Cyber Resilience Act 2023/2841 EN

Article 1

Subject matter

This Regulation lays down measures that aim to achieve a high common level of cybersecurity within Union entities with regard to:

(a)

the establishment by each Union entity of an internal cybersecurity risk-management, governance and control framework pursuant to Article 6;

(b)

cybersecurity risk management, reporting and information sharing;

(c)

the organisation, functioning and operation of the Interinstitutional Cybersecurity Board established pursuant to Article 10, as well as the organisation, functioning and operation of the Cybersecurity Service for the Union institutions, bodies, offices and agencies (CERT-EU);

(d)

the monitoring of the implementation of this Regulation.

Article 3

Definitions

For the purposes of this Regulation, the following definitions apply:

(1)

‘Union entities’ means the Union institutions, bodies, offices and agencies set up by or pursuant to the Treaty on European Union, the Treaty on the Functioning of the European Union (TFEU) or the Treaty establishing the European Atomic Energy Community;

(2)

‘network and information system’ means a network and information system as defined in Article 6, point (1), of Directive (EU) 2022/2555;

(3)

‘security of network and information systems’ means security of network and information systems as defined in Article 6, point (2), of Directive (EU) 2022/2555;

(4)

‘cybersecurity’ means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881;

(5)

‘highest level of management’ means a manager, management body or coordination and oversight body that is responsible for the functioning of a Union entity, at the most senior administrative level, with a mandate to adopt or authorise decisions in line with the high-level governance arrangements of that Union entity, without prejudice to the formal responsibilities of other levels of management for compliance and cybersecurity risk management in their respective areas of responsibility;

(6)

‘near miss’ means a near miss as defined in Article 6, point (5), of Directive (EU) 2022/2555;

(7)

‘incident’ means an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555;

(8)

‘major incident’ means an incident which causes a level of disruption that exceeds a Union entity’s and CERT-EU’s capacity to respond to it or which has a significant impact on at least two Union entities;

(9)

‘large-scale cybersecurity incident’ means a large-scale cybersecurity incident as defined in Article 6, point (7), of Directive (EU) 2022/2555;

(10)

‘incident handling’ means incident handling as defined in Article 6, point (8), of Directive (EU) 2022/2555;

(11)

‘cyber threat’ means a cyber threat as defined in Article 2, point (8), of Regulation (EU) 2019/881;

(12)

‘significant cyber threat’ means a significant cyber threat as defined in Article 6, point (11), of Directive (EU) 2022/2555;

(13)

‘vulnerability’ means a vulnerability as defined in Article 6, point (15), of Directive (EU) 2022/2555;

(14)

‘cybersecurity risk’ means a risk as defined in Article 6, point (9), of Directive (EU) 2022/2555;

(15)

‘cloud computing service’ means a cloud computing service as defined in Article 6, point (30), of Directive (EU) 2022/2555.

Article 4

Processing of personal data

1.   The processing of personal data under this Regulation by CERT-EU, the Interinstitutional Cybersecurity Board established pursuant to Article 10 and Union entities shall be carried out in accordance with Regulation (EU) 2018/1725.

2.   Where they perform tasks or fulfil obligations pursuant to this Regulation, CERT-EU, the Interinstitutional Cybersecurity Board established pursuant to Article 10 and Union entities shall process and exchange personal data only to the extent necessary and for the sole purpose of performing those tasks or fulfilling those obligations.

3.   The processing of special categories of personal data as referred to in Article 10(1) of Regulation (EU) 2018/1725 shall be considered to be necessary for reasons of substantial public interest pursuant to Article 10(2), point (g), of that Regulation. Such data may be processed only to the extent necessary for the implementation of cybersecurity risk-management measures referred to in Articles 6 and 8, for the provision of services by CERT-EU pursuant to Article 13, for the sharing of incident-specific information pursuant to Article 17(3) and Article 18(3), for the sharing of information pursuant to Article 20, for the reporting obligations pursuant to Article 21, for incident response coordination and cooperation pursuant to Article 22 and for the management of major incidents pursuant to Article 23 of this Regulation. The Union entities and CERT-EU, when acting as data controllers, shall apply technical measures to prevent the processing of special categories of personal data for other purposes and shall provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subjects.

CHAPTER II

MEASURES FOR A HIGH COMMON LEVEL OF CYBERSECURITY

Article 6

Cybersecurity risk-management, governance and control framework

1.   By 8 April 2025, each Union entity shall, after carrying out an initial cybersecurity review, such as an audit, establish an internal cybersecurity risk-management, governance and control framework (the ‘Framework’). The establishment of the Framework shall be overseen by and under the responsibility of the Union entity’s highest level of management.

2.   The Framework shall cover the entirety of the unclassified ICT environment of the Union entity concerned, including any on-premises ICT environment, operational technology network, outsourced assets and services in cloud computing environments or hosted by third parties, mobile devices, corporate networks, business networks not connected to the internet and any devices connected to those environments (ICT environment). The Framework shall be based on an all-hazards approach.

3.   The Framework shall ensure a high level of cybersecurity. The Framework shall establish internal cybersecurity policies, including objectives and priorities, for the security of network and information systems, and the roles and responsibilities of the Union entity’s staff tasked with ensuring the effective implementation of this Regulation. The Framework shall also include mechanisms to measure the effectiveness of the implementation.

4.   The Framework shall be reviewed on a regular basis, in light of the changing cybersecurity risks, and at least every four years. Where appropriate and following a request from the Interinstitutional Cybersecurity Board established pursuant to Article 10, a Union entity’s Framework may be updated on the basis of guidance from CERT-EU on incidents identified or possible gaps observed in the implementation of this Regulation.

5.   The highest level of management of each Union entity shall be responsible for the implementation of this Regulation and shall oversee the compliance of its organisation with the obligations related to the Framework.

6.   Where appropriate and without prejudice to its responsibility for the implementation of this Regulation, the highest level of management of each Union entity may delegate specific obligations under this Regulation to senior officials within the meaning of Article 29(2) of the Staff Regulations or other officials at equivalent level, within the Union entity concerned. Regardless of any such delegation, the highest level of management may be held liable for infringements of this Regulation by the Union entity concerned.

7.   Each Union entity shall have effective mechanisms in place to ensure that an adequate percentage of the ICT budget is spent on cybersecurity. Due account shall be taken of the Framework when establishing that percentage.

8.   Each Union entity shall appoint a local cybersecurity officer or an equivalent function who shall act as its single point of contact regarding all aspects of cybersecurity. The local cybersecurity officer shall facilitate the implementation of this Regulation and report directly to the highest level of management on a regular basis on the state of the implementation. Without prejudice to the local cybersecurity officer being the single point of contact in each Union entity, a Union entity may delegate certain tasks of the local cybersecurity officer with regard to the implementation of this Regulation to CERT-EU on the basis of a service level agreement concluded between that Union entity and CERT-EU, or those tasks may be shared by several Union entities. Where those tasks are delegated to CERT-EU, the Interinstitutional Cybersecurity Board established pursuant to Article 10 shall decide whether the provision of that service is to be part of the baseline services of CERT-EU, taking into account the human and financial resources of the Union entity concerned. Each Union entity shall, without undue delay, notify CERT-EU of the local cybersecurity officer appointed and any subsequent change thereto.

CERT-EU shall establish and keep updated a list of appointed local cybersecurity officers.

9.   The senior officials within the meaning of Article 29(2) of the Staff Regulations or other officials at equivalent level of each Union entity, as well as all relevant members of staff tasked with implementing the cybersecurity risk-management measures and with fulfilling obligations laid down in this Regulation, shall follow specific training on a regular basis with a view to gaining sufficient knowledge and skills in order to apprehend and assess cybersecurity risk- and management practices and their impact on the operations of the Union entity.

Article 8

Cybersecurity risk-management measures

1.   Without undue delay and in any event by 8 September 2025, each Union entity shall, under the oversight of its highest level of management, take appropriate and proportionate technical, operational and organisational measures to manage the cybersecurity risks identified under the Framework, and to prevent or minimise the impact of incidents. Taking into account the state of the art and, where applicable, relevant European and international standards, those measures shall ensure a level of security of network and information systems across the entirety of the ICT environment commensurate to the cybersecurity risks posed. When assessing the proportionality of those measures, due account shall be taken of the degree of the Union entity’s exposure to cybersecurity risks, its size and the likelihood of occurrence of incidents and their severity, including their societal, economic and interinstitutional impact.

2.   Union entities shall address at least the following domains in the implementation of the cybersecurity risk-management measures:

(a)

cybersecurity policy, including measures needed to reach objectives and priorities referred to in Article 6 and paragraph 3 of this Article;

(b)

policies on cybersecurity risk analysis and information system security;

(c)

policy objectives regarding the use of cloud computing services;

(d)

cybersecurity audit, where appropriate, which may include a cybersecurity risk, vulnerability and cyber threat assessment, and penetration testing carried out by a trusted private provider on a regular basis;

(e)

implementation of recommendations resulting from cybersecurity audits referred to in point (d) through cybersecurity and policy updates;

(f)

organisation of high_tag_cloud' title='definition'>cybersecurity, including establishment of roles and responsibilities;

(g)

asset management, including ICT asset inventory and ICT network cartography;

(h)

human resources security and access control;

(i)

operations security;

(j)

communications security;

(k)

system acquisition, development and maintenance, including policies on vulnerability handling and disclosure;

(l)

where possible, policies on the transparency of the source code;

(m)

supply chain security, including security-related aspects concerning the relationships between each Union entity and its direct suppliers or service providers;

(n)

incident handling and cooperation with CERT-EU, such as the maintenance of security monitoring and logging;

(o)

business continuity management, such as backup management and disaster recovery, and crisis management; and

(p)

promotion and development of cybersecurity education, skills, awareness-raising, exercise and training programmes.

For the purposes of the first subparagraph, point (m), Union entities shall take into account the vulnerabilities specific to each direct supplier and service provider and the overall quality of products and cybersecurity practices of their suppliers and service providers, including their secure development procedures.

3.   Union entities shall take at least the following specific cybersecurity risk-management measures:

(a)

technical arrangements to enable and sustain teleworking;

(b)

concrete steps for moving towards zero-trust principles;

(c)

the use of multifactor authentication as a norm across network and information systems;

(d)

the use of cryptography and encryption, in particular end-to-end encryption, as well as secure digital signing;

(e)

where appropriate, secured voice, video and text communications, and secured emergency communications systems within the Union entity;

(f)

proactive measures for detection and removal of malware and spyware;

(g)

the establishment of software supply chain security through criteria for secure software development and evaluation;

(h)

the establishment and adoption of training programmes on cybersecurity commensurate to the prescribed tasks and expected capabilities for the highest level of management and members of staff of the Union entity tasked with ensuring the effective implementation of this Regulation;

(i)

regular cybersecurity training of staff members;

(j)

where relevant, participation in interconnectivity risk analyses between the Union entities;

(k)

the enhancement of procurement rules to facilitate a high common level of cybersecurity through:

(i)

the removal of contractual barriers that limit information sharing from ICT service providers about incidents, vulnerabilities and cyber threats with CERT-EU;

(ii)

contractual obligations to report incidents, vulnerabilities and cyber threats as well as to have appropriate incident response and monitoring mechanisms in place.

Article 9

Cybersecurity plans

1.   Following the conclusion of the cybersecurity maturity assessment carried out pursuant to Article 7 and taking into account the assets and cybersecurity risks identified in the Framework as well as the cybersecurity risk-management measures taken pursuant to Article 8, the highest level of management of each Union entity shall approve a cybersecurity plan without undue delay and in any event by 8 January 2026. The cybersecurity plan shall aim at increasing the overall cybersecurity of the Union entity and shall thereby contribute to the enhancement of a high common level of cybersecurity within the Union entities. The cybersecurity plan shall include at least the cybersecurity risk-management measures taken pursuant to Article 8. The cybersecurity plan shall be revised every two years, or more frequently where necessary, following the cybersecurity maturity assessments carried out pursuant to Article 7 or any substantial review of the Framework.

2.   The cybersecurity plan shall include the Union entity’s cyber crisis management plan for major incidents.

3.   The Union entity shall submit the completed cybersecurity plan to the Interinstitutional Cybersecurity Board established pursuant to Article 10.

CHAPTER III

INTERINSTITUTIONAL CYBERSECURITY BOARD

Article 11

Tasks of the IICB

When exercising its responsibilities, the IICB shall, in particular:

(a)

provide guidance to the Head of CERT-EU;

(b)

effectively monitor and supervise the implementation of this Regulation and support the Union entities in strengthening their cybersecurity, including, where appropriate, requesting ad-hoc reports from Union entities and CERT-EU;

(c)

following a strategic discussion, adopt a multiannual strategy on raising the level of cybersecurity in the Union entities, assess that strategy on a regular basis and in any event every five years and, where necessary, amend that strategy;

(d)

establish the methodology and organisational aspects for the conduct of voluntary peer reviews by Union entities, with a view to learning from shared experiences, strengthening mutual trust, achieving a high common level of cybersecurity, as well as enhancing Union entities’ cybersecurity capabilities, ensuring that such peer reviews are conducted by cybersecurity experts designated by a Union entity different from the Union entity being reviewed and that the methodology is based on Article 19 of Directive (EU) 2022/2555 and is, where appropriate, adapted to the Union entities;

(e)

approve, on the basis of a proposal by the Head of CERT-EU, CERT-EU’s annual work programme and monitor its implementation;

(f)

approve, on the basis of a proposal by the Head of CERT-EU, CERT-EU’s service catalogue and any updates thereof;

(g)

approve, on the basis of a proposal by the Head of CERT-EU, the annual financial planning of revenue and expenditure, including staffing, for CERT-EU activities;

(h)

approve, on the basis of a proposal by the Head of CERT-EU, the arrangements for service level agreements;

(i)

examine and approve the annual report drawn up by the Head of CERT-EU covering the activities of, and management of funds by, CERT-EU;

(j)

approve and monitor key performance indicators (KPIs) for CERT-EU established on the basis of a proposal by the Head of CERT-EU;

(k)

approve cooperation arrangements, service level agreements or contracts between CERT-EU and other entities pursuant to Article 18;

(l)

adopt guidelines and recommendations on the basis of a proposal by CERT-EU in accordance with Article 14 and instruct CERT-EU to issue, withdraw or modify a proposal for guidelines or recommendations, or a call for action;

(m)

establish technical advisory groups with specific tasks to assist the IICB’s work, approve their terms of reference and designate their respective Chairs;

(n)

receive and assess documents and reports submitted by the Union entities under this Regulation, such as cybersecurity maturity assessments;

(o)

facilitate the establishment of an informal group of local cybersecurity officers of Union entities, supported by ENISA, with the aim of exchanging best practices and information in relation to the implementation of this Regulation;

(p)

taking into account the information on the identified cybersecurity risks and lessons learnt provided by CERT-EU, monitor the adequacy of interconnectivity arrangements among the Union entities’ ICT environments and advise on possible improvements;

(q)

establish a cyber crisis management plan with a view to supporting, at an operational level, the coordinated management of major incidents affecting Union entities and to contributing to the regular exchange of relevant information, in particular with regard to the impacts and severity of, and the possible ways of mitigating the effects of, major incidents;

(r)

coordinate the adoption of individual Union entities’ cyber crisis management plans referred to in Article 9(2);

(s)

adopt recommendations relating to supply chain security referred to in Article 8(2), first subparagraph, point (m), taking into account the results of Union level coordinated security risk assessments of critical supply chains referred to in Article 22 of Directive (EU) 2022/2555 to support Union entities in adopting effective and proportionate cybersecurity risk-management measures.

Article 12

Compliance

1.   The IICB shall, pursuant to Article 10(2) and Article 11, effectively monitor the implementation of this Regulation and of adopted guidelines, recommendations and calls for action by the Union entities. The IICB may request information or documentation necessary for that purpose from the Union entities. For the purpose of adopting compliance measures under this Article, where the Union entity concerned is directly represented on the IICB, that Union entity shall not have voting rights.

2.   Where the IICB finds that a Union entity has not effectively implemented this Regulation or guidelines, recommendations or calls for action issued pursuant thereto, it may, without prejudice to the internal procedures of the Union entity concerned, and after giving an opportunity to the Union entity concerned to present its observations:

(a)

communicate a reasoned opinion to the Union entity concerned with observed gaps in the implementation of this Regulation;

(b)

provide, after consulting CERT-EU, guidelines to the Union entity concerned to ensure that its Framework, cybersecurity risk-management measures, cybersecurity plan and reporting comply with this Regulation within a specified period;

(c)

issue a warning to address identified shortcomings within a specified period, including recommendations to amend measures adopted by the Union entity concerned pursuant to this Regulation;

(d)

issue a reasoned notification to the Union entity concerned, in the event that shortcomings identified in a warning issued pursuant to point (c) were not sufficiently addressed within the specified period;

(e)

issue:

(i)

a recommendation for an audit to be carried out; or

(ii)

a request that an audit be performed by a third-party audit service;

(f)

if applicable, inform the Court of Auditors, within the remit of its mandate, of the alleged non-compliance;

(g)

issue a recommendation that all Member States and Union entities implement a temporary suspension of data flows to the Union entity concerned.

For the purposes of the first subparagraph, point (c), the audience of a warning shall be restricted appropriately, where necessary in view of the cybersecurity risk.

Warnings and recommendations issued pursuant to the first subparagraph shall be directed to the highest level of management of the Union entity concerned.

3.   Where the IICB has adopted measures under paragraph 2, first subparagraph, points (a) to (g), the Union entity concerned shall provide details of the measures and actions taken to address the alleged shortcomings identified by the IICB. The Union entity shall submit those details within a reasonable period to be agreed with the IICB.

4.   Where the IICB considers that there is persistent infringement of this Regulation by a Union entity resulting directly from actions or omissions of an official or other servant of the Union, including at the highest level of management, the IICB shall request that the Union entity concerned take appropriate action, including requesting it to consider taking action of a disciplinary nature, in accordance with the rules and procedures laid down in the Staff Regulations and any other applicable rules and procedures. To that end, the IICB shall transfer the necessary information to the Union entity concerned.

5.   Where Union entities notify that they are unable to meet the deadlines set out in Article 6(1) and Article 8(1), the IICB may, in duly substantiated cases, taking into account the size of the Union entity, authorise the extension of those deadlines.

CHAPTER IV

CERT-EU

Article 13

CERT-EU mission and tasks

1.   CERT-EU’s mission shall be to contribute to the security of the unclassified ICT environment of Union entities by advising them on cybersecurity, by helping them to prevent, detect, handle, mitigate, respond to and recover from incidents and by acting as their cybersecurity information exchange and incident response coordination hub.

2.   CERT-EU shall collect, manage, analyse and share information with the Union entities on cyber threats, vulnerabilities and incidents in unclassified ICT infrastructure. It shall coordinate responses to incidents at interinstitutional and Union entity level, including by providing or coordinating the provision of specialised operational assistance.

3.   CERT-EU shall carry out the following tasks to assist the Union entities:

(a)

support them with the implementation of this Regulation and contribute to the coordination of the implementation of this Regulation through the measures listed in Article 14(1) or through ad-hoc reports requested by the IICB;

(b)

offer standard CSIRT services for Union entities by means of a package of cybersecurity services described in its service catalogue (baseline services);

(c)

maintain a network of peers and partners to support the services as outlined in Articles 17 and 18;

(d)

bring to the attention of the IICB any problems relating to the implementation of this Regulation and the implementation of guidelines, recommendations and calls for action;

(e)

on the basis of the information referred to in paragraph 2, contribute to the Union cyber situational awareness in close cooperation with ENISA;

(f)

coordinate the management of major incidents;

(g)

act on the part of Union entities as the equivalent of the coordinator designated for the purposes of coordinated vulnerability disclosure pursuant to Article 12(1) of Directive (EU) 2022/2555;

(h)

provide, upon the request of a Union entity, proactive non-intrusive scanning of publicly accessible network and information systems of that Union entity.

The information referred to in the first subparagraph, point (e), shall be shared with the IICB, the CSIRTs network and the European Union Intelligence and Situation Centre (EU INTCEN), where applicable and appropriate, and subject to appropriate confidentiality conditions.

4.   CERT-EU may, in accordance with Article 17 or 18 as appropriate, cooperate with relevant cybersecurity communities within the Union and its Member States, including in the following areas:

(a)

preparedness, incident coordination, information exchange and crisis response at the technical level on cases linked to Union entities;

(b)

operational cooperation regarding the CSIRTs network, including with regard to mutual assistance;

(c)

cyber threat intelligence, including situational awareness;

(d)

on any topic requiring CERT-EU’s technical cybersecurity expertise.

5.   Within its competence, CERT-EU shall engage in structured cooperation with ENISA on capacity building, operational cooperation and long-term strategic analyses of cyber threats in accordance with Regulation (EU) 2019/881. CERT-EU may cooperate and exchange information with Europol’s European Cybercrime Centre.

6.   CERT-EU may provide the following services not described in its service catalogue (chargeable services):

(a) services that support the cybersecurity of Union entities’ ICT environment, other than those referred to in paragraph 3, on the basis of service level agreements and subject to available resources, in particular broad-spectrum network monitoring, including first-line 24/7 monitoring for high-severity cyber threats;

(b) services that support cybersecurity operations or projects of Union entities, other than those to protect their ICT environment, on the basis of written agreements and with the prior approval of the IICB;

(c) upon request, a proactive scanning of the network and information systems of the Union entity concerned to detect vulnerabilities with a potential significant impact;

(d) services that support the security of their ICT environment to organisations other than the Union entities that cooperate closely with Union entities, for instance by having tasks or responsibilities conferred under Union law, on the basis of written agreements and with the prior approval of the IICB.

With regard to the first subparagraph, point (d), CERT-EU may, on an exceptional basis, enter into service level agreements with entities other than the Union entities with the prior approval of the IICB.

7.   CERT-EU shall organise and may participate in cybersecurity exercises or recommend participation in existing exercises, where applicable in close cooperation with ENISA, to test the level of cybersecurity of the Union entities.

8.   CERT-EU may provide assistance to Union entities regarding incidents in network and information systems handling EUCI where it is explicitly requested to do so by the Union entities concerned in accordance with their respective procedures. The provision of assistance by CERT-EU under this paragraph shall be without prejudice to applicable rules concerning the protection of classified information.

9.   CERT-EU shall inform Union entities about its incident handling procedures and processes.

10.   CERT-EU shall contribute, with a high level of confidentiality and reliability, via the appropriate cooperation mechanisms and reporting lines, relevant and anonymised information about major incidents and the manner in which they were handled. That information shall be included in the report referred to in Article 10(14).

11.   CERT-EU shall, in cooperation with the EDPS, support the Union entities concerned when addressing incidents resulting in personal data breaches, without prejudice to the competence and tasks of the EDPS as a supervisory authority under Regulation (EU) 2018/1725.

12.   CERT-EU may, if expressly requested by Union entities’ policy departments, provide technical advice or input on relevant policy matters.

Article 20

Cybersecurity information-sharing arrangements

1.   Union entities may, on a voluntary basis, notify CERT-EU of, and provide it with information on, incidents, cyber threats, near misses and vulnerabilities that affect them. CERT-EU shall ensure that efficient means of communication, with a high level of traceability, confidentiality and reliability, are available for the purpose of facilitating information sharing with the Union entities. When processing notifications, CERT-EU may prioritise the processing of mandatory notifications over voluntary notifications. Without prejudice to Article 12, voluntary notification shall not result in the imposition of any additional obligations upon the reporting Union entity to which it would not have been subject had it not submitted the notification.

2.   To perform its mission and tasks conferred pursuant to Article 13, CERT-EU may request Union entities to provide it with information from their respective ICT system inventories, including information relating to cyber threats, near misses, vulnerabilities, indicators of compromise, cybersecurity alerts and recommendations regarding configuration of cybersecurity tools to detect incidents. The requested Union entity shall transmit the requested information, and any subsequent updates thereto, without undue delay.

3.   CERT-EU may exchange incident-specific information with Union entities which reveals the identity of the Union entity affected by the incident, provided that the Union entity affected consents. Where a Union entity withholds its consent, it shall provide CERT-EU with reasons substantiating that decision.

4.   Union entities shall, upon request, share information with the European Parliament and the Council on the completion of cybersecurity plans.

5.   The IICB or CERT-EU, as applicable, shall, upon request, share guidelines, recommendations and calls for action with the European Parliament and the Council.

6.   The sharing obligations laid down in this Article shall not extend to:

(a) EUCI;

(b) information the further distribution of which has been excluded by means of a visible marking, unless the sharing thereof with CERT-EU has been explicitly allowed.

Article 26

Entry into force

This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.

This Regulation shall be binding in its entirety and directly applicable in all Member States.

Done at Strasbourg, 13 December 2023.

For the European Parliament

The President

R. METSOLA

For the Council

The President

P. NAVARRO RÍOS


(1)  Position of the European Parliament of 21 November 2023 (not yet published in the Official Journal) and decision of the Council of 8 December 2023.

(2)  Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive) (OJ L 333, 27.12.2022, p. 80).

(3)  Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019 on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification and repealing Regulation (EU) No 526/2013 (Cybersecurity Act) (OJ L 151, 7.6.2019, p. 15).

(4)  Arrangement between the European Parliament, the European Council, the Council of the European Union, the European Commission, the Court of Justice of the European Union, the European Central Bank, the European Court of Auditors, the European External Action Service, the European Economic and Social Committee, the European Committee of the Regions and the European Investment Bank on the organisation and operation of a computer emergency response team for the Union’s institutions, bodies and agencies (CERT-EU) (OJ C 12, 13.1.2018, p. 1).

(5)  Regulation (EEC, Euratom, ECSC) No 259/68 of the Council of 29 February 1968 laying down the Staff Regulations of Officials and the Conditions of Employment of Other Servants of the European Communities and instituting special measures temporarily applicable to officials of the Commission (OJ L 56, 4.3.1968, p. 1).

(6)  Commission Recommendation (EU) 2017/1584 of 13 September 2017 on coordinated response to large-scale cybersecurity incidents and crises (OJ L 239, 19.9.2017, p. 36).

(7)  Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39).

(8)   OJ C 258, 5.7.2022, p. 10.

(9)  Regulation (EU, Euratom) 2018/1046 of the European Parliament and of the Council of 18 July 2018 on the financial rules applicable to the general budget of the Union, amending Regulations (EU) No 1296/2013, (EU) No 1301/2013, (EU) No 1303/2013, (EU) No 1304/2013, (EU) No 1309/2013, (EU) No 1316/2013, (EU) No 223/2014, (EU) No 283/2014, and Decision No 541/2014/EU and repealing Regulation (EU, Euratom) No 966/2012 (OJ L 193, 30.7.2018, p. 1).

(10)  Regulation (EC) No 1049/2001 of the European Parliament and of the Council of 30 May 2001 regarding public access to European Parliament, Council and Commission documents (OJ L 145, 31.5.2001, p. 43).


ELI: http://data.europa.eu/eli/reg/2023/2841/oj

ISSN 1977-0677 (electronic edition)
