keyboard_tab Cyber Resilience Act 2023/2841 EN
BG CS DA DE EL EN ES ET FI FR GA HR HU IT LV LT MT NL PL PT RO SK SL SV print pdf
- 3 Art. 3 Definitions
- 1 Art. 13 CERT-EU mission and tasks
- 1 Art. 17 Cooperation of CERT-EU with Member State counterparts
- 15 Art. 21 Reporting obligations
- 1 Art. 22 Incident response coordination and cooperation
CHAPTER I
GENERAL PROVISIONS
CHAPTER II
MEASURES FOR A HIGH COMMON LEVEL OF CYBERSECURITY
CHAPTER III
INTERINSTITUTIONAL CYBERSECURITY BOARD
CHAPTER IV
CERT-EU
CHAPTER V
COOPERATION AND REPORTING OBLIGATIONS
CHAPTER VI
FINAL PROVISIONS
- Union entities
- network and information system
- security of network and information systems
- cybersecurity
- highest level of management
- near miss
- incident
- major incident
- large-scale cybersecurity incident
- incident handling
- cyber threat
- significant cyber threat
- vulnerability
- cybersecurity risk
- cloud computing service
- shall 45
- incident 40
- article 32
- union 31
- union_entities 28
- cert-eu 27
- information 24
- eu / 21
- significant 20
- cybersecurity 20
- incidents 19
- directive 18
- point 18
- means 18
- entity 18
- without 14
- cert-eu 14
- relevant 13
- state 12
- defined 12
- cooperation 12
- pursuant 12
- member 11
- response 11
- iicb 11
- affected 11
- report 10
- including 10
- impact 10
- level 9
- exchange 9
- support 9
- which 9
- delay 9
- referred 9
- applicable 9
- coordination 9
- cyber_threats 8
- undue 8
- regulation 8
- services 8
- provide 7
- basis 7
- appropriate 7
- within 7
- environment 7
- accordance 6
- enisa 6
- cyber_threat 6
- vulnerabilities 6
Article 3
Definitions
For the purposes of this Regulation, the following definitions apply:
| (1) | ‘ Union_entities’ means the Union institutions, bodies, offices and agencies set up by or pursuant to the Treaty on European Union, the Treaty on the Functioning of European Union (TFEU) or the Treaty establishing the European Atomic Energy Community; |
| (2) | ‘ network_and_information_system’ means a network_and_information_system as defined in Article 6, point (1), of Directive (EU) 2022/2555; |
| (3) | ‘security of network_and_information_systems’ means security of network_and_information_systems as defined in Article 6, point (2), of Directive (EU) 2022/2555; |
| (4) | ‘ cybersecurity’ means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; |
| (5) | ‘ highest_level_of_management’ means a manager, management body or coordination and oversight body that is responsible for the functioning of a Union entity, at the most senior administrative level, with a mandate to adopt or authorise decisions in line with the high-level governance arrangements of that Union entity, without prejudice to the formal responsibilities of other levels of management for compliance and cybersecurity risk management in their respective areas of responsibility; |
| (6) | ‘ near_miss’ means a near_miss as defined in Article 6, point (5), of Directive (EU) 2022/2555; |
| (7) | ‘ incident’ means an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555; |
| (8) | ‘major incident’ means an incident which causes a level of disruption that exceeds a Union entity’s and CERT-EU’s capacity to respond to it or which has a significant impact on at least two Union_entities; |
| (9) | ‘large-scale cybersecurity incident’ means a large-scale cybersecurity incident as defined in Article 6, point (7), of Directive (EU) 2022/2555; |
| (10) | ‘ incident handling’ means incident handling as defined in Article 6, point (8), of Directive (EU) 2022/2555; |
| (11) | ‘ cyber_threat’ means a cyber_threat as defined in Article 2, point (8), of Regulation (EU) 2019/881; |
| (12) | ‘significant cyber_threat’ means a significant cyber_threat as defined in Article 6, point (11), of Directive (EU) 2022/2555; |
| (13) | ‘ vulnerability’ means a vulnerability as defined in Article 6, point (15), of Directive (EU) 2022/2555; |
| (14) | ‘ cybersecurity risk’ means a risk as defined in Article 6, point (9), of Directive (EU) 2022/2555; |
| (15) | ‘ cloud_computing_service’ means a cloud_computing_service as defined in Article 6, point (30), of Directive (EU) 2022/2555. |
Article 13
CERT-EU mission and tasks
1. CERT-EU’s mission shall be to contribute to the security of the unclassified ICT environment of Union_entities by advising them on cybersecurity, by helping them to prevent, detect, handle, mitigate, respond to and recover from incidents and by acting as their cybersecurity information exchange and incident response coordination hub.
2. CERT-EU shall collect, manage, analyse and share information with the Union_entities on cyber_threats, vulnerabilities and incidents in unclassified ICT infrastructure. It shall coordinate responses to incidents at interinstitutional and Union entity level, including by providing or coordinating the provision of specialised operational assistance.
3. CERT-EU shall carry out the following tasks to assist the Union_entities:
| (a) | support them with the implementation of this Regulation and contribute to the coordination of the implementation of this Regulation through the measures listed in Article 14(1) or through ad-hoc reports requested by the IICB; |
| (b) | offer standard CSIRT services for Union_entities by means of a package of cybersecurity services described in its service catalogue (baseline services); |
| (c) | maintain a network of peers and partners to support the services as outlined in Articles 17 and 18; |
| (d) | bring to the attention of the IICB any problems relating to the implementation of this Regulation and the implementation of guidelines, recommendations and calls for action; |
| (e) | on the basis of the information referred to in paragraph 2, contribute to the Union cyber situational awareness in close cooperation with ENISA; |
| (f) | coordinate the management of major incidents; |
| (g) | act on the part of Union_entities as the equivalent of the coordinator designated for the purposes of coordinated vulnerability disclosure pursuant to Article 12(1) of Directive (EU) 2022/2555; |
| (h) | provide, upon the request of a Union entity, proactive non-intrusive scanning of publicly accessible network_and_information_systems of that Union entity. |
The information referred to in the first subparagraph, point (e), shall be shared with the IICB, the CSIRTs network and the European Union Intelligence and Situation Centre (EU INTCEN), where applicable and appropriate, and subject to appropriate confidentiality conditions.
4. CERT-EU may, in accordance with Article 17 or 18 as appropriate, cooperate with relevant cybersecurity communities within the Union and its Member States, including in the following areas:
| (a) | preparedness, incident coordination, information exchange and crisis response at the technical level on cases linked to Union_entities; |
| (b) | operational cooperation regarding the CSIRTs network, including with regard to mutual assistance; |
| (c) | cyber_threat intelligence, including situational awareness; |
| (d) | on any topic requiring CERT-EU’s technical cybersecurity expertise. |
5. Within its competence, CERT-EU shall engage in structured cooperation with ENISA on capacity building, operational cooperation and long-term strategic analyses of cyber_threats in accordance with Regulation (EU) 2019/881. CERT-EU may cooperate and exchange information with Europol’s European Cybercrime Centre.
6. CERT-EU may provide the following services not described in its service catalogue (chargeable services):
| (a) | services that support the cybersecurity of Union_entities’ ICT environment, other than those referred to in paragraph 3, on the basis of service level agreements and subject to available resources, in particular broad-spectrum network monitoring, including first-line 24/7 monitoring for high-severity cyber_threats; |
| (b) | services that support cybersecurity operations or projects of Union_entities, other than those to protect their ICT environment, on the basis of written agreements and with the prior approval of the IICB; |
| (c) | upon request, a proactive scanning of the network_and_information_systems of the Union entity concerned to detect vulnerabilities with a potential significant impact; |
| (d) | services that support the security of their ICT environment to organisations other than the Union_entities that cooperate closely with Union_entities, for instance by having tasks or responsibilities conferred under Union law, on the basis of written agreements and with the prior approval of the IICB. |
With regard to the first subparagraph, point (d), CERT-EU may, on an exceptional basis, enter into service level agreements with entities other than the Union_entities with the prior approval of the IICB.
7. CERT-EU shall organise and may participate in cybersecurity exercises or recommend participation in existing exercises, where applicable in close cooperation with ENISA, to test the level of cybersecurity of the Union_entities.
8. CERT-EU may provide assistance to Union_entities regarding incidents in network_and_information_systems handling EUCI where it is explicitly requested to do so by the Union_entities concerned in accordance with their respective procedures. The provision of assistance by CERT-EU under this paragraph shall be without prejudice to applicable rules concerning the protection of classified information.
9. CERT-EU shall inform Union_entities about its incident handling procedures and processes.
10. CERT-EU shall contribute, with a high level of confidentiality and reliability, via the appropriate cooperation mechanisms and reporting lines, relevant and anonymised information about major incidents and the manner in which they were handled. That information shall be included in the report referred to in Article 10(14).
11. CERT-EU shall, in cooperation with the EDPS, support the Union_entities concerned when addressing incidents resulting in personal data breaches, without prejudice to the competence and tasks of the EDPS as a supervisory authority under Regulation (EU) 2018/1725.
12. CERT-EU may, if expressly requested by Union_entities’ policy departments, provide technical advice or input on relevant policy matters.
Article 17
Cooperation of CERT-EU with Member State counterparts
1. CERT-EU shall, without undue delay, cooperate and exchange information with Member State counterparts, in particular the CSIRTs designated or established pursuant to Article 10 of Directive (EU) 2022/2555, or, where applicable, the competent authorities and single points of contact designated or established pursuant to Article 8 of that Directive, with regard to incidents, cyber_threats, vulnerabilities, near_misses, possible countermeasures as well as best practices and on all matters relevant for improving the protection of the ICT environments of Union_entities, including by means of the CSIRTs network established pursuant to Article 15 of Directive (EU) 2022/2555. CERT-EU shall support the Commission in EU-CyCLONe established pursuant to Article 16 of Directive (EU) 2022/2555 on the coordinated management of large-scale cybersecurity incidents and crises.
2. Where CERT-EU becomes aware of a significant incident occurring within the territory of a Member State, it shall, without delay, notify any relevant counterpart in that Member State, in accordance with paragraph 1.
3. Provided that personal data are protected in accordance with applicable Union data protection law, CERT-EU shall, without undue delay, exchange relevant incident-specific information with Member State counterparts to facilitate detection of similar cyber_threats or incidents, or to contribute to the analysis of an incident, without the authorisation of the Union entity affected. CERT-EU shall exchange incident-specific information which reveals the identity of the target of the incident only in the event of one of the following:
| (a) | the Union entity affected consents; |
| (b) | the Union entity affected does not consent as provided for in point (a) but the disclosure of the identity of the Union entity affected would increase the probability that incidents elsewhere would be avoided or mitigated; |
| (c) | the Union entity affected has already made public that it was affected. |
Decisions to exchange incident-specific information which reveals the identity of the target of the incident pursuant to the first subparagraph, point (b), shall be endorsed by the Head of CERT-EU. Prior to issuing such a decision, CERT-EU shall contact the Union entity affected in writing, explaining clearly how the disclosure of its identity would help to avoid or mitigate incidents elsewhere. The Head of CERT-EU shall provide the explanation and explicitly request the Union entity to state whether it consents within a set timeframe. The Head of CERT-EU shall also inform the Union entity that, in light of the explanation provided, he or she reserves the right to disclose the information even in the absence of consent. The Union entity affected shall be informed before the information is disclosed.
Article 21
Reporting obligations
1. An incident shall be considered to be significant if:
| (a) | it has caused or is capable of causing severe operational disruption to the functioning of, or financial loss to, the Union entity concerned; |
| (b) | it has affected or is capable of affecting other natural or legal persons by causing considerable material or non-material damage. |
2. Union_entities shall submit to CERT-EU:
| (a) | without undue delay and in any event within 24 hours of becoming aware of the significant incident, an early warning, which, where applicable, shall indicate that the significant incident is suspected of being caused by unlawful or malicious acts or could have a cross-entity or a cross-border impact; |
| (b) | without undue delay and in any event within 72 hours of becoming aware of the significant incident, an incident notification, which, where applicable, shall update the information referred to in point (a) and indicate an initial assessment of the significant incident, including its severity and impact, as well as, where available, the indicators of compromise; |
| (c) | upon the request of CERT-EU, an intermediate report on relevant status updates; |
| (d) | a final report not later than one month after the submission of the incident notification under point (b), including the following:
|
| (e) | in the event of an ongoing incident at the time of the submission of the final report referred to in point (d), a progress report at that time and a final report within one month of their handling of the incident. |
3. A Union entity shall, without undue delay and in any event within 24 hours of becoming aware of a significant incident, inform any relevant Member State counterparts referred to in Article 17(1) in the Member State where it is located that a significant incident has occurred.
4. The Union_entities shall notify, inter alia, any information enabling CERT-EU to determine any cross-entity impact, impact on the hosting Member State or cross-border impact following a significant incident. Without prejudice to Article 12, the mere act of notification shall not subject the Union entity to increased liability.
5. Where applicable, Union_entities shall communicate, without undue delay, to the users of the network_and_information_systems affected, or of other components of the ICT environment, that are potentially affected by a significant incident or a significant cyber_threat, and, where appropriate, need to take mitigating measures, any measures or remedies that they can take in response to that incident or that threat. Where appropriate, Union_entities shall inform those users of the significant cyber_threat itself.
6. Where a significant incident or significant cyber_threat affects a network_and_information_system, or a component of a Union entity’s ICT environment that is knowingly connected with another Union entity’s ICT environment, CERT-EU shall issue a relevant cybersecurity alert.
7. The Union_entities, upon the request of CERT-EU, shall, without undue delay, provide CERT-EU with digital information created by the use of electronic devices involved in their respective incidents. CERT-EU may provide further details of the types of information that it requires for situational awareness and incident response.
8. CERT-EU shall submit to the IICB, ENISA, the EU INTCEN and the CSIRTs network, every three months, a summary report including anonymised and aggregated data on significant incidents, incidents, cyber_threats, near_misses and vulnerabilities pursuant to Article 20 and significant incidents notified pursuant to paragraph 2 of this Article. The summary report shall constitute an input to the biennial report on the state of cybersecurity in the Union adopted pursuant to Article 18 of Directive (EU) 2022/2555.
9. By 8 July 2024, the IICB shall issue guidelines or recommendations further specifying the arrangements for, and format and content of, the reporting pursuant to this Article. When preparing such guidelines or recommendations, the IICB shall take into account any implementing acts adopted pursuant to Article 23(11) of Directive (EU) 2022/2555 specifying the type of information, the format and the procedure of notifications. CERT-EU shall disseminate the appropriate technical details to enable proactive detection, incident response or mitigating measures by Union_entities.
10. The reporting obligations laid down in this Article shall not extend to:
| (a) | EUCI; |
| (b) | information the further distribution of which has been excluded by means of a visible marking, unless the sharing thereof with CERT-EU has been explicitly allowed. |
Article 22
Incident response coordination and cooperation
1. In acting as a cybersecurity information exchange and incident response coordination hub, CERT-EU shall facilitate information exchange with regards to incidents, cyber_threats, vulnerabilities and near_misses among:
| (a) | Union_entities; |
| (b) | the counterparts referred to in Articles 17 and 18. |
2. CERT-EU, where relevant in close cooperation with ENISA, shall facilitate coordination among Union_entities on incident response, including:
| (a) | contribution to consistent external communication; |
| (b) | mutual support, such as sharing information relevant to Union_entities, or providing assistance, where relevant directly on site; |
| (c) | optimal use of operational resources; |
| (d) | coordination with other crisis response mechanisms at Union level. |
3. CERT-EU, in close cooperation with ENISA, shall support Union_entities regarding situational awareness of incidents, cyber_threats, vulnerabilities and near_misses as well as sharing relevant developments in the field of cybersecurity.
4. By 8 January 2025, the IICB shall, on the basis of a proposal by CERT-EU, adopt guidelines or recommendations on incident response coordination and cooperation for significant incidents. Where the criminal nature of an incident is suspected, CERT-EU shall advise on how to report the incident to law enforcement authorities, without undue delay.
5. Following a specific request from a Member State and with the approval of the Union_entities concerned, CERT-EU may call on experts from the list referred to in Article 23(4), for contributing to the response to a major incident which has an impact in that Member State, or a large-scale cybersecurity incident in accordance with Article 15(3), point (g), of Directive (EU) 2022/2555. Specific rules on access to and the use of technical experts from Union_entities shall be approved by the IICB on the basis of a proposal by CERT-EU.
whereas