keyboard_tab Cyber Resilience Act 2023/2841 EN
BG CS DA DE EL EN ES ET FI FR GA HR HU IT LV LT MT NL PL PT RO SK SL SV print pdf
- 5 Art. 8 Cybersecurity risk-management measures
- 1 Art. 23 Management of major incidents
CHAPTER I
GENERAL PROVISIONS
CHAPTER II
MEASURES FOR A HIGH COMMON LEVEL OF CYBERSECURITY
CHAPTER III
INTERINSTITUTIONAL CYBERSECURITY BOARD
CHAPTER IV
CERT-EU
CHAPTER V
COOPERATION AND REPORTING OBLIGATIONS
CHAPTER VI
FINAL PROVISIONS
- Union entities
- network and information system
- security of network and information systems
- cybersecurity
- highest level of management
- near miss
- incident
- major incident
- large-scale cybersecurity incident
- incident handling
- cyber threat
- significant cyber threat
- vulnerability
- cybersecurity risk
- cloud computing service
- cybersecurity 18
- management 12
- shall 12
- incidents 11
- union_entities 9
- major 8
- security 8
- including 7
- article 7
- measures 6
- crisis 6
- union 5
- information 5
- technical 5
- development 4
- service 4
- incident 4
- cyber 4
- referred 4
- secure 4
- level 4
- relevant 4
- regular 4
- entity 4
- appropriate 4
- least 3
- following 3
- implementation 3
- policy 3
- policies 3
- risk 3
- plan 3
- point 3
- iicb 3
- establishment 3
- risks 3
- inventory 3
- communications 3
- each 3
- providers 3
- cert-eu 3
- common 3
- training 3
- vulnerabilities 3
- specific 3
- risk-management 3
- take 3
- among 3
- account 3
- operational 3
Article 8
Cybersecurity risk-management measures
1. Without undue delay and in any event by 8 September 2025, each Union entity shall, under the oversight of its highest_level_of_management, take appropriate and proportionate technical, operational and organisational measures to manage the cybersecurity risks identified under the Framework, and to prevent or minimise the impact of incidents. Taking into account the state of the art and, where applicable, relevant European and international standards, those measures shall ensure a level of security of network_and_information_systems across the entirety of the ICT environment commensurate to the cybersecurity risks posed. When assessing the proportionality of those measures, due account shall be taken of the degree of the Union entity’s exposure to cybersecurity risks, its size and the likelihood of occurrence of incidents and their severity, including their societal, economic and interinstitutional impact.
2. Union_entities shall address at least the following domains in the implementation of the cybersecurity risk-management measures:
| (a) | cybersecurity policy, including measures needed to reach objectives and priorities referred to in Article 6 and paragraph 3 of this Article; |
| (b) | policies on cybersecurity risk analysis and information system security; |
| (c) | policy objectives regarding the use of cloud_computing_services; |
| (d) | cybersecurity audit, where appropriate, which may include a cybersecurity risk, vulnerability and cyber_threat assessment, and penetration testing carried out by a trusted private provider on a regular basis; |
| (e) | implementation of recommendations resulting from cybersecurity audits referred to in point (d) through cybersecurity and policy updates; |
| (f) | organisation of cybersecurity, including establishment of roles and responsibilities; |
| (g) | asset management, including ICT asset inventory and ICT network cartography; |
| (h) | human resources security and access control; |
| (i) | operations security; |
| (j) | communications security; |
| (k) | system acquisition, development and maintenance, including policies on vulnerability handling and disclosure; |
| (l) | where possible, policies on the transparency of the source code; |
| (m) | supply chain security, including security-related aspects concerning the relationships between each Union entity and its direct suppliers or service providers; |
| (n) | incident handling and cooperation with CERT-EU, such as the maintenance of security monitoring and logging; |
| (o) | business continuity management, such as backup management and disaster recovery, and crisis management; and |
| (p) | promotion and development of cybersecurity education, skills, awareness-raising, exercise and training programmes. |
For the purposes of the first subparagraph, point (m), Union_entities shall take into account the vulnerabilities specific to each direct supplier and service provider and the overall quality of products and cybersecurity practices of their suppliers and service providers, including their secure development procedures.
3. Union_entities shall take at least the following specific cybersecurity risk-management measures:
| (a) | technical arrangements to enable and sustain teleworking; |
| (b) | concrete steps for moving towards zero-trust principles; |
| (c) | the use of multifactor authentication as a norm across network_and_information_systems; |
| (d) | the use of cryptography and encryption, in particular end-to-end encryption, as well as secure digital signing; |
| (e) | where appropriate, secured voice, video and text communications, and secured emergency communications systems within the Union entity; |
| (f) | proactive measures for detection and removal of malware and spyware; |
| (g) | the establishment of software supply chain security through criteria for secure software development and evaluation; |
| (h) | the establishment and adoption of training programmes on cybersecurity commensurate to the prescribed tasks and expected capabilities for the highest_level_of_management and members of staff of the Union entity tasked with ensuring the effective implementation of this Regulation; |
| (i) | regular cybersecurity training of staff members; |
| (j) | where relevant, participation in interconnectivity risk analyses between the Union_entities; |
| (k) | the enhancement of procurement rules to facilitate a high common level of cybersecurity through:
|
Article 23
Management of major incidents
1. In order to support at operational level the coordinated management of major incidents affecting Union_entities and to contribute to the regular exchange of relevant information among Union_entities and with Member States, the IICB shall, pursuant to Article 11, point (q), establish a cyber crisis management plan based on the activities referred to in Article 22(2), in close cooperation with CERT-EU and ENISA. The cyber crisis management plan shall include at least the following elements:
| (a) | arrangements concerning coordination and information flow among Union_entities for the management of major incidents at operational level; |
| (b) | common standard operating procedures (SOPs); |
| (c) | a common taxonomy of major incident severity and crisis triggering points; |
| (d) | regular exercises; |
| (e) | secure communication channels that are to be used. |
2. The Commission representative in the IICB shall, subject to the cyber crisis management plan established pursuant to paragraph 1 of this Article and without prejudice to Article 16(2), first subparagraph, of Directive (EU) 2022/2555, be the point of contact for the sharing of relevant information in relation to major incidents with EU-CyCLONe.
3. CERT-EU shall coordinate among the Union_entities the management of major incidents. It shall maintain an inventory of the available technical expertise that would be needed for incident response in the event of major incidents and assist the IICB in coordinating Union_entities’ cyber crisis management plans for major incidents referred to in Article 9(2).
4. The Union_entities shall contribute to the inventory of technical expertise by providing an annually updated list of experts available within their respective organisations detailing their specific technical skills.
CHAPTER VI
FINAL PROVISIONS
whereas