurity risk-management measures:

(a)	cybersecurity policy, including measures needed to reach objectives and priorities referred to in Article 6 and paragraph 3 of this Article;

(b)	policies on cybersecurity risk analysis and information system security;

(c)	policy objectives regarding the use of cloud_computing_services;

(d)	cybersecurity audit, where appropriate, which may include a cybersecurity risk, vulnerability and cyber_threat assessment, and penetration testing carried out by a trusted private provider on a regular basis;

(e)	implementation of recommendations resulting from cybersecurity audits referred to in point (d) through cybersecurity and policy updates;

(f)	organisation of cybersecurity, including establishment of roles and responsibilities;

(g)	asset management, including ICT asset inventory and ICT network cartography;

(h)	human resources security and access control;

(i)	operations security;

(j)	communications security;

(k)	system acquisition, development and maintenance, including policies on vulnerability handling and disclosure;

(l)	where possible, policies on the transparency of the source code;

(m)	supply chain security, including security-related aspects concerning the relationships between each Union entity and its direct suppliers or service providers;

(n)	incident handling and cooperation with CERT-EU, such as the maintenance of security monitoring and logging;

(o)	business continuity management, such as backup management and disaster recovery, and crisis management; and

(p)	promotion and development of cybersecurity education, skills, awareness-raising, exercise and training programmes.

For the purposes of the first subparagraph, point (m), Union_entities shall take into account the vulnerabilities specific to each direct supplier and service provider and the overall quality of products and cybersecurity practices of their suppliers and service providers, including their secure development procedures.

3. Union_entities shall take at least the following specific cybersecurity risk-management measures:

(a)	technical arrangements to enable and sustain teleworking;

(b)	concrete steps for moving towards zero-trust principles;

(c)	the use of multifactor authentication as a norm across network_and_information_systems;

(d)	the use of cryptography and encryption, in particular end-to-end encryption, as well as secure digital signing;

(e)	where appropriate, secured voice, video and text communications, and secured emergency communications systems within the Union entity;

(f)	proactive measures for detection and removal of malware and spyware;

(g)	the establishment of software supply chain security through criteria for secure software development and evaluation;

(h)	the establishment and adoption of training programmes on cybersecurity commensurate to the prescribed tasks and expected capabilities for the highest_level_of_management and members of staff of the Union entity tasked with ensuring the effective implementation of this Regulation;

(i)	regular cybersecurity training of staff members;

(j)	where relevant, participation in interconnectivity risk analyses between the Union_entities;

(k)

the enhancement of procurement rules to facilitate a high common level of cybersecurity through:

(i)	the removal of contractual barriers that limit information sharing from ICT service providers about incidents, vulnerabilities and cyber_threats with CERT-EU;

(ii)	contractual obligations to report incidents, vulnerabilities and cyber_threats as well as to have appropriate incident response and monitoring mechanisms in place.

Article 9

Cybersecurity plans

1. Following the conclusion of the cybersecurity maturity assessment carried out pursuant to Article 7 and taking into account the assets and cybersecurity risks identified in the Framework as well as the cybersecurity risk-management measures taken pursuant to Article 8, the highest_level_of_management of each Union entity shall approve a cybersecurity plan without undue delay and in any event by 8 January 2026. The cybersecurity plan shall aim at increasing the overall cybersecurity of the Union entity and shall thereby contribute to the enhancement of a high common level of cybersecurity within the Union_entities. The cybersecurity plan shall include at least the cybersecurity risk-management measures taken pursuant to Article 8. The cybersecurity plan shall be revised every two years, or more frequently where necessary, following the cybersecurity maturity assessments carried out pursuant to Article 7 or any substantial review of the Framework.

2. The cybersecurity plan shall include the Union entity’s cyber crisis management plan for major incidents.

3. The Union entity shall submit the completed cybersecurity plan to the Interinstitutional Cybersecurity Board established pursuant to Article 10.

CHAPTER III

INTERINSTITUTIONAL CYBERSECURITY BOARD

Article 21

Reporting obligations

1. An incident shall be considered to be significant if:

(a)	it has caused or is capable of causing severe operational disruption to the functioning of, or financial loss to, the Union entity concerned;

(b)	it has affected or is capable of affecting other natural or legal persons by causing considerable material or non-material damage.

2. Union_entities shall submit to CERT-EU:

(a)

without undue delay and in any event within 24 hours of becoming aware of the significant incident, an early warning, which, where applicable, shall indicate that the significant incident is suspected of being caused by unlawful or malicious acts or could have a cross-entity or a cross-border impact;

(b)

without undue delay and in any event within 72 hours of becoming aware of the significant incident, an incident notification, which, where applicable, shall update the information referred to in point (a) and indicate an initial assessment of the significant incident, including its severity and impact, as well as, where available, the indicators of compromise;

(c)	upon the request of CERT-EU, an intermediate report on relevant status updates;

(d)

a final report not later than one month after the submission of the incident notification under point (b), including the following:

(i)	a detailed description of the incident, including its severity and impact;

(ii)	the type of threat or root cause that is likely to have triggered the incident;

(iii)

applied and ongoing mitigation measures;

(iv)	where applicable, the cross-border or cross-entity impact of the incident;

(e)	in the event of an ongoing incident at the time of the submission of the final report referred to in point (d), a progress report at that time and a final report within one month of their handling of the incident.

3. A Union entity shall, without undue delay and in any event within 24 hours of becoming aware of a significant incident, inform any relevant Member State counterparts referred to in Article 17(1) in the Member State where it is located that a significant incident has occurred.

4. The Union_entities shall notify, inter alia, any information enabling CERT-EU to determine any cross-entity impact, impact on the hosting Member State or cross-border impact following a significant incident. Without prejudice to Article 12, the mere act of notification shall not subject the Union entity to increased liability.

5. Where applicable, Union_entities shall communicate, without undue delay, to the users of the network_and_information_systems affected, or of other components of the ICT environment, that are potentially affected by a significant incident or a significant cyber_threat, and, where appropriate, need to take mitigating measures, any measures or remedies that they can take in response to that incident or that threat. Where appropriate, Union_entities shall inform those users of the significant cyber_threat itself.

6. Where a significant incident or significant cyber_threat affects a network_and_information_system, or a component of a Union entity’s ICT environment that is knowingly connected with another Union entity’s ICT environment, CERT-EU shall issue a relevant cybersecurity alert.

7. The Union_entities, upon the request of CERT-EU, shall, without undue delay, provide CERT-EU with digital information created by the use of electronic devices involved in their respective incidents. CERT-EU may provide further details of the types of information that it requires for situational awareness and incident response.

8. CERT-EU shall submit to the IICB, ENISA, the EU INTCEN and the CSIRTs network, every three months, a summary report including anonymised and aggregated data on significant incidents, incidents, cyber_threats, near_misses and vulnerabilities pursuant to Article 20 and significant incidents notified pursuant to paragraph 2 of this Article. The summary report shall constitute an input to the biennial report on the state of cybersecurity in the Union adopted pursuant to Article 18 of Directive (EU) 2022/2555.

9. By 8 July 2024, the IICB shall issue guidelines or recommendations further specifying the arrangements for, and format and content of, the reporting pursuant to this Article. When preparing such guidelines or recommendations, the IICB shall take into account any implementing acts adopted pursuant to Article 23(11) of Directive (EU) 2022/2555 specifying the type of information, the format and the procedure of notifications. CERT-EU shall disseminate the appropriate technical details to enable proactive detection, incident response or mitigating measures by Union_entities.

10. The reporting obligations laid down in this Article shall not extend to:

(a)

EUCI;

(b)	information the further distribution of which has been excluded by means of a visible marking, unless the sharing thereof with CERT-EU has been explicitly allowed.

whereas

keyboard_tab Cyber Resilience Act 2023/2841 EN

Cyber Resilience Act 2023/2841 EN