keyboard_tab Cyber Resilience Act 2023/2841 EN
BG CS DA DE EL EN ES ET FI FR GA HR HU IT LV LT MT NL PL PT RO SK SL SV print pdf
- 1 Art. 10 Interinstitutional Cybersecurity Board
- 4 Art. 12 Compliance
- 2 Art. 15 Head of CERT-EU
CHAPTER I
GENERAL PROVISIONS
CHAPTER II
MEASURES FOR A HIGH COMMON LEVEL OF CYBERSECURITY
CHAPTER III
INTERINSTITUTIONAL CYBERSECURITY BOARD
CHAPTER IV
CERT-EU
CHAPTER V
COOPERATION AND REPORTING OBLIGATIONS
CHAPTER VI
FINAL PROVISIONS
- Union entities
- network and information system
- security of network and information systems
- cybersecurity
- highest level of management
- near miss
- incident
- major incident
- large-scale cybersecurity incident
- incident handling
- cyber threat
- significant cyber threat
- vulnerability
- cybersecurity risk
- cloud computing service
- iicb 40
- shall 39
- union 23
- cert-eu 22
- entity 17
- the 16
- european 14
- concerned 12
- article 11
- head 11
- regulation 10
- chair 10
- procedure 9
- including 9
- service 8
- union_entities 8
- within 7
- member 7
- period 7
- rules 7
- implementation 7
- cybersecurity 7
- pursuant 7
- accordance 6
- request 6
- report 6
- measures 6
- internal 5
- proposed 5
- members 5
- representatives 5
- have 5
- committee 5
- action 5
- recommendations 4
- annual 4
- adopted 4
- where 4
- vote 4
- reports 4
- submit 4
- catalogue 4
- which 4
- under 4
- into 4
- euan 4
- financial 4
- from 4
- issued 3
- cooperation 3
Article 10
Interinstitutional Cybersecurity Board
1. An Interinstitutional Cybersecurity Board (IICB) is hereby established.
2. The IICB shall be responsible for:
| (a) | monitoring and supporting the implementation of this Regulation by the Union_entities; |
| (b) | supervising the implementation of general priorities and objectives by CERT-EU and providing strategic direction to CERT-EU. |
3. The IICB shall consist of:
| (a) | one representative designated by each of the following:
|
| (b) | three representatives designated by the EU Agencies Network (EUAN) on the basis of a proposal by its ICT Advisory Committee to represent the interests of the bodies, offices and agencies of the Union that run their own ICT environment, other than those referred to in point (a). |
The Union_entities represented on the IICB shall aim to achieve gender balance among the designated representatives.
4. Members of the IICB may be assisted by an alternate. Other representatives of the Union_entities referred to in paragraph 3 or of other Union_entities may be invited by the Chair to attend IICB meetings without voting power.
5. The Head of CERT-EU and the Chairs of the Cooperation Group, the CSIRTs network and EU-CyCLONe established, respectively, pursuant to Articles 14, 15 and 16 of Directive (EU) 2022/2555, or their alternates, may participate in IICB meetings as observers. In exceptional cases, the IICB may, in accordance with its internal rules of procedure, decide otherwise.
6. The IICB shall adopt its internal rules of procedure.
7. The IICB shall designate a Chair in accordance with its internal rules of procedure, from among its members for a period of three years. The Chair’s alternate shall become a full member of the IICB for the same duration.
8. The IICB shall meet at least three times a year at the initiative of its Chair, at the request of CERT-EU or at the request of any of its members.
9. Each member of the IICB shall have one vote. The IICB’s decisions shall be taken by simple majority except where otherwise provided for in this Regulation. The Chair of the IICB shall not have a vote except in the event of a tied vote, in which case the Chair may cast a deciding vote.
10. The IICB may act by means of a simplified written procedure initiated in accordance with its internal rules of procedure. Under that procedure, the relevant decision shall be deemed to be approved within the timeframe set by the Chair, except where a member objects.
11. The secretariat of the IICB shall be provided by the Commission and shall be accountable to the Chair of the IICB.
12. The representatives nominated by the EUAN shall relay the IICB’s decisions to the members of the EUAN. Any member of the EUAN shall be entitled to raise with those representatives or the Chair of the IICB any matter which it considers should be brought to the IICB’s attention.
13. The IICB may establish an executive committee to assist it in its work, and delegate some of its tasks and powers to it. The IICB shall lay down the rules of procedure of the executive committee, including its tasks and powers, and the terms of office of its members.
14. By 8 January 2025 and on an annual basis thereafter, the IICB shall submit a report to the European Parliament and to the Council detailing progress made with the implementation of this Regulation and specifying in particular the extent of cooperation of CERT-EU with Member State counterparts in each of the Member States. The report shall constitute an input to the biennial report on the state of cybersecurity in the Union adopted pursuant to Article 18 of Directive (EU) 2022/2555.
Article 12
Compliance
1. The IICB shall, pursuant to Article 10(2) and Article 11, effectively monitor the implementation of this Regulation and of adopted guidelines, recommendations and calls for action by the Union_entities. The IICB may request information or documentation necessary for that purpose from the Union_entities. For the purpose of adopting compliance measures under this Article, where the Union entity concerned is directly represented on the IICB, that Union entity shall not have voting rights.
2. Where the IICB finds that a Union entity has not effectively implemented this Regulation or guidelines, recommendations or calls for action issued pursuant thereto, it may, without prejudice to the internal procedures of the Union entity concerned, and after giving an opportunity to the Union entity concerned to present its observations:
| (a) | communicate a reasoned opinion to the Union entity concerned with observed gaps in the implementation of this Regulation; |
| (b) | provide, after consulting CERT-EU, guidelines to the Union entity concerned to ensure that its Framework, cybersecurity risk-management measures, cybersecurity plan and reporting comply with this Regulation within a specified period; |
| (c) | issue a warning to address identified shortcomings within a specified period, including recommendations to amend measures adopted by the Union entity concerned pursuant to this Regulation; |
| (d) | issue a reasoned notification to the Union entity concerned, in the event that shortcomings identified in a warning issued pursuant to point (c) were not sufficiently addressed within the specified period; |
| (e) | issue:
|
| (f) | if applicable, inform the Court of Auditors, within the remit of its mandate, of the alleged non-compliance; |
| (g) | issue a recommendation that all Member States and Union_entities implement a temporary suspension of data flows to the Union entity concerned. |
For the purposes of the first subparagraph, point (c), the audience of a warning shall be restricted appropriately, where necessary in view of the cybersecurity risk.
Warnings and recommendations issued pursuant to the first subparagraph shall be directed to the highest_level_of_management of the Union entity concerned.
3. Where the IICB has adopted measures under paragraph 2, first subparagraph, points (a) to (g), the Union entity concerned shall provide details of the measures and actions taken to address the alleged shortcomings identified by the IICB. The Union entity shall submit those details within a reasonable period to be agreed with the IICB.
4. Where the IICB considers that there is persistent infringement of this Regulation by a Union entity resulting directly from actions or omissions of an official or other servant of the Union, including at the highest_level_of_management, the IICB shall request that the Union entity concerned take appropriate action, including requesting it to consider taking action of a disciplinary nature, in accordance with the rules and procedures laid down in the Staff Regulations and any other applicable rules and procedures. To that end, the IICB shall transfer the necessary information to the Union entity concerned.
5. Where Union_entities notify that they are unable to meet the deadlines set out in Article 6(1) and Article 8(1), the IICB may, in duly substantiated cases, taking into account the size of the Union entity, authorise the extension of those deadlines.
CHAPTER IV
CERT-EU
Article 15
Head of CERT-EU
1. The Commission, after obtaining the approval of a majority of two thirds of the members of the IICB, shall appoint the Head of CERT-EU. The IICB shall be consulted at all stages of the appointment procedure, in particular with regard to drafting vacancy notices, examining applications and appointing selection boards in relation to the post. The selection procedure, including the final shortlist of candidates from which the Head of CERT-EU is to be appointed, shall ensure fair representation of each gender, taking into account the applications submitted.
2. The Head of CERT-EU shall be responsible for the proper functioning of CERT-EU and shall act within the remit of his or her role and under the direction of the IICB. The Head of CERT-EU shall report regularly to the Chair of the IICB and shall submit ad-hoc reports to the IICB upon its request.
3. The Head of CERT-EU shall assist the responsible authorising officer by delegation in drafting the annual activity report containing financial and management information, including the results of controls, drawn up in accordance with Article 74(9) of Regulation (EU, Euratom) 2018/1046 of the European Parliament and of the Council (9), and shall report regularly to the authorising officer by delegation on the implementation of measures in respect of which powers have been sub-delegated to the Head of CERT-EU.
4. The Head of CERT-EU shall draw up, on an annual basis, a financial planning of administrative revenue and expenditure for its activities, a proposed annual work programme, a proposed service catalogue for CERT-EU, proposed revisions of the service catalogue, proposed arrangements for service level agreements and proposed KPIs for CERT-EU, to be approved by the IICB in accordance with Article 11. When revising the list of services in CERT-EU’s service catalogue, the Head of CERT-EU shall take into account the resources allocated to CERT-EU.
5. The Head of CERT-EU shall submit reports at least annually to the IICB and the Chair of the IICB on the activities and performance of CERT-EU during the reference period, including on the implementation of the budget, service level agreements and written agreements entered into, cooperation with counterparts and partners, and missions undertaken by staff, including the reports referred to in Article 11. Those reports shall include a work programme for the following period, financial planning of revenue and expenditure, including staffing, planned updates of CERT-EU’s service catalogue and an assessment of the expected impact that such updates may have with regard to financial and human resources.
whereas