keyboard_tab Cyber Resilience Act 2023/2841 EN

1.   By 8 July 2025 and at least every two years thereafter, each Union entity shall carry out a cybersecurity maturity assessment incorporating all the elements of its ICT environment.

2.   The cybersecurity maturity assessments shall, where appropriate, be carried out with the assistance of a specialised third party.

3.    Union_entities with similar structures may cooperate in carrying out cybersecurity maturity assessments for their respective entities.

4.   On the basis of a request of the Interinstitutional Cybersecurity Board established pursuant to Article 10 and with the explicit consent of the Union entity concerned, the results of a cybersecurity maturity assessment may be discussed within that Board or within the informal group of local cybersecurity officers with a view to learning from experience and sharing best practices.

1.   Without undue delay and in any event by 8 September 2025, each Union entity shall, under the oversight of its highest_level_of_management, take appropriate and proportionate technical, operational and organisational measures to manage the cybersecurity risks identified under the Framework, and to prevent or minimise the impact of incidents. Taking into account the state of the art and, where applicable, relevant European and international standards, those measures shall ensure a level of security of network_and_information_systems across the entirety of the ICT environment commensurate to the cybersecurity risks posed. When assessing the proportionality of those measures, due account shall be taken of the degree of the Union entity’s exposure to cybersecurity risks, its size and the likelihood of occurrence of incidents and their severity, including their societal, economic and interinstitutional impact.

2.    Union_entities shall address at least the following domains in the implementation of the cybersecurity risk-management measures:

(a)	cybersecurity policy, including measures needed to reach objectives and priorities referred to in Article 6 and paragraph 3 of this Article;

(b)	policies on cybersecurity risk analysis and information system security;

(c)	policy objectives regarding the use of cloud_computing_services;

(d)	cybersecurity audit, where appropriate, which may include a cybersecurity risk, vulnerability and cyber_threat assessment, and penetration testing carried out by a trusted private provider on a regular basis;

(e)	implementation of recommendations resulting from cybersecurity audits referred to in point (d) through cybersecurity and policy updates;

(f)	organisation of cybersecurity, including establishment of roles and responsibilities;

(g)	asset management, including ICT asset inventory and ICT network cartography;

(h)	human resources security and access control;

(i)	operations security;

(j)	communications security;

(k)	system acquisition, development and maintenance, including policies on vulnerability handling and disclosure;

(l)	where possible, policies on the transparency of the source code;

(m)	supply chain security, including security-related aspects concerning the relationships between each Union entity and its direct suppliers or service providers;

(n)	incident handling and cooperation with CERT-EU, such as the maintenance of security monitoring and logging;

(o)	business continuity management, such as backup management and disaster recovery, and crisis management; and

(p)	promotion and development of cybersecurity education, skills, awareness-raising, exercise and training programmes.

For the purposes of the first subparagraph, point (m), Union_entities shall take into account the vulnerabilities specific to each direct supplier and service provider and the overall quality of products and cybersecurity practices of their suppliers and service providers, including their secure development procedures.

3.    Union_entities shall take at least the following specific cybersecurity risk-management measures:

(a)	technical arrangements to enable and sustain teleworking;

(b)	concrete steps for moving towards zero-trust principles;

(c)	the use of multifactor authentication as a norm across network_and_information_systems;

(d)	the use of cryptography and encryption, in particular end-to-end encryption, as well as secure digital signing;

(e)	where appropriate, secured voice, video and text communications, and secured emergency communications systems within the Union entity;

(f)	proactive measures for detection and removal of malware and spyware;

(g)	the establishment of software supply chain security through criteria for secure software development and evaluation;

(h)	the establishment and adoption of training programmes on cybersecurity commensurate to the prescribed tasks and expected capabilities for the highest_level_of_management and members of staff of the Union entity tasked with ensuring the effective implementation of this Regulation;

(i)	regular cybersecurity training of staff members;

(j)	where relevant, participation in interconnectivity risk analyses between the Union_entities;

(k)

the enhancement of procurement rules to facilitate a high common level of cybersecurity through: (i) the removal of contractual barriers that limit information sharing from ICT service providers about incidents, vulnerabilities and cyber_threats with CERT-EU; (ii) contractual obligations to report incidents, vulnerabilities and cyber_threats as well as to have appropriate incident response and monitoring mechanisms in place.

1.   CERT-EU shall support the implementation of this Regulation by issuing:

(a)	calls for action describing urgent security measures that Union_entities are urged to take within a set timeframe;

(b)	proposals to the IICB for guidelines addressed to all or a subset of the Union_entities;

(c)	proposals to the IICB for recommendations addressed to individual Union_entities.

With regard to the first subparagraph, point (a), the Union entity concerned shall, without undue delay after receiving the call for action, inform CERT-EU of how the urgent security measures were applied.

2.   Guidelines and recommendations may include:

(a)

common methodologies and a model for assessing the cybersecurity maturity of the Union_entities, including the corresponding scales or KPIs, serving as reference in support of continuous cybersecurity improvement across the Union_entities and facilitating the prioritisation of cybersecurity domains and measures taking into account entities’ cybersecurity posture;

(b)	arrangements for or improvements to cybersecurity risk management and the cybersecurity risk-management measures;

(c)	arrangements for cybersecurity maturity assessments and cybersecurity plans;

(d)	where appropriate, the use of common technology, architecture, open source and associated best practices with the aim of achieving interoperability and common standards, including a coordinated approach to supply chain security;

(e)	where appropriate, information to facilitate the use of common procurement instruments for the purchasing of relevant cybersecurity services and products from third-party suppliers;

(f)	information-sharing arrangements pursuant to Article 20.

1.    Union_entities may, on a voluntary basis, notify CERT-EU of, and provide it with information on, incidents, cyber_threats, near_misses and vulnerabilities that affect them. CERT-EU shall ensure that efficient means of communication, with a high level of traceability, confidentiality and reliability, are available for the purpose of facilitating information sharing with the Union_entities. When processing notifications, CERT-EU may prioritise the processing of mandatory notifications over voluntary notifications. Without prejudice to Article 12, voluntary notification shall not result in the imposition of any additional obligations upon the reporting Union entity to which it would not have been subject had it not submitted the notification.

2.   To perform its mission and tasks conferred pursuant to Article 13, CERT-EU may request Union_entities to provide it with information from their respective ICT system inventories, including information relating to cyber_threats, near_misses, vulnerabilities, indicators of compromise, cybersecurity alerts and recommendations regarding configuration of cybersecurity tools to detect incidents. The requested Union entity shall transmit the requested information, and any subsequent updates thereto, without undue delay.

3.   CERT-EU may exchange incident-specific information with Union_entities which reveals the identity of the Union entity affected by the incident, provided that the Union entity affected consents. Where a Union entity withholds its consent, it shall provide CERT-EU with reasons substantiating that decision.

4.    Union_entities shall, upon request, share information with the European Parliament and the Council on the completion of cybersecurity plans.

5.   The IICB or CERT-EU, as applicable, shall, upon request, share guidelines, recommendations and calls for action with the European Parliament and the Council.

6.   The sharing obligations laid down in this Article shall not extend to:

(a)

EUCI;

(b)	information the further distribution of which has been excluded by means of a visible marking, unless the sharing thereof with CERT-EU has been explicitly allowed.

1.   An incident shall be considered to be significant if:

(a)	it has caused or is capable of causing severe operational disruption to the functioning of, or financial loss to, the Union entity concerned;

(b)	it has affected or is capable of affecting other natural or legal persons by causing considerable material or non-material damage.

2.    Union_entities shall submit to CERT-EU:

(a)

without undue delay and in any event within 24 hours of becoming aware of the significant incident, an early warning, which, where applicable, shall indicate that the significant incident is suspected of being caused by unlawful or malicious acts or could have a cross-entity or a cross-border impact;

(b)

without undue delay and in any event within 72 hours of becoming aware of the significant incident, an incident notification, which, where applicable, shall update the information referred to in point (a) and indicate an initial assessment of the significant incident, including its severity and impact, as well as, where available, the indicators of compromise;

(c)	upon the request of CERT-EU, an intermediate report on relevant status updates;

(d)

a final report not later than one month after the submission of the incident notification under point (b), including the following: (i) a detailed description of the incident, including its severity and impact; (ii) the type of threat or root cause that is likely to have triggered the incident; (iii) applied and ongoing mitigation measures; (iv) where applicable, the cross-border or cross-entity impact of the incident;

(e)	in the event of an ongoing incident at the time of the submission of the final report referred to in point (d), a progress report at that time and a final report within one month of their handling of the incident.

3.   A Union entity shall, without undue delay and in any event within 24 hours of becoming aware of a significant incident, inform any relevant Member State counterparts referred to in Article 17(1) in the Member State where it is located that a significant incident has occurred.

4.   The Union_entities shall notify, inter alia, any information enabling CERT-EU to determine any cross-entity impact, impact on the hosting Member State or cross-border impact following a significant incident. Without prejudice to Article 12, the mere act of notification shall not subject the Union entity to increased liability.

5.   Where applicable, Union_entities shall communicate, without undue delay, to the users of the network_and_information_systems affected, or of other components of the ICT environment, that are potentially affected by a significant incident or a significant cyber_threat, and, where appropriate, need to take mitigating measures, any measures or remedies that they can take in response to that incident or that threat. Where appropriate, Union_entities shall inform those users of the significant cyber_threat itself.

6.   Where a significant incident or significant cyber_threat affects a network_and_information_system, or a component of a Union entity’s ICT environment that is knowingly connected with another Union entity’s ICT environment, CERT-EU shall issue a relevant cybersecurity alert.

7.   The Union_entities, upon the request of CERT-EU, shall, without undue delay, provide CERT-EU with digital information created by the use of electronic devices involved in their respective incidents. CERT-EU may provide further details of the types of information that it requires for situational awareness and incident response.

8.   CERT-EU shall submit to the IICB, ENISA, the EU INTCEN and the CSIRTs network, every three months, a summary report including anonymised and aggregated data on significant incidents, incidents, cyber_threats, near_misses and vulnerabilities pursuant to Article 20 and significant incidents notified pursuant to paragraph 2 of this Article. The summary report shall constitute an input to the biennial report on the state of cybersecurity in the Union adopted pursuant to Article 18 of Directive (EU) 2022/2555.

9.   By 8 July 2024, the IICB shall issue guidelines or recommendations further specifying the arrangements for, and format and content of, the reporting pursuant to this Article. When preparing such guidelines or recommendations, the IICB shall take into account any implementing acts adopted pursuant to Article 23(11) of Directive (EU) 2022/2555 specifying the type of information, the format and the procedure of notifications. CERT-EU shall disseminate the appropriate technical details to enable proactive detection, incident response or mitigating measures by Union_entities.

10.   The reporting obligations laid down in this Article shall not extend to:

(a)

EUCI;

(b)	information the further distribution of which has been excluded by means of a visible marking, unless the sharing thereof with CERT-EU has been explicitly allowed.

1.   In acting as a cybersecurity information exchange and incident response coordination hub, CERT-EU shall facilitate information exchange with regards to incidents, cyber_threats, vulnerabilities and near_misses among:

(a)	Union_entities;

(b)	the counterparts referred to in Articles 17 and 18.

2.   CERT-EU, where relevant in close cooperation with ENISA, shall facilitate coordination among Union_entities on incident response, including:

(a)	contribution to consistent external communication;

(b)	mutual support, such as sharing information relevant to Union_entities, or providing assistance, where relevant directly on site;

(c)	optimal use of operational resources;

(d)	coordination with other crisis response mechanisms at Union level.

3.   CERT-EU, in close cooperation with ENISA, shall support Union_entities regarding situational awareness of incidents, cyber_threats, vulnerabilities and near_misses as well as sharing relevant developments in the field of cybersecurity.

4.   By 8 January 2025, the IICB shall, on the basis of a proposal by CERT-EU, adopt guidelines or recommendations on incident response coordination and cooperation for significant incidents. Where the criminal nature of an incident is suspected, CERT-EU shall advise on how to report the incident to law enforcement authorities, without undue delay.

5.   Following a specific request from a Member State and with the approval of the Union_entities concerned, CERT-EU may call on experts from the list referred to in Article 23(4), for contributing to the response to a major incident which has an impact in that Member State, or a large-scale cybersecurity incident in accordance with Article 15(3), point (g), of Directive (EU) 2022/2555. Specific rules on access to and the use of technical experts from Union_entities shall be approved by the IICB on the basis of a proposal by CERT-EU.

1.   In order to support at operational level the coordinated management of major incidents affecting Union_entities and to contribute to the regular exchange of relevant information among Union_entities and with Member States, the IICB shall, pursuant to Article 11, point (q), establish a cyber crisis management plan based on the activities referred to in Article 22(2), in close cooperation with CERT-EU and ENISA. The cyber crisis management plan shall include at least the following elements:

(a)	arrangements concerning coordination and information flow among Union_entities for the management of major incidents at operational level;

(b)	common standard operating procedures (SOPs);

(c)	a common taxonomy of major incident severity and crisis triggering points;

(d)	regular exercises;

(e)	secure communication channels that are to be used.

2.   The Commission representative in the IICB shall, subject to the cyber crisis management plan established pursuant to paragraph 1 of this Article and without prejudice to Article 16(2), first subparagraph, of Directive (EU) 2022/2555, be the point of contact for the sharing of relevant information in relation to major incidents with EU-CyCLONe.

3.   CERT-EU shall coordinate among the Union_entities the management of major incidents. It shall maintain an inventory of the available technical expertise that would be needed for incident response in the event of major incidents and assist the IICB in coordinating Union_entities’ cyber crisis management plans for major incidents referred to in Article 9(2).

4.   The Union_entities shall contribute to the inventory of technical expertise by providing an annually updated list of experts available within their respective organisations detailing their specific technical skills.