keyboard_tab Cyber Resilience Act 2023/2841 EN
BG CS DA DE EL EN ES ET FI FR GA HR HU IT LV LT MT NL PL PT RO SK SL SV print pdf
- 2 Art. 3 Definitions
- 1 Art. 23 Management of major incidents
CHAPTER I
GENERAL PROVISIONS
CHAPTER II
MEASURES FOR A HIGH COMMON LEVEL OF CYBERSECURITY
CHAPTER III
INTERINSTITUTIONAL CYBERSECURITY BOARD
CHAPTER IV
CERT-EU
CHAPTER V
COOPERATION AND REPORTING OBLIGATIONS
CHAPTER VI
FINAL PROVISIONS
- Union entities
- network and information system
- security of network and information systems
- cybersecurity
- highest level of management
- near miss
- incident
- major incident
- large-scale cybersecurity incident
- incident handling
- cyber threat
- significant cyber threat
- vulnerability
- cybersecurity risk
- cloud computing service
- article 18
- means 15
- eu / 13
- defined 12
- management 11
- directive 11
- point 11
- major 8
- incidents 7
- incident 7
- union_entities 6
- shall 6
- union 6
- cybersecurity 5
- crisis 5
- level 4
- cyber 4
- regulation 3
- incident’ 3
- technical 3
- information 3
- pursuant 3
- among 3
- plan 3
- iicb 3
- european 3
- treaty 3
- entity 2
- the 2
- inventory 2
- cyber_threat 2
- definitions 2
- respective 2
- point 2
- risk 2
- arrangements 2
- without 2
- prejudice 2
- available 2
- expertise 2
- coordination 2
- body 2
- functioning 2
- relevant 2
- significant 2
- regular 2
- contribute 2
- referred 2
- operational 2
- which 2
Article 3
Definitions
For the purposes of this Regulation, the following definitions apply:
| (1) | ‘ Union_entities’ means the Union institutions, bodies, offices and agencies set up by or pursuant to the Treaty on European Union, the Treaty on the Functioning of European Union (TFEU) or the Treaty establishing the European Atomic Energy Community; |
| (2) | ‘ network_and_information_system’ means a network_and_information_system as defined in Article 6, point (1), of Directive (EU) 2022/2555; |
| (3) | ‘security of network_and_information_systems’ means security of network_and_information_systems as defined in Article 6, point (2), of Directive (EU) 2022/2555; |
| (4) | ‘ cybersecurity’ means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; |
| (5) | ‘ highest_level_of_management’ means a manager, management body or coordination and oversight body that is responsible for the functioning of a Union entity, at the most senior administrative level, with a mandate to adopt or authorise decisions in line with the high-level governance arrangements of that Union entity, without prejudice to the formal responsibilities of other levels of management for compliance and cybersecurity risk management in their respective areas of responsibility; |
| (6) | ‘ near_miss’ means a near_miss as defined in Article 6, point (5), of Directive (EU) 2022/2555; |
| (7) | ‘ incident’ means an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555; |
| (8) | ‘major incident’ means an incident which causes a level of disruption that exceeds a Union entity’s and CERT-EU’s capacity to respond to it or which has a significant impact on at least two Union_entities; |
| (9) | ‘large-scale cybersecurity incident’ means a large-scale cybersecurity incident as defined in Article 6, point (7), of Directive (EU) 2022/2555; |
| (10) | ‘ incident handling’ means incident handling as defined in Article 6, point (8), of Directive (EU) 2022/2555; |
| (11) | ‘ cyber_threat’ means a cyber_threat as defined in Article 2, point (8), of Regulation (EU) 2019/881; |
| (12) | ‘significant cyber_threat’ means a significant cyber_threat as defined in Article 6, point (11), of Directive (EU) 2022/2555; |
| (13) | ‘ vulnerability’ means a vulnerability as defined in Article 6, point (15), of Directive (EU) 2022/2555; |
| (14) | ‘ cybersecurity risk’ means a risk as defined in Article 6, point (9), of Directive (EU) 2022/2555; |
| (15) | ‘ cloud_computing_service’ means a cloud_computing_service as defined in Article 6, point (30), of Directive (EU) 2022/2555. |
Article 23
Management of major incidents
1. In order to support at operational level the coordinated management of major incidents affecting Union_entities and to contribute to the regular exchange of relevant information among Union_entities and with Member States, the IICB shall, pursuant to Article 11, point (q), establish a cyber crisis management plan based on the activities referred to in Article 22(2), in close cooperation with CERT-EU and ENISA. The cyber crisis management plan shall include at least the following elements:
| (a) | arrangements concerning coordination and information flow among Union_entities for the management of major incidents at operational level; |
| (b) | common standard operating procedures (SOPs); |
| (c) | a common taxonomy of major incident severity and crisis triggering points; |
| (d) | regular exercises; |
| (e) | secure communication channels that are to be used. |
2. The Commission representative in the IICB shall, subject to the cyber crisis management plan established pursuant to paragraph 1 of this Article and without prejudice to Article 16(2), first subparagraph, of Directive (EU) 2022/2555, be the point of contact for the sharing of relevant information in relation to major incidents with EU-CyCLONe.
3. CERT-EU shall coordinate among the Union_entities the management of major incidents. It shall maintain an inventory of the available technical expertise that would be needed for incident response in the event of major incidents and assist the IICB in coordinating Union_entities’ cyber crisis management plans for major incidents referred to in Article 9(2).
4. The Union_entities shall contribute to the inventory of technical expertise by providing an annually updated list of experts available within their respective organisations detailing their specific technical skills.
CHAPTER VI
FINAL PROVISIONS
whereas