keyboard_tab Cyber Resilience Act 2023/2841 EN
BG CS DA DE EL EN ES ET FI FR GA HR HU IT LV LT MT NL PL PT RO SK SL SV print pdf
- 1 Art. 4 Processing of personal data
- 1 Art. 11 Tasks of the IICB
- 3 Art. 13 CERT-EU mission and tasks
- 4 Art. 17 Cooperation of CERT-EU with Member State counterparts
- 1 Art. 18 Cooperation of CERT-EU with other counterparts
- 1 Art. 20 Cybersecurity information-sharing arrangements
- 2 Art. 22 Incident response coordination and cooperation
- 1 Art. 23 Management of major incidents
CHAPTER I
GENERAL PROVISIONS
CHAPTER II
MEASURES FOR A HIGH COMMON LEVEL OF CYBERSECURITY
CHAPTER III
INTERINSTITUTIONAL CYBERSECURITY BOARD
CHAPTER IV
CERT-EU
CHAPTER V
COOPERATION AND REPORTING OBLIGATIONS
CHAPTER VI
FINAL PROVISIONS
- Union entities
- network and information system
- security of network and information systems
- cybersecurity
- highest level of management
- near miss
- incident
- major incident
- large-scale cybersecurity incident
- incident handling
- cyber threat
- significant cyber threat
- vulnerability
- cybersecurity risk
- cloud computing service
- shall 55
- cert-eu 53
- union_entities 44
- article 43
- information 38
- cybersecurity 33
- union 30
- incidents 27
- entity 23
- incident 21
- cooperation 21
- iicb 20
- pursuant 20
- cert-eu 18
- basis 17
- level 17
- referred 16
- management 15
- relevant 15
- such 14
- regulation 14
- major 14
- exchange 14
- support 12
- eu / 12
- data 12
- including 12
- counterparts 11
- cyber_threats 11
- member 11
- provide 11
- affected 11
- from 10
- head 10
- coordination 10
- response 10
- without 10
- state 10
- crisis 9
- specific 9
- proposal 9
- directive 9
- services 9
- technical 9
- vulnerabilities 9
- tasks 9
- established 9
- which 9
- approve 8
- accordance 8
Article 4
Processing of personal data
1. The processing of personal data under this Regulation by CERT-EU, the Interinstitutional Cybersecurity Board established pursuant to Article 10 and Union_entities shall be carried out in accordance with Regulation (EU) 2018/1725.
2. Where they perform tasks or fulfil obligations pursuant to this Regulation, CERT-EU, the Interinstitutional Cybersecurity Board established pursuant to Article 10 and Union_entities shall process and exchange personal data only to the extent necessary and for the sole purpose of performing those tasks or fulfilling those obligations.
3. The processing of special categories of personal data as referred to in Article 10(1) of Regulation (EU) 2018/1725 shall be considered to be necessary for reasons of substantial public interest pursuant to Article 10(2), point (g), of that Regulation. Such data may be processed only to the extent necessary for the implementation of cybersecurity risk-management measures referred to in Articles 6 and 8, for the provision of services by CERT-EU pursuant to Article 13, for the sharing of incident-specific information pursuant to Article 17(3) and Article 18(3), for the sharing of information pursuant Article 20, for the reporting obligations pursuant to Article 21, for incident response coordination and cooperation pursuant to Article 22 and for the management of major incidents pursuant to Article 23 of this Regulation. The Union_entities and CERT-EU, when acting as data controllers, shall apply technical measures to prevent the processing of special categories of personal data for other purposes and shall provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subjects.
CHAPTER II
MEASURES FOR A HIGH COMMON LEVEL OF CYBERSECURITY
Article 11
Tasks of the IICB
When exercising its responsibilities, the IICB shall, in particular:
| (a) | provide guidance to the Head of CERT-EU; |
| (b) | effectively monitor and supervise the implementation of this Regulation and support the Union_entities in strengthening their cybersecurity, including, where appropriate, requesting ad-hoc reports from Union_entities and CERT-EU; |
| (c) | following a strategic discussion, adopt a multiannual strategy on raising the level of cybersecurity in the Union_entities, asses that strategy on a regular basis and in any event every five years and, where necessary, amend that strategy; |
| (d) | establish the methodology and organisational aspects for the conduct of voluntary peer reviews by Union_entities, with a view to learning from shared experiences, strengthening mutual trust, achieving a high common level of cybersecurity, as well as enhancing Union_entities’ cybersecurity capabilities, ensuring that such peer reviews are conducted by cybersecurity experts designated by a Union entity different from the Union entity being reviewed and that the methodology is based on Article 19 of Directive (EU) 2022/2555 and is, where appropriate, adapted to the Union_entities; |
| (e) | approve, on the basis of a proposal by the Head of CERT-EU, CERT-EU’s annual work programme and monitor its implementation; |
| (f) | approve, on the basis of a proposal by the Head of CERT-EU, CERT-EU’s service catalogue and any updates thereof; |
| (g) | approve, on the basis of a proposal by the Head of CERT-EU, the annual financial planning of revenue and expenditure, including staffing, for CERT-EU activities; |
| (h) | approve, on the basis of a proposal by the Head of CERT-EU, the arrangements for service level agreements; |
| (i) | examine and approve the annual report drawn up by the Head of CERT-EU covering the activities of, and management of funds by, CERT-EU; |
| (j) | approve and monitor key performance indicators (KPIs) for CERT-EU established on the basis of a proposal by the Head of CERT-EU; |
| (k) | approve cooperation arrangements, service level agreements or contracts between CERT-EU and other entities pursuant to Article 18; |
| (l) | adopt guidelines and recommendations on the basis of a proposal by CERT-EU in accordance with Article 14 and instruct CERT-EU to issue, withdraw or modify a proposal for guidelines or recommendations, or a call for action; |
| (m) | establish technical advisory groups with specific tasks to assist the IICB’s work, approve their terms of reference and designate their respective Chairs; |
| (n) | receive and assess documents and reports submitted by the Union_entities under this Regulation, such as cybersecurity maturity assessments; |
| (o) | facilitate the establishment of an informal group of local cybersecurity officers of Union_entities, supported by ENISA, with the aim of exchanging best practices and information in relation to the implementation of this Regulation; |
| (p) | taking into account the information on the identified cybersecurity risks and lessons learnt provided by CERT-EU, monitor the adequacy of interconnectivity arrangements among the Union_entities’ ICT environments and advise on possible improvements; |
| (q) | establish a cyber crisis management plan with a view to supporting, at an operational level, the coordinated management of major incidents affecting Union_entities and to contributing to the regular exchange of relevant information, in particular with regard to the impacts and severity of, and the possible ways of mitigating the effects of, major incidents; |
| (r) | coordinate the adoption of individual Union_entities’ cyber crisis management plans referred to in Article 9(2); |
| (s) | adopt recommendations relating to supply chain security referred to in Article 8(2), first subparagraph, point (m), taking into account the results of Union level coordinated security risk assessments of critical supply chains referred to in Article 22 of Directive (EU) 2022/2555 to support Union_entities in adopting effective and proportionate cybersecurity risk-management measures. |
Article 13
CERT-EU mission and tasks
1. CERT-EU’s mission shall be to contribute to the security of the unclassified ICT environment of Union_entities by advising them on cybersecurity, by helping them to prevent, detect, handle, mitigate, respond to and recover from incidents and by acting as their cybersecurity information exchange and incident response coordination hub.
2. CERT-EU shall collect, manage, analyse and share information with the Union_entities on cyber_threats, vulnerabilities and incidents in unclassified ICT infrastructure. It shall coordinate responses to incidents at interinstitutional and Union entity level, including by providing or coordinating the provision of specialised operational assistance.
3. CERT-EU shall carry out the following tasks to assist the Union_entities:
| (a) | support them with the implementation of this Regulation and contribute to the coordination of the implementation of this Regulation through the measures listed in Article 14(1) or through ad-hoc reports requested by the IICB; |
| (b) | offer standard CSIRT services for Union_entities by means of a package of cybersecurity services described in its service catalogue (baseline services); |
| (c) | maintain a network of peers and partners to support the services as outlined in Articles 17 and 18; |
| (d) | bring to the attention of the IICB any problems relating to the implementation of this Regulation and the implementation of guidelines, recommendations and calls for action; |
| (e) | on the basis of the information referred to in paragraph 2, contribute to the Union cyber situational awareness in close cooperation with ENISA; |
| (f) | coordinate the management of major incidents; |
| (g) | act on the part of Union_entities as the equivalent of the coordinator designated for the purposes of coordinated vulnerability disclosure pursuant to Article 12(1) of Directive (EU) 2022/2555; |
| (h) | provide, upon the request of a Union entity, proactive non-intrusive scanning of publicly accessible network_and_information_systems of that Union entity. |
The information referred to in the first subparagraph, point (e), shall be shared with the IICB, the CSIRTs network and the European Union Intelligence and Situation Centre (EU INTCEN), where applicable and appropriate, and subject to appropriate confidentiality conditions.
4. CERT-EU may, in accordance with Article 17 or 18 as appropriate, cooperate with relevant cybersecurity communities within the Union and its Member States, including in the following areas:
| (a) | preparedness, incident coordination, information exchange and crisis response at the technical level on cases linked to Union_entities; |
| (b) | operational cooperation regarding the CSIRTs network, including with regard to mutual assistance; |
| (c) | cyber_threat intelligence, including situational awareness; |
| (d) | on any topic requiring CERT-EU’s technical cybersecurity expertise. |
5. Within its competence, CERT-EU shall engage in structured cooperation with ENISA on capacity building, operational cooperation and long-term strategic analyses of cyber_threats in accordance with Regulation (EU) 2019/881. CERT-EU may cooperate and exchange information with Europol’s European Cybercrime Centre.
6. CERT-EU may provide the following services not described in its service catalogue (chargeable services):
| (a) | services that support the cybersecurity of Union_entities’ ICT environment, other than those referred to in paragraph 3, on the basis of service level agreements and subject to available resources, in particular broad-spectrum network monitoring, including first-line 24/7 monitoring for high-severity cyber_threats; |
| (b) | services that support cybersecurity operations or projects of Union_entities, other than those to protect their ICT environment, on the basis of written agreements and with the prior approval of the IICB; |
| (c) | upon request, a proactive scanning of the network_and_information_systems of the Union entity concerned to detect vulnerabilities with a potential significant impact; |
| (d) | services that support the security of their ICT environment to organisations other than the Union_entities that cooperate closely with Union_entities, for instance by having tasks or responsibilities conferred under Union law, on the basis of written agreements and with the prior approval of the IICB. |
With regard to the first subparagraph, point (d), CERT-EU may, on an exceptional basis, enter into service level agreements with entities other than the Union_entities with the prior approval of the IICB.
7. CERT-EU shall organise and may participate in cybersecurity exercises or recommend participation in existing exercises, where applicable in close cooperation with ENISA, to test the level of cybersecurity of the Union_entities.
8. CERT-EU may provide assistance to Union_entities regarding incidents in network_and_information_systems handling EUCI where it is explicitly requested to do so by the Union_entities concerned in accordance with their respective procedures. The provision of assistance by CERT-EU under this paragraph shall be without prejudice to applicable rules concerning the protection of classified information.
9. CERT-EU shall inform Union_entities about its incident handling procedures and processes.
10. CERT-EU shall contribute, with a high level of confidentiality and reliability, via the appropriate cooperation mechanisms and reporting lines, relevant and anonymised information about major incidents and the manner in which they were handled. That information shall be included in the report referred to in Article 10(14).
11. CERT-EU shall, in cooperation with the EDPS, support the Union_entities concerned when addressing incidents resulting in personal data breaches, without prejudice to the competence and tasks of the EDPS as a supervisory authority under Regulation (EU) 2018/1725.
12. CERT-EU may, if expressly requested by Union_entities’ policy departments, provide technical advice or input on relevant policy matters.
Article 17
Cooperation of CERT-EU with Member State counterparts
1. CERT-EU shall, without undue delay, cooperate and exchange information with Member State counterparts, in particular the CSIRTs designated or established pursuant to Article 10 of Directive (EU) 2022/2555, or, where applicable, the competent authorities and single points of contact designated or established pursuant to Article 8 of that Directive, with regard to incidents, cyber_threats, vulnerabilities, near_misses, possible countermeasures as well as best practices and on all matters relevant for improving the protection of the ICT environments of Union_entities, including by means of the CSIRTs network established pursuant to Article 15 of Directive (EU) 2022/2555. CERT-EU shall support the Commission in EU-CyCLONe established pursuant to Article 16 of Directive (EU) 2022/2555 on the coordinated management of large-scale cybersecurity incidents and crises.
2. Where CERT-EU becomes aware of a significant incident occurring within the territory of a Member State, it shall, without delay, notify any relevant counterpart in that Member State, in accordance with paragraph 1.
3. Provided that personal data are protected in accordance with applicable Union data protection law, CERT-EU shall, without undue delay, exchange relevant incident-specific information with Member State counterparts to facilitate detection of similar cyber_threats or incidents, or to contribute to the analysis of an incident, without the authorisation of the Union entity affected. CERT-EU shall exchange incident-specific information which reveals the identity of the target of the incident only in the event of one of the following:
| (a) | the Union entity affected consents; |
| (b) | the Union entity affected does not consent as provided for in point (a) but the disclosure of the identity of the Union entity affected would increase the probability that incidents elsewhere would be avoided or mitigated; |
| (c) | the Union entity affected has already made public that it was affected. |
Decisions to exchange incident-specific information which reveals the identity of the target of the incident pursuant to the first subparagraph, point (b), shall be endorsed by the Head of CERT-EU. Prior to issuing such a decision, CERT-EU shall contact the Union entity affected in writing, explaining clearly how the disclosure of its identity would help to avoid or mitigate incidents elsewhere. The Head of CERT-EU shall provide the explanation and explicitly request the Union entity to state whether it consents within a set timeframe. The Head of CERT-EU shall also inform the Union entity that, in light of the explanation provided, he or she reserves the right to disclose the information even in the absence of consent. The Union entity affected shall be informed before the information is disclosed.
Article 18
Cooperation of CERT-EU with other counterparts
1. CERT-EU may cooperate with counterparts in the Union other than those referred to in Article 17 which are subject to Union cybersecurity requirements, including industry sector-specific counterparts, on tools and methods, such as techniques, tactics, procedures and best practices, and on cyber_threats and vulnerabilities. For all cooperation with such counterparts, CERT-EU shall seek prior approval from the IICB on a case-by-case basis. Where CERT-EU establishes cooperation with such counterparts, it shall inform any relevant Member State counterparts referred to in Article 17(1), in the Member State in which the counterpart is located. Where applicable and appropriate, such cooperation and the conditions thereof, including regarding cybersecurity, data protection and information handling, shall be established in specific confidentiality arrangements such as contracts or administrative arrangements. The confidentiality arrangements shall not require prior approval by the IICB, but the Chair of the IICB shall be informed. In the case of an urgent and imminent need to exchange cybersecurity information in the interests of Union_entities or another party, CERT-EU may do so with an entity whose specific competence, capacity and expertise are justifiably required to assist with such an urgent and imminent need, even if CERT-EU does not have a confidentiality arrangement in place with that entity. In such cases, CERT-EU shall immediately inform the Chair of the IICB, and shall report to the IICB by means of regular reports or meetings.
2. CERT-EU may cooperate with partners, such as commercial entities, including industry sector-specific entities, international organisations, non-Union national entities or individual experts, to gather information on general and specific cyber_threats, near_misses, vulnerabilities and possible countermeasures. For wider cooperation with such partners, CERT-EU shall seek prior approval from the IICB on a case-by-case basis.
3. CERT-EU may, with the consent of the Union entity affected by an incident and provided that a non-disclosure arrangement or contract is in place with the relevant counterpart or partner, provide information related to the specific incident to counterparts or partners referred to in paragraphs 1 and 2 solely for the purpose of contributing to its analysis.
CHAPTER V
COOPERATION AND REPORTING OBLIGATIONS
Article 20
Cybersecurity information-sharing arrangements
1. Union_entities may, on a voluntary basis, notify CERT-EU of, and provide it with information on, incidents, cyber_threats, near_misses and vulnerabilities that affect them. CERT-EU shall ensure that efficient means of communication, with a high level of traceability, confidentiality and reliability, are available for the purpose of facilitating information sharing with the Union_entities. When processing notifications, CERT-EU may prioritise the processing of mandatory notifications over voluntary notifications. Without prejudice to Article 12, voluntary notification shall not result in the imposition of any additional obligations upon the reporting Union entity to which it would not have been subject had it not submitted the notification.
2. To perform its mission and tasks conferred pursuant to Article 13, CERT-EU may request Union_entities to provide it with information from their respective ICT system inventories, including information relating to cyber_threats, near_misses, vulnerabilities, indicators of compromise, cybersecurity alerts and recommendations regarding configuration of cybersecurity tools to detect incidents. The requested Union entity shall transmit the requested information, and any subsequent updates thereto, without undue delay.
3. CERT-EU may exchange incident-specific information with Union_entities which reveals the identity of the Union entity affected by the incident, provided that the Union entity affected consents. Where a Union entity withholds its consent, it shall provide CERT-EU with reasons substantiating that decision.
4. Union_entities shall, upon request, share information with the European Parliament and the Council on the completion of cybersecurity plans.
5. The IICB or CERT-EU, as applicable, shall, upon request, share guidelines, recommendations and calls for action with the European Parliament and the Council.
6. The sharing obligations laid down in this Article shall not extend to:
| (a) | EUCI; |
| (b) | information the further distribution of which has been excluded by means of a visible marking, unless the sharing thereof with CERT-EU has been explicitly allowed. |
Article 22
Incident response coordination and cooperation
1. In acting as a cybersecurity information exchange and incident response coordination hub, CERT-EU shall facilitate information exchange with regards to incidents, cyber_threats, vulnerabilities and near_misses among:
| (a) | Union_entities; |
| (b) | the counterparts referred to in Articles 17 and 18. |
2. CERT-EU, where relevant in close cooperation with ENISA, shall facilitate coordination among Union_entities on incident response, including:
| (a) | contribution to consistent external communication; |
| (b) | mutual support, such as sharing information relevant to Union_entities, or providing assistance, where relevant directly on site; |
| (c) | optimal use of operational resources; |
| (d) | coordination with other crisis response mechanisms at Union level. |
3. CERT-EU, in close cooperation with ENISA, shall support Union_entities regarding situational awareness of incidents, cyber_threats, vulnerabilities and near_misses as well as sharing relevant developments in the field of cybersecurity.
4. By 8 January 2025, the IICB shall, on the basis of a proposal by CERT-EU, adopt guidelines or recommendations on incident response coordination and cooperation for significant incidents. Where the criminal nature of an incident is suspected, CERT-EU shall advise on how to report the incident to law enforcement authorities, without undue delay.
5. Following a specific request from a Member State and with the approval of the Union_entities concerned, CERT-EU may call on experts from the list referred to in Article 23(4), for contributing to the response to a major incident which has an impact in that Member State, or a large-scale cybersecurity incident in accordance with Article 15(3), point (g), of Directive (EU) 2022/2555. Specific rules on access to and the use of technical experts from Union_entities shall be approved by the IICB on the basis of a proposal by CERT-EU.
Article 23
Management of major incidents
1. In order to support at operational level the coordinated management of major incidents affecting Union_entities and to contribute to the regular exchange of relevant information among Union_entities and with Member States, the IICB shall, pursuant to Article 11, point (q), establish a cyber crisis management plan based on the activities referred to in Article 22(2), in close cooperation with CERT-EU and ENISA. The cyber crisis management plan shall include at least the following elements:
| (a) | arrangements concerning coordination and information flow among Union_entities for the management of major incidents at operational level; |
| (b) | common standard operating procedures (SOPs); |
| (c) | a common taxonomy of major incident severity and crisis triggering points; |
| (d) | regular exercises; |
| (e) | secure communication channels that are to be used. |
2. The Commission representative in the IICB shall, subject to the cyber crisis management plan established pursuant to paragraph 1 of this Article and without prejudice to Article 16(2), first subparagraph, of Directive (EU) 2022/2555, be the point of contact for the sharing of relevant information in relation to major incidents with EU-CyCLONe.
3. CERT-EU shall coordinate among the Union_entities the management of major incidents. It shall maintain an inventory of the available technical expertise that would be needed for incident response in the event of major incidents and assist the IICB in coordinating Union_entities’ cyber crisis management plans for major incidents referred to in Article 9(2).
4. The Union_entities shall contribute to the inventory of technical expertise by providing an annually updated list of experts available within their respective organisations detailing their specific technical skills.
CHAPTER VI
FINAL PROVISIONS
whereas