keyboard_tab Cyber Resilience Act 2023/2841 EN
BG CS DA DE EL EN ES ET FI FR GA HR HU IT LV LT MT NL PL PT RO SK SL SV print pdf
- 6 Art. 6 Cybersecurity risk-management, governance and control framework
- 1 Art. 7 Cybersecurity maturity assessments
- 1 Art. 11 Tasks of the IICB
- 2 Art. 15 Head of CERT-EU
CHAPTER I
GENERAL PROVISIONS
CHAPTER II
MEASURES FOR A HIGH COMMON LEVEL OF CYBERSECURITY
CHAPTER III
INTERINSTITUTIONAL CYBERSECURITY BOARD
CHAPTER IV
CERT-EU
CHAPTER V
COOPERATION AND REPORTING OBLIGATIONS
CHAPTER VI
FINAL PROVISIONS
- Union entities
- network and information system
- security of network and information systems
- cybersecurity
- highest level of management
- near miss
- incident
- major incident
- large-scale cybersecurity incident
- incident handling
- cyber threat
- significant cyber threat
- vulnerability
- cybersecurity risk
- cloud computing service
- cert-eu 37
- shall 35
- cybersecurity 34
- union 23
- entity 19
- article 18
- head 17
- basis 14
- implementation 13
- regulation 13
- level 12
- framework 12
- service 11
- the 11
- union_entities 11
- iicb 10
- including 9
- each 8
- approve 8
- local 8
- proposal 7
- from 7
- officer 7
- into 6
- within 6
- annual 6
- maturity 6
- establish 6
- management 6
- account 6
- financial 6
- reports 6
- report 5
- appropriate 5
- proposed 5
- assessments 5
- regular 5
- catalogue 5
- staff 5
- tasks 5
- agreements 5
- highest_level_of_management 5
- concerned 5
- such 5
- view 4
- cert-eu’s 4
- environment 4
- board 4
- established 4
- pursuant 4
Article 6
Cybersecurity risk-management, governance and control framework
1. By 8 April 2025, each Union entity shall, after carrying out an initial cybersecurity review, such as an audit, establish an internal cybersecurity risk-management, governance and control framework (the ‘Framework’). The establishment of the Framework shall be overseen by and under the responsibility of the Union entity’s highest_level_of_management.
2. The Framework shall cover the entirety of the unclassified ICT environment of the Union entity concerned, including any on-premises ICT environment, operational technology network, outsourced assets and services in cloud computing environments or hosted by third parties, mobile devices, corporate networks, business networks not connected to the internet and any devices connected to those environments (ICT environment). The Framework shall be based on an all-hazards approach.
3. The Framework shall ensure a high level of cybersecurity. The Framework shall establish internal cybersecurity policies, including objectives and priorities, for the security of network_and_information_systems, and the roles and responsibilities of the Union entity’s staff tasked with ensuring the effective implementation of this Regulation. The Framework shall also include mechanisms to measure the effectiveness of the implementation.
4. The Framework shall be reviewed on a regular basis, in light of the changing cybersecurity risks, and at least every four years. Where appropriate and following a request from the Interinstitutional Cybersecurity Board established pursuant to Article 10, a Union entity’s Framework may be updated on the basis of guidance from CERT-EU on incidents identified or possible gaps observed in the implementation of this Regulation.
5. The highest_level_of_management of each Union entity shall be responsible for the implementation of this Regulation and shall oversee the compliance of its organisation with the obligations related to the Framework.
6. Where appropriate and without prejudice to its responsibility for the implementation of this Regulation, the highest_level_of_management of each Union entity may delegate specific obligations under this Regulation to senior officials within the meaning of Article 29(2) of the Staff Regulations or other officials at equivalent level, within the Union entity concerned. Regardless of any such delegation, the highest_level_of_management may be held liable for infringements of this Regulation by the Union entity concerned.
7. Each Union entity shall have effective mechanisms in place to ensure that an adequate percentage of the ICT budget is spent on cybersecurity. Due account shall be taken of the Framework when establishing that percentage.
8. Each Union entity shall appoint a local cybersecurity officer or an equivalent function who shall act as its single point of contact regarding all aspects of cybersecurity. The local cybersecurity officer shall facilitate the implementation of this Regulation and report directly to the highest_level_of_management on a regular basis on the state of the implementation. Without prejudice to the local cybersecurity officer being the single point of contact in each Union entity, a Union entity may delegate certain tasks of the local cybersecurity officer with regard to the implementation of this Regulation to CERT-EU on the basis of a service level agreement concluded between that Union entity and CERT-EU, or those tasks may be shared by several Union_entities. Where those tasks are delegated to CERT-EU, the Interinstitutional Cybersecurity Board established pursuant to Article 10 shall decide whether the provision of that service is to be part of the baseline services of CERT-EU, taking into account the human and financial resources of the Union entity concerned. Each Union entity shall, without undue delay, notify CERT-EU of the local cybersecurity officer appointed and any subsequent change thereto.
CERT-EU shall establish and keep updated a list of appointed local cybersecurity officers.
9. The senior officials within the meaning of Article 29(2) of the Staff Regulations or other officials at equivalent level of each Union entity, as well as all relevant members of staff tasked with implementing the cybersecurity risk-management measures and with fulfilling obligations laid down in this Regulation, shall follow specific training on a regular basis with a view to gaining sufficient knowledge and skills in order to apprehend and assess cybersecurity risk- and management practices and their impact on the operations of the Union entity.
Article 7
Cybersecurity maturity assessments
1. By 8 July 2025 and at least every two years thereafter, each Union entity shall carry out a cybersecurity maturity assessment incorporating all the elements of its ICT environment.
2. The cybersecurity maturity assessments shall, where appropriate, be carried out with the assistance of a specialised third party.
3. Union_entities with similar structures may cooperate in carrying out cybersecurity maturity assessments for their respective entities.
4. On the basis of a request of the Interinstitutional Cybersecurity Board established pursuant to Article 10 and with the explicit consent of the Union entity concerned, the results of a cybersecurity maturity assessment may be discussed within that Board or within the informal group of local cybersecurity officers with a view to learning from experience and sharing best practices.
Article 11
Tasks of the IICB
When exercising its responsibilities, the IICB shall, in particular:
| (a) | provide guidance to the Head of CERT-EU; |
| (b) | effectively monitor and supervise the implementation of this Regulation and support the Union_entities in strengthening their cybersecurity, including, where appropriate, requesting ad-hoc reports from Union_entities and CERT-EU; |
| (c) | following a strategic discussion, adopt a multiannual strategy on raising the level of cybersecurity in the Union_entities, asses that strategy on a regular basis and in any event every five years and, where necessary, amend that strategy; |
| (d) | establish the methodology and organisational aspects for the conduct of voluntary peer reviews by Union_entities, with a view to learning from shared experiences, strengthening mutual trust, achieving a high common level of cybersecurity, as well as enhancing Union_entities’ cybersecurity capabilities, ensuring that such peer reviews are conducted by cybersecurity experts designated by a Union entity different from the Union entity being reviewed and that the methodology is based on Article 19 of Directive (EU) 2022/2555 and is, where appropriate, adapted to the Union_entities; |
| (e) | approve, on the basis of a proposal by the Head of CERT-EU, CERT-EU’s annual work programme and monitor its implementation; |
| (f) | approve, on the basis of a proposal by the Head of CERT-EU, CERT-EU’s service catalogue and any updates thereof; |
| (g) | approve, on the basis of a proposal by the Head of CERT-EU, the annual financial planning of revenue and expenditure, including staffing, for CERT-EU activities; |
| (h) | approve, on the basis of a proposal by the Head of CERT-EU, the arrangements for service level agreements; |
| (i) | examine and approve the annual report drawn up by the Head of CERT-EU covering the activities of, and management of funds by, CERT-EU; |
| (j) | approve and monitor key performance indicators (KPIs) for CERT-EU established on the basis of a proposal by the Head of CERT-EU; |
| (k) | approve cooperation arrangements, service level agreements or contracts between CERT-EU and other entities pursuant to Article 18; |
| (l) | adopt guidelines and recommendations on the basis of a proposal by CERT-EU in accordance with Article 14 and instruct CERT-EU to issue, withdraw or modify a proposal for guidelines or recommendations, or a call for action; |
| (m) | establish technical advisory groups with specific tasks to assist the IICB’s work, approve their terms of reference and designate their respective Chairs; |
| (n) | receive and assess documents and reports submitted by the Union_entities under this Regulation, such as cybersecurity maturity assessments; |
| (o) | facilitate the establishment of an informal group of local cybersecurity officers of Union_entities, supported by ENISA, with the aim of exchanging best practices and information in relation to the implementation of this Regulation; |
| (p) | taking into account the information on the identified cybersecurity risks and lessons learnt provided by CERT-EU, monitor the adequacy of interconnectivity arrangements among the Union_entities’ ICT environments and advise on possible improvements; |
| (q) | establish a cyber crisis management plan with a view to supporting, at an operational level, the coordinated management of major incidents affecting Union_entities and to contributing to the regular exchange of relevant information, in particular with regard to the impacts and severity of, and the possible ways of mitigating the effects of, major incidents; |
| (r) | coordinate the adoption of individual Union_entities’ cyber crisis management plans referred to in Article 9(2); |
| (s) | adopt recommendations relating to supply chain security referred to in Article 8(2), first subparagraph, point (m), taking into account the results of Union level coordinated security risk assessments of critical supply chains referred to in Article 22 of Directive (EU) 2022/2555 to support Union_entities in adopting effective and proportionate cybersecurity risk-management measures. |
Article 15
Head of CERT-EU
1. The Commission, after obtaining the approval of a majority of two thirds of the members of the IICB, shall appoint the Head of CERT-EU. The IICB shall be consulted at all stages of the appointment procedure, in particular with regard to drafting vacancy notices, examining applications and appointing selection boards in relation to the post. The selection procedure, including the final shortlist of candidates from which the Head of CERT-EU is to be appointed, shall ensure fair representation of each gender, taking into account the applications submitted.
2. The Head of CERT-EU shall be responsible for the proper functioning of CERT-EU and shall act within the remit of his or her role and under the direction of the IICB. The Head of CERT-EU shall report regularly to the Chair of the IICB and shall submit ad-hoc reports to the IICB upon its request.
3. The Head of CERT-EU shall assist the responsible authorising officer by delegation in drafting the annual activity report containing financial and management information, including the results of controls, drawn up in accordance with Article 74(9) of Regulation (EU, Euratom) 2018/1046 of the European Parliament and of the Council (9), and shall report regularly to the authorising officer by delegation on the implementation of measures in respect of which powers have been sub-delegated to the Head of CERT-EU.
4. The Head of CERT-EU shall draw up, on an annual basis, a financial planning of administrative revenue and expenditure for its activities, a proposed annual work programme, a proposed service catalogue for CERT-EU, proposed revisions of the service catalogue, proposed arrangements for service level agreements and proposed KPIs for CERT-EU, to be approved by the IICB in accordance with Article 11. When revising the list of services in CERT-EU’s service catalogue, the Head of CERT-EU shall take into account the resources allocated to CERT-EU.
5. The Head of CERT-EU shall submit reports at least annually to the IICB and the Chair of the IICB on the activities and performance of CERT-EU during the reference period, including on the implementation of the budget, service level agreements and written agreements entered into, cooperation with counterparts and partners, and missions undertaken by staff, including the reports referred to in Article 11. Those reports shall include a work programme for the following period, financial planning of revenue and expenditure, including staffing, planned updates of CERT-EU’s service catalogue and an assessment of the expected impact that such updates may have with regard to financial and human resources.
whereas