search


keyboard_tab Cyber Resilience Act 2023/2841 EN

BG CS DA DE EL EN ES ET FI FR GA HR HU IT LV LT MT NL PL PT RO SK SL SV print pdf

2023/2841 EN cercato: 'mechanisms' . Output generated live by software developed by IusOnDemand srl


expand index mechanisms:


whereas mechanisms:


definitions:


cloud tag: and the number of total unique words without stopwords is: 550

 

Article 6

Cybersecurity risk-management, governance and control framework

1.   By 8 April 2025, each Union entity shall, after carrying out an initial cybersecurity review, such as an audit, establish an internal cybersecurity risk-management, governance and control framework (the ‘Framework’). The establishment of the Framework shall be overseen by and under the responsibility of the Union entity’s highest_level_of_management.

2.   The Framework shall cover the entirety of the unclassified ICT environment of the Union entity concerned, including any on-premises ICT environment, operational technology network, outsourced assets and services in cloud computing environments or hosted by third parties, mobile devices, corporate networks, business networks not connected to the internet and any devices connected to those environments (ICT environment). The Framework shall be based on an all-hazards approach.

3.   The Framework shall ensure a high level of cybersecurity. The Framework shall establish internal cybersecurity policies, including objectives and priorities, for the security of network_and_information_systems, and the roles and responsibilities of the Union entity’s staff tasked with ensuring the effective implementation of this Regulation. The Framework shall also include mechanisms to measure the effectiveness of the implementation.

4.   The Framework shall be reviewed on a regular basis, in light of the changing cybersecurity risks, and at least every four years. Where appropriate and following a request from the Interinstitutional Cybersecurity Board established pursuant to Article 10, a Union entity’s Framework may be updated on the basis of guidance from CERT-EU on incidents identified or possible gaps observed in the implementation of this Regulation.

5.   The highest_level_of_management of each Union entity shall be responsible for the implementation of this Regulation and shall oversee the compliance of its organisation with the obligations related to the Framework.

6.   Where appropriate and without prejudice to its responsibility for the implementation of this Regulation, the highest_level_of_management of each Union entity may delegate specific obligations under this Regulation to senior officials within the meaning of Article 29(2) of the Staff Regulations or other officials at equivalent level, within the Union entity concerned. Regardless of any such delegation, the highest_level_of_management may be held liable for infringements of this Regulation by the Union entity concerned.

7.   Each Union entity shall have effective mechanisms in place to ensure that an adequate percentage of the ICT budget is spent on cybersecurity. Due account shall be taken of the Framework when establishing that percentage.

8.   Each Union entity shall appoint a local cybersecurity officer or an equivalent function who shall act as its single point of contact regarding all aspects of cybersecurity. The local cybersecurity officer shall facilitate the implementation of this Regulation and report directly to the highest_level_of_management on a regular basis on the state of the implementation. Without prejudice to the local cybersecurity officer being the single point of contact in each Union entity, a Union entity may delegate certain tasks of the local cybersecurity officer with regard to the implementation of this Regulation to CERT-EU on the basis of a service level agreement concluded between that Union entity and CERT-EU, or those tasks may be shared by several Union_entities. Where those tasks are delegated to CERT-EU, the Interinstitutional Cybersecurity Board established pursuant to Article 10 shall decide whether the provision of that service is to be part of the baseline services of CERT-EU, taking into account the human and financial resources of the Union entity concerned. Each Union entity shall, without undue delay, notify CERT-EU of the local cybersecurity officer appointed and any subsequent change thereto.

CERT-EU shall establish and keep updated a list of appointed local cybersecurity officers.

9.   The senior officials within the meaning of Article 29(2) of the Staff Regulations or other officials at equivalent level of each Union entity, as well as all relevant members of staff tasked with implementing the cybersecurity risk-management measures and with fulfilling obligations laid down in this Regulation, shall follow specific training on a regular basis with a view to gaining sufficient knowledge and skills in order to apprehend and assess cybersecurity risk- and management practices and their impact on the operations of the Union entity.

Article 8

Cybersecurity risk-management measures

1.   Without undue delay and in any event by 8 September 2025, each Union entity shall, under the oversight of its highest_level_of_management, take appropriate and proportionate technical, operational and organisational measures to manage the cybersecurity risks identified under the Framework, and to prevent or minimise the impact of incidents. Taking into account the state of the art and, where applicable, relevant European and international standards, those measures shall ensure a level of security of network_and_information_systems across the entirety of the ICT environment commensurate to the cybersecurity risks posed. When assessing the proportionality of those measures, due account shall be taken of the degree of the Union entity’s exposure to cybersecurity risks, its size and the likelihood of occurrence of incidents and their severity, including their societal, economic and interinstitutional impact.

2.    Union_entities shall address at least the following domains in the implementation of the cybersecurity risk-management measures:

(a)

cybersecurity policy, including measures needed to reach objectives and priorities referred to in Article 6 and paragraph 3 of this Article;

(b)

policies on cybersecurity risk analysis and information system security;

(c)

policy objectives regarding the use of cloud_computing_services;

(d)

cybersecurity audit, where appropriate, which may include a cybersecurity risk, vulnerability and cyber_threat assessment, and penetration testing carried out by a trusted private provider on a regular basis;

(e)

implementation of recommendations resulting from cybersecurity audits referred to in point (d) through cybersecurity and policy updates;

(f)

organisation of cybersecurity, including establishment of roles and responsibilities;

(g)

asset management, including ICT asset inventory and ICT network cartography;

(h)

human resources security and access control;

(i)

operations security;

(j)

communications security;

(k)

system acquisition, development and maintenance, including policies on vulnerability handling and disclosure;

(l)

where possible, policies on the transparency of the source code;

(m)

supply chain security, including security-related aspects concerning the relationships between each Union entity and its direct suppliers or service providers;

(n)

incident handling and cooperation with CERT-EU, such as the maintenance of security monitoring and logging;

(o)

business continuity management, such as backup management and disaster recovery, and crisis management; and

(p)

promotion and development of cybersecurity education, skills, awareness-raising, exercise and training programmes.

For the purposes of the first subparagraph, point (m), Union_entities shall take into account the vulnerabilities specific to each direct supplier and service provider and the overall quality of products and cybersecurity practices of their suppliers and service providers, including their secure development procedures.

3.    Union_entities shall take at least the following specific cybersecurity risk-management measures:

(a)

technical arrangements to enable and sustain teleworking;

(b)

concrete steps for moving towards zero-trust principles;

(c)

the use of multifactor authentication as a norm across network_and_information_systems;

(d)

the use of cryptography and encryption, in particular end-to-end encryption, as well as secure digital signing;

(e)

where appropriate, secured voice, video and text communications, and secured emergency communications systems within the Union entity;

(f)

proactive measures for detection and removal of malware and spyware;

(g)

the establishment of software supply chain security through criteria for secure software development and evaluation;

(h)

the establishment and adoption of training programmes on cybersecurity commensurate to the prescribed tasks and expected capabilities for the highest_level_of_management and members of staff of the Union entity tasked with ensuring the effective implementation of this Regulation;

(i)

regular cybersecurity training of staff members;

(j)

where relevant, participation in interconnectivity risk analyses between the Union_entities;

(k)

the enhancement of procurement rules to facilitate a high common level of cybersecurity through:

(i)

the removal of contractual barriers that limit information sharing from ICT service providers about incidents, vulnerabilities and cyber_threats with CERT-EU;

(ii)

contractual obligations to report incidents, vulnerabilities and cyber_threats as well as to have appropriate incident response and monitoring mechanisms in place.

Article 13

CERT-EU mission and tasks

1.   CERT-EU’s mission shall be to contribute to the security of the unclassified ICT environment of Union_entities by advising them on cybersecurity, by helping them to prevent, detect, handle, mitigate, respond to and recover from incidents and by acting as their cybersecurity information exchange and incident response coordination hub.

2.   CERT-EU shall collect, manage, analyse and share information with the Union_entities on cyber_threats, vulnerabilities and incidents in unclassified ICT infrastructure. It shall coordinate responses to incidents at interinstitutional and Union entity level, including by providing or coordinating the provision of specialised operational assistance.

3.   CERT-EU shall carry out the following tasks to assist the Union_entities:

(a)

support them with the implementation of this Regulation and contribute to the coordination of the implementation of this Regulation through the measures listed in Article 14(1) or through ad-hoc reports requested by the IICB;

(b)

offer standard CSIRT services for Union_entities by means of a package of cybersecurity services described in its service catalogue (baseline services);

(c)

maintain a network of peers and partners to support the services as outlined in Articles 17 and 18;

(d)

bring to the attention of the IICB any problems relating to the implementation of this Regulation and the implementation of guidelines, recommendations and calls for action;

(e)

on the basis of the information referred to in paragraph 2, contribute to the Union cyber situational awareness in close cooperation with ENISA;

(f)

coordinate the management of major incidents;

(g)

act on the part of Union_entities as the equivalent of the coordinator designated for the purposes of coordinated vulnerability disclosure pursuant to Article 12(1) of Directive (EU) 2022/2555;

(h)

provide, upon the request of a Union entity, proactive non-intrusive scanning of publicly accessible network_and_information_systems of that Union entity.

The information referred to in the first subparagraph, point (e), shall be shared with the IICB, the CSIRTs network and the European Union Intelligence and Situation Centre (EU INTCEN), where applicable and appropriate, and subject to appropriate confidentiality conditions.

4.   CERT-EU may, in accordance with Article 17 or 18 as appropriate, cooperate with relevant cybersecurity communities within the Union and its Member States, including in the following areas:

(a)

preparedness, incident coordination, information exchange and crisis response at the technical level on cases linked to Union_entities;

(b)

operational cooperation regarding the CSIRTs network, including with regard to mutual assistance;

(c)

cyber_threat intelligence, including situational awareness;

(d)

on any topic requiring CERT-EU’s technical cybersecurity expertise.

5.   Within its competence, CERT-EU shall engage in structured cooperation with ENISA on capacity building, operational cooperation and long-term strategic analyses of cyber_threats in accordance with Regulation (EU) 2019/881. CERT-EU may cooperate and exchange information with Europol’s European Cybercrime Centre.

6.   CERT-EU may provide the following services not described in its service catalogue (chargeable services):

(a)

services that support the cybersecurity of Union_entities’ ICT environment, other than those referred to in paragraph 3, on the basis of service level agreements and subject to available resources, in particular broad-spectrum network monitoring, including first-line 24/7 monitoring for high-severity cyber_threats;

(b)

services that support cybersecurity operations or projects of Union_entities, other than those to protect their ICT environment, on the basis of written agreements and with the prior approval of the IICB;

(c)

upon request, a proactive scanning of the network_and_information_systems of the Union entity concerned to detect vulnerabilities with a potential significant impact;

(d)

services that support the security of their ICT environment to organisations other than the Union_entities that cooperate closely with Union_entities, for instance by having tasks or responsibilities conferred under Union law, on the basis of written agreements and with the prior approval of the IICB.

With regard to the first subparagraph, point (d), CERT-EU may, on an exceptional basis, enter into service level agreements with entities other than the Union_entities with the prior approval of the IICB.

7.   CERT-EU shall organise and may participate in cybersecurity exercises or recommend participation in existing exercises, where applicable in close cooperation with ENISA, to test the level of cybersecurity of the Union_entities.

8.   CERT-EU may provide assistance to Union_entities regarding incidents in network_and_information_systems handling EUCI where it is explicitly requested to do so by the Union_entities concerned in accordance with their respective procedures. The provision of assistance by CERT-EU under this paragraph shall be without prejudice to applicable rules concerning the protection of classified information.

9.   CERT-EU shall inform Union_entities about its incident handling procedures and processes.

10.   CERT-EU shall contribute, with a high level of confidentiality and reliability, via the appropriate cooperation mechanisms and reporting lines, relevant and anonymised information about major incidents and the manner in which they were handled. That information shall be included in the report referred to in Article 10(14).

11.   CERT-EU shall, in cooperation with the EDPS, support the Union_entities concerned when addressing incidents resulting in personal data breaches, without prejudice to the competence and tasks of the EDPS as a supervisory authority under Regulation (EU) 2018/1725.

12.   CERT-EU may, if expressly requested by Union_entities’ policy departments, provide technical advice or input on relevant policy matters.

Article 22

Incident response coordination and cooperation

1.   In acting as a cybersecurity information exchange and incident response coordination hub, CERT-EU shall facilitate information exchange with regards to incidents, cyber_threats, vulnerabilities and near_misses among:

(a)

Union_entities;

(b)

the counterparts referred to in Articles 17 and 18.

2.   CERT-EU, where relevant in close cooperation with ENISA, shall facilitate coordination among Union_entities on incident response, including:

(a)

contribution to consistent external communication;

(b)

mutual support, such as sharing information relevant to Union_entities, or providing assistance, where relevant directly on site;

(c)

optimal use of operational resources;

(d)

coordination with other crisis response mechanisms at Union level.

3.   CERT-EU, in close cooperation with ENISA, shall support Union_entities regarding situational awareness of incidents, cyber_threats, vulnerabilities and near_misses as well as sharing relevant developments in the field of cybersecurity.

4.   By 8 January 2025, the IICB shall, on the basis of a proposal by CERT-EU, adopt guidelines or recommendations on incident response coordination and cooperation for significant incidents. Where the criminal nature of an incident is suspected, CERT-EU shall advise on how to report the incident to law enforcement authorities, without undue delay.

5.   Following a specific request from a Member State and with the approval of the Union_entities concerned, CERT-EU may call on experts from the list referred to in Article 23(4), for contributing to the response to a major incident which has an impact in that Member State, or a large-scale cybersecurity incident in accordance with Article 15(3), point (g), of Directive (EU) 2022/2555. Specific rules on access to and the use of technical experts from Union_entities shall be approved by the IICB on the basis of a proposal by CERT-EU.


whereas









keyboard_arrow_down