keyboard_tab Cyber Resilience Act 2023/2841 EN
BG CS DA DE EL EN ES ET FI FR GA HR HU IT LV LT MT NL PL PT RO SK SL SV print pdf
CHAPTER I
GENERAL PROVISIONS
CHAPTER II
MEASURES FOR A HIGH COMMON LEVEL OF CYBERSECURITY
CHAPTER III
INTERINSTITUTIONAL CYBERSECURITY BOARD
CHAPTER IV
CERT-EU
CHAPTER V
COOPERATION AND REPORTING OBLIGATIONS
CHAPTER VI
FINAL PROVISIONS
- Union entities
- network and information system
- security of network and information systems
- cybersecurity
- highest level of management
- near miss
- incident
- major incident
- large-scale cybersecurity incident
- incident handling
- cyber threat
- significant cyber threat
- vulnerability
- cybersecurity risk
- cloud computing service
- shall 49
- iicb 41
- union 38
- european 38
- union_entities 30
- regulation 21
- cybersecurity 21
- entity 21
- article 20
- information 18
- cert-eu 17
- concerned 15
- incidents 15
- no / 15
- council 14
- the 14
- eu / 12
- parliament 12
- cert-eu 11
- member 11
- pursuant 10
- major 10
- rules 10
- including 10
- applicable 10
- cooperation 10
- management 9
- implementation 9
- level 9
- services 8
- accordance 8
- request 8
- referred 8
- measures 8
- within 8
- chair 8
- basis 7
- committee 7
- directive 7
- service 7
- action 7
- support 7
- procedure 7
- under 7
- relevant 7
- enisa 6
- provide 6
- first 6
- subparagraph 6
- commission 6
Article 10
Interinstitutional Cybersecurity Board
1. An Interinstitutional Cybersecurity Board (IICB) is hereby established.
2. The IICB shall be responsible for:
| (a) | monitoring and supporting the implementation of this Regulation by the Union_entities; |
| (b) | supervising the implementation of general priorities and objectives by CERT-EU and providing strategic direction to CERT-EU. |
3. The IICB shall consist of:
| (a) | one representative designated by each of the following:
|
| (b) | three representatives designated by the EU Agencies Network (EUAN) on the basis of a proposal by its ICT Advisory Committee to represent the interests of the bodies, offices and agencies of the Union that run their own ICT environment, other than those referred to in point (a). |
The Union_entities represented on the IICB shall aim to achieve gender balance among the designated representatives.
4. Members of the IICB may be assisted by an alternate. Other representatives of the Union_entities referred to in paragraph 3 or of other Union_entities may be invited by the Chair to attend IICB meetings without voting power.
5. The Head of CERT-EU and the Chairs of the Cooperation Group, the CSIRTs network and EU-CyCLONe established, respectively, pursuant to Articles 14, 15 and 16 of Directive (EU) 2022/2555, or their alternates, may participate in IICB meetings as observers. In exceptional cases, the IICB may, in accordance with its internal rules of procedure, decide otherwise.
6. The IICB shall adopt its internal rules of procedure.
7. The IICB shall designate a Chair in accordance with its internal rules of procedure, from among its members for a period of three years. The Chair’s alternate shall become a full member of the IICB for the same duration.
8. The IICB shall meet at least three times a year at the initiative of its Chair, at the request of CERT-EU or at the request of any of its members.
9. Each member of the IICB shall have one vote. The IICB’s decisions shall be taken by simple majority except where otherwise provided for in this Regulation. The Chair of the IICB shall not have a vote except in the event of a tied vote, in which case the Chair may cast a deciding vote.
10. The IICB may act by means of a simplified written procedure initiated in accordance with its internal rules of procedure. Under that procedure, the relevant decision shall be deemed to be approved within the timeframe set by the Chair, except where a member objects.
11. The secretariat of the IICB shall be provided by the Commission and shall be accountable to the Chair of the IICB.
12. The representatives nominated by the EUAN shall relay the IICB’s decisions to the members of the EUAN. Any member of the EUAN shall be entitled to raise with those representatives or the Chair of the IICB any matter which it considers should be brought to the IICB’s attention.
13. The IICB may establish an executive committee to assist it in its work, and delegate some of its tasks and powers to it. The IICB shall lay down the rules of procedure of the executive committee, including its tasks and powers, and the terms of office of its members.
14. By 8 January 2025 and on an annual basis thereafter, the IICB shall submit a report to the European Parliament and to the Council detailing progress made with the implementation of this Regulation and specifying in particular the extent of cooperation of CERT-EU with Member State counterparts in each of the Member states. The report shall constitute an input to the biennial report on the state of cybersecurity in the Union adopted pursuant to Article 18 of Directive (EU) 2022/2555.
Article 12
Compliance
1. The IICB shall, pursuant to Article 10(2) and Article 11, effectively monitor the implementation of this Regulation and of adopted guidelines, recommendations and calls for action by the Union_entities. The IICB may request information or documentation necessary for that purpose from the Union_entities. For the purpose of adopting compliance measures under this Article, where the Union entity concerned is directly represented on the IICB, that Union entity shall not have voting rights.
2. Where the IICB finds that a Union entity has not effectively implemented this Regulation or guidelines, recommendations or calls for action issued pursuant thereto, it may, without prejudice to the internal procedures of the Union entity concerned, and after giving an opportunity to the Union entity concerned to present its observations:
| (a) | communicate a reasoned opinion to the Union entity concerned with observed gaps in the implementation of this Regulation; |
| (b) | provide, after consulting CERT-EU, guidelines to the Union entity concerned to ensure that its Framework, cybersecurity risk-management measures, cybersecurity plan and reporting comply with this Regulation within a specified period; |
| (c) | issue a warning to address identified shortcomings within a specified period, including recommendations to amend measures adopted by the Union entity concerned pursuant to this Regulation; |
| (d) | issue a reasoned notification to the Union entity concerned, in the event that shortcomings identified in a warning issued pursuant to point (c) were not sufficiently addressed within the specified period; |
| (e) | issue:
|
| (f) | if applicable, inform the Court of Auditors, within the remit of its mandate, of the alleged non-compliance; |
| (g) | issue a recommendation that all Member states and Union_entities implement a temporary suspension of data flows to the Union entity concerned. |
For the purposes of the first subparagraph, point (c), the audience of a warning shall be restricted appropriately, where necessary in view of the cybersecurity risk.
Warnings and recommendations issued pursuant to the first subparagraph shall be directed to the highest_level_of_management of the Union entity concerned.
3. Where the IICB has adopted measures under paragraph 2, first subparagraph, points (a) to (g), the Union entity concerned shall provide details of the measures and actions taken to address the alleged shortcomings identified by the IICB. The Union entity shall submit those details within a reasonable period to be agreed with the IICB.
4. Where the IICB considers that there is persistent infringement of this Regulation by a Union entity resulting directly from actions or omissions of an official or other servant of the Union, including at the highest_level_of_management, the IICB shall request that the Union entity concerned take appropriate action, including requesting it to consider taking action of a disciplinary nature, in accordance with the rules and procedures laid down in the Staff Regulations and any other applicable rules and procedures. To that end, the IICB shall transfer the necessary information to the Union entity concerned.
5. Where Union_entities notify that they are unable to meet the deadlines set out in Article 6(1) and Article 8(1), the IICB may, in duly substantiated cases, taking into account the size of the Union entity, authorise the extension of those deadlines.
CHAPTER IV
CERT-EU
Article 13
CERT-EU mission and tasks
1. CERT-EU’s mission shall be to contribute to the security of the unclassified ICT environment of Union_entities by advising them on cybersecurity, by helping them to prevent, detect, handle, mitigate, respond to and recover from incidents and by acting as their cybersecurity information exchange and incident response coordination hub.
2. CERT-EU shall collect, manage, analyse and share information with the Union_entities on cyber_threats, vulnerabilities and incidents in unclassified ICT infrastructure. It shall coordinate responses to incidents at interinstitutional and Union entity level, including by providing or coordinating the provision of specialised operational assistance.
3. CERT-EU shall carry out the following tasks to assist the Union_entities:
| (a) | support them with the implementation of this Regulation and contribute to the coordination of the implementation of this Regulation through the measures listed in Article 14(1) or through ad-hoc reports requested by the IICB; |
| (b) | offer standard CSIRT services for Union_entities by means of a package of cybersecurity services described in its service catalogue (baseline services); |
| (c) | maintain a network of peers and partners to support the services as outlined in Articles 17 and 18; |
| (d) | bring to the attention of the IICB any problems relating to the implementation of this Regulation and the implementation of guidelines, recommendations and calls for action; |
| (e) | on the basis of the information referred to in paragraph 2, contribute to the Union cyber situational awareness in close cooperation with ENISA; |
| (f) | coordinate the management of major incidents; |
| (g) | act on the part of Union_entities as the equivalent of the coordinator designated for the purposes of coordinated vulnerability disclosure pursuant to Article 12(1) of Directive (EU) 2022/2555; |
| (h) | provide, upon the request of a Union entity, proactive non-intrusive scanning of publicly accessible network_and_information_systems of that Union entity. |
The information referred to in the first subparagraph, point (e), shall be shared with the IICB, the CSIRTs network and the European Union Intelligence and Situation Centre (EU INTCEN), where applicable and appropriate, and subject to appropriate confidentiality conditions.
4. CERT-EU may, in accordance with Article 17 or 18 as appropriate, cooperate with relevant cybersecurity communities within the Union and its Member states, including in the following areas:
| (a) | preparedness, incident coordination, information exchange and crisis response at the technical level on cases linked to Union_entities; |
| (b) | operational cooperation regarding the CSIRTs network, including with regard to mutual assistance; |
| (c) | cyber_threat intelligence, including situational awareness; |
| (d) | on any topic requiring CERT-EU’s technical cybersecurity expertise. |
5. Within its competence, CERT-EU shall engage in structured cooperation with ENISA on capacity building, operational cooperation and long-term strategic analyses of cyber_threats in accordance with Regulation (EU) 2019/881. CERT-EU may cooperate and exchange information with Europol’s European Cybercrime Centre.
6. CERT-EU may provide the following services not described in its service catalogue (chargeable services):
| (a) | services that support the cybersecurity of Union_entities’ ICT environment, other than those referred to in paragraph 3, on the basis of service level agreements and subject to available resources, in particular broad-spectrum network monitoring, including first-line 24/7 monitoring for high-severity cyber_threats; |
| (b) | services that support cybersecurity operations or projects of Union_entities, other than those to protect their ICT environment, on the basis of written agreements and with the prior approval of the IICB; |
| (c) | upon request, a proactive scanning of the network_and_information_systems of the Union entity concerned to detect vulnerabilities with a potential significant impact; |
| (d) | services that support the security of their ICT environment to organisations other than the Union_entities that cooperate closely with Union_entities, for instance by having tasks or responsibilities conferred under Union law, on the basis of written agreements and with the prior approval of the IICB. |
With regard to the first subparagraph, point (d), CERT-EU may, on an exceptional basis, enter into service level agreements with entities other than the Union_entities with the prior approval of the IICB.
7. CERT-EU shall organise and may participate in cybersecurity exercises or recommend participation in existing exercises, where applicable in close cooperation with ENISA, to test the level of cybersecurity of the Union_entities.
8. CERT-EU may provide assistance to Union_entities regarding incidents in network_and_information_systems handling EUCI where it is explicitly requested to do so by the Union_entities concerned in accordance with their respective procedures. The provision of assistance by CERT-EU under this paragraph shall be without prejudice to applicable rules concerning the protection of classified information.
9. CERT-EU shall inform Union_entities about its incident handling procedures and processes.
10. CERT-EU shall contribute, with a high level of confidentiality and reliability, via the appropriate cooperation mechanisms and reporting lines, relevant and anonymised information about major incidents and the manner in which they were handled. That information shall be included in the report referred to in Article 10(14).
11. CERT-EU shall, in cooperation with the EDPS, support the Union_entities concerned when addressing incidents resulting in personal data breaches, without prejudice to the competence and tasks of the EDPS as a supervisory authority under Regulation (EU) 2018/1725.
12. CERT-EU may, if expressly requested by Union_entities’ policy departments, provide technical advice or input on relevant policy matters.
Article 19
Information handling
1. Union_entities and CERT-EU shall respect the obligation of professional secrecy in accordance with Article 339 TFEU or equivalent applicable frameworks.
2. Regulation (EC) No 1049/2001 of the European Parliament and of the Council (10) shall apply with regard to requests for public access to documents held by CERT-EU, including the obligation under that Regulation to consult other Union_entities or, where relevant, Member states, whenever a request concerns their documents.
3. The handling of information by Union_entities and CERT-EU shall comply with the applicable rules on information security.
Article 23
Management of major incidents
1. In order to support at operational level the coordinated management of major incidents affecting Union_entities and to contribute to the regular exchange of relevant information among Union_entities and with Member states, the IICB shall, pursuant to Article 11, point (q), establish a cyber crisis management plan based on the activities referred to in Article 22(2), in close cooperation with CERT-EU and ENISA. The cyber crisis management plan shall include at least the following elements:
| (a) | arrangements concerning coordination and information flow among Union_entities for the management of major incidents at operational level; |
| (b) | common standard operating procedures (SOPs); |
| (c) | a common taxonomy of major incident severity and crisis triggering points; |
| (d) | regular exercises; |
| (e) | secure communication channels that are to be used. |
2. The Commission representative in the IICB shall, subject to the cyber crisis management plan established pursuant to paragraph 1 of this Article and without prejudice to Article 16(2), first subparagraph, of Directive (EU) 2022/2555, be the point of contact for the sharing of relevant information in relation to major incidents with EU-CyCLONe.
3. CERT-EU shall coordinate among the Union_entities the management of major incidents. It shall maintain an inventory of the available technical expertise that would be needed for incident response in the event of major incidents and assist the IICB in coordinating Union_entities’ cyber crisis management plans for major incidents referred to in Article 9(2).
4. The Union_entities shall contribute to the inventory of technical expertise by providing an annually updated list of experts available within their respective organisations detailing their specific technical skills.
CHAPTER VI
FINAL PROVISIONS
Article 26
Entry into force
This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.
This Regulation shall be binding in its entirety and directly applicable in all Member states.
Done at Strasbourg, 13 December 2023.
For the European Parliament
The President
R. METSOLA
For the Council
The President
P. NAVARRO RÍOS
(1) Position of the European Parliament of 21 November 2023 (not yet published in the Official Journal) and decision of the Council of 8 December 2023.
(2) Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive) (OJ L 333, 27.12.2022, p. 80).
(3) Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019 on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification and repealing Regulation (EU) No 526/2013 (Cybersecurity Act) (OJ L 151, 7.6.2019, p. 15).
(4) Arrangement between the European Parliament, the European Council, the Council of the European Union, the European Commission, the Court of Justice of the European Union, the European Central Bank, the European Court of Auditors, the European External Action Service, the European Economic and Social Committee, the European Committee of the Regions and the European Investment Bank on the organisation and operation of a computer emergency response team for the Union’s institutions, bodies and agencies (CERT-EU) (OJ C 12, 13.1.2018, p. 1).
(5) Regulation (EEC, Euratom, ECSC) No 259/68 of the Council of 29 February 1968 laying down the Staff Regulations of Officials and the Conditions of Employment of Other Servants of the European Communities and instituting special measures temporarily applicable to officials of the Commission (OJ L 56, 4.3.1968, p. 1).
(6) Commission Recommendation (EU) 2017/1584 of 13 September 2017 on coordinated response to large-scale cybersecurity incidents and crises (OJ L 239, 19.9.2017, p. 36).
(7) Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39).
(8) OJ C 258, 5.7.2022, p. 10.
(9) Regulation (EU, Euratom) 2018/1046 of the European Parliament and of the Council of 18 July 2018 on the financial rules applicable to the general budget of the Union, amending Regulations (EU) No 1296/2013, (EU) No 1301/2013, (EU) No 1303/2013, (EU) No 1304/2013, (EU) No 1309/2013, (EU) No 1316/2013, (EU) No 223/2014, (EU) No 283/2014, and Decision No 541/2014/EU and repealing Regulation (EU, Euratom) No 966/2012 (OJ L 193, 30.7.2018, p. 1).
(10) Regulation (EC) No 1049/2001 of the European Parliament and of the Council of 30 May 2001 regarding public access to European Parliament, Council and Commission documents (OJ L 145, 31.5.2001, p. 43).
ELI: http://data.europa.eu/eli/reg/2023/2841/oj
ISSN 1977-0677 (electronic edition)