keyboard_tab Cyber Resilience Act 2023/2841 EN
BG CS DA DE EL EN ES ET FI FR GA HR HU IT LV LT MT NL PL PT RO SK SL SV print pdf
- 1 Art. 6 Cybersecurity risk-management, governance and control framework
- 1 Art. 7 Cybersecurity maturity assessments
- 1 Art. 9 Cybersecurity plans
- 1 Art. 10 Interinstitutional Cybersecurity Board
- 1 Art. 11 Tasks of the IICB
- 1 Art. 25 Review
- Article 26 Entry into force
CHAPTER I
GENERAL PROVISIONS
CHAPTER II
MEASURES FOR A HIGH COMMON LEVEL OF CYBERSECURITY
CHAPTER III
INTERINSTITUTIONAL CYBERSECURITY BOARD
CHAPTER IV
CERT-EU
CHAPTER V
COOPERATION AND REPORTING OBLIGATIONS
CHAPTER VI
FINAL PROVISIONS
- Union entities
- network and information system
- security of network and information systems
- cybersecurity
- highest level of management
- near miss
- incident
- major incident
- large-scale cybersecurity incident
- incident handling
- cyber threat
- significant cyber threat
- vulnerability
- cybersecurity risk
- cloud computing service
- cybersecurity 54
- shall 53
- union 34
- cert-eu 29
- iicb 25
- article 24
- entity 22
- regulation 20
- the 18
- implementation 16
- union_entities 16
- basis 16
- european 16
- framework 14
- level 12
- pursuant 11
- each 10
- report 10
- proposal 9
- approve 9
- head 8
- board 8
- within 8
- maturity 8
- chair 8
- local 8
- plan 8
- procedure 7
- committee 7
- establish 7
- established 7
- interinstitutional 7
- from 7
- tasks 7
- referred 7
- commission 7
- by 6
- management 6
- account 6
- service 6
- assessments 6
- years 6
- highest_level_of_management 6
- internal 6
- including 6
- risk-management 6
- member 6
- rules 5
- representatives 5
- review 5
Article 6
Cybersecurity risk-management, governance and control framework
1. By 8 April 2025, each Union entity shall, after carrying out an initial cybersecurity review, such as an audit, establish an internal cybersecurity risk-management, governance and control framework (the ‘Framework’). The establishment of the Framework shall be overseen by and under the responsibility of the Union entity’s highest_level_of_management.
2. The Framework shall cover the entirety of the unclassified ICT environment of the Union entity concerned, including any on-premises ICT environment, operational technology network, outsourced assets and services in cloud computing environments or hosted by third parties, mobile devices, corporate networks, business networks not connected to the internet and any devices connected to those environments (ICT environment). The Framework shall be based on an all-hazards approach.
3. The Framework shall ensure a high level of cybersecurity. The Framework shall establish internal cybersecurity policies, including objectives and priorities, for the security of network_and_information_systems, and the roles and responsibilities of the Union entity’s staff tasked with ensuring the effective implementation of this Regulation. The Framework shall also include mechanisms to measure the effectiveness of the implementation.
4. The Framework shall be reviewed on a regular basis, in light of the changing cybersecurity risks, and at least every four years. Where appropriate and following a request from the Interinstitutional Cybersecurity Board established pursuant to Article 10, a Union entity’s Framework may be updated on the basis of guidance from CERT-EU on incidents identified or possible gaps observed in the implementation of this Regulation.
5. The highest_level_of_management of each Union entity shall be responsible for the implementation of this Regulation and shall oversee the compliance of its organisation with the obligations related to the Framework.
6. Where appropriate and without prejudice to its responsibility for the implementation of this Regulation, the highest_level_of_management of each Union entity may delegate specific obligations under this Regulation to senior officials within the meaning of Article 29(2) of the Staff Regulations or other officials at equivalent level, within the Union entity concerned. Regardless of any such delegation, the highest_level_of_management may be held liable for infringements of this Regulation by the Union entity concerned.
7. Each Union entity shall have effective mechanisms in place to ensure that an adequate percentage of the ICT budget is spent on cybersecurity. Due account shall be taken of the Framework when establishing that percentage.
8. Each Union entity shall appoint a local cybersecurity officer or an equivalent function who shall act as its single point of contact regarding all aspects of cybersecurity. The local cybersecurity officer shall facilitate the implementation of this Regulation and report directly to the highest_level_of_management on a regular basis on the state of the implementation. Without prejudice to the local cybersecurity officer being the single point of contact in each Union entity, a Union entity may delegate certain tasks of the local cybersecurity officer with regard to the implementation of this Regulation to CERT-EU on the basis of a service level agreement concluded between that Union entity and CERT-EU, or those tasks may be shared by several Union_entities. Where those tasks are delegated to CERT-EU, the Interinstitutional Cybersecurity Board established pursuant to Article 10 shall decide whether the provision of that service is to be part of the baseline services of CERT-EU, taking into account the human and financial resources of the Union entity concerned. Each Union entity shall, without undue delay, notify CERT-EU of the local cybersecurity officer appointed and any subsequent change thereto.
CERT-EU shall establish and keep updated a list of appointed local cybersecurity officers.
9. The senior officials within the meaning of Article 29(2) of the Staff Regulations or other officials at equivalent level of each Union entity, as well as all relevant members of staff tasked with implementing the cybersecurity risk-management measures and with fulfilling obligations laid down in this Regulation, shall follow specific training on a regular basis with a view to gaining sufficient knowledge and skills in order to apprehend and assess cybersecurity risk- and management practices and their impact on the operations of the Union entity.
Article 7
Cybersecurity maturity assessments
1. By 8 July 2025 and at least every two years thereafter, each Union entity shall carry out a cybersecurity maturity assessment incorporating all the elements of its ICT environment.
2. The cybersecurity maturity assessments shall, where appropriate, be carried out with the assistance of a specialised third party.
3. Union_entities with similar structures may cooperate in carrying out cybersecurity maturity assessments for their respective entities.
4. On the basis of a request of the Interinstitutional Cybersecurity Board established pursuant to Article 10 and with the explicit consent of the Union entity concerned, the results of a cybersecurity maturity assessment may be discussed within that Board or within the informal group of local cybersecurity officers with a view to learning from experience and sharing best practices.
Article 9
Cybersecurity plans
1. Following the conclusion of the cybersecurity maturity assessment carried out pursuant to Article 7 and taking into account the assets and cybersecurity risks identified in the Framework as well as the cybersecurity risk-management measures taken pursuant to Article 8, the highest_level_of_management of each Union entity shall approve a cybersecurity plan without undue delay and in any event by 8 January 2026. The cybersecurity plan shall aim at increasing the overall cybersecurity of the Union entity and shall thereby contribute to the enhancement of a high common level of cybersecurity within the Union_entities. The cybersecurity plan shall include at least the cybersecurity risk-management measures taken pursuant to Article 8. The cybersecurity plan shall be revised every two years, or more frequently where necessary, following the cybersecurity maturity assessments carried out pursuant to Article 7 or any substantial review of the Framework.
2. The cybersecurity plan shall include the Union entity’s cyber crisis management plan for major incidents.
3. The Union entity shall submit the completed cybersecurity plan to the Interinstitutional Cybersecurity Board established pursuant to Article 10.
CHAPTER III
INTERINSTITUTIONAL CYBERSECURITY BOARD
Article 10
Interinstitutional Cybersecurity Board
1. An Interinstitutional Cybersecurity Board (IICB) is hereby established.
2. The IICB shall be responsible for:
| (a) | monitoring and supporting the implementation of this Regulation by the Union_entities; |
| (b) | supervising the implementation of general priorities and objectives by CERT-EU and providing strategic direction to CERT-EU. |
3. The IICB shall consist of:
| (a) | one representative designated by each of the following:
|
| (b) | three representatives designated by the EU Agencies Network (EUAN) on the basis of a proposal by its ICT Advisory Committee to represent the interests of the bodies, offices and agencies of the Union that run their own ICT environment, other than those referred to in point (a). |
The Union_entities represented on the IICB shall aim to achieve gender balance among the designated representatives.
4. Members of the IICB may be assisted by an alternate. Other representatives of the Union_entities referred to in paragraph 3 or of other Union_entities may be invited by the Chair to attend IICB meetings without voting power.
5. The Head of CERT-EU and the Chairs of the Cooperation Group, the CSIRTs network and EU-CyCLONe established, respectively, pursuant to Articles 14, 15 and 16 of Directive (EU) 2022/2555, or their alternates, may participate in IICB meetings as observers. In exceptional cases, the IICB may, in accordance with its internal rules of procedure, decide otherwise.
6. The IICB shall adopt its internal rules of procedure.
7. The IICB shall designate a Chair in accordance with its internal rules of procedure, from among its members for a period of three years. The Chair’s alternate shall become a full member of the IICB for the same duration.
8. The IICB shall meet at least three times a year at the initiative of its Chair, at the request of CERT-EU or at the request of any of its members.
9. Each member of the IICB shall have one vote. The IICB’s decisions shall be taken by simple majority except where otherwise provided for in this Regulation. The Chair of the IICB shall not have a vote except in the event of a tied vote, in which case the Chair may cast a deciding vote.
10. The IICB may act by means of a simplified written procedure initiated in accordance with its internal rules of procedure. Under that procedure, the relevant decision shall be deemed to be approved within the timeframe set by the Chair, except where a member objects.
11. The secretariat of the IICB shall be provided by the Commission and shall be accountable to the Chair of the IICB.
12. The representatives nominated by the EUAN shall relay the IICB’s decisions to the members of the EUAN. Any member of the EUAN shall be entitled to raise with those representatives or the Chair of the IICB any matter which it considers should be brought to the IICB’s attention.
13. The IICB may establish an executive committee to assist it in its work, and delegate some of its tasks and powers to it. The IICB shall lay down the rules of procedure of the executive committee, including its tasks and powers, and the terms of office of its members.
14. By 8 January 2025 and on an annual basis thereafter, the IICB shall submit a report to the European Parliament and to the Council detailing progress made with the implementation of this Regulation and specifying in particular the extent of cooperation of CERT-EU with Member State counterparts in each of the Member States. The report shall constitute an input to the biennial report on the state of cybersecurity in the Union adopted pursuant to Article 18 of Directive (EU) 2022/2555.
Article 11
Tasks of the IICB
When exercising its responsibilities, the IICB shall, in particular:
| (a) | provide guidance to the Head of CERT-EU; |
| (b) | effectively monitor and supervise the implementation of this Regulation and support the Union_entities in strengthening their cybersecurity, including, where appropriate, requesting ad-hoc reports from Union_entities and CERT-EU; |
| (c) | following a strategic discussion, adopt a multiannual strategy on raising the level of cybersecurity in the Union_entities, asses that strategy on a regular basis and in any event every five years and, where necessary, amend that strategy; |
| (d) | establish the methodology and organisational aspects for the conduct of voluntary peer reviews by Union_entities, with a view to learning from shared experiences, strengthening mutual trust, achieving a high common level of cybersecurity, as well as enhancing Union_entities’ cybersecurity capabilities, ensuring that such peer reviews are conducted by cybersecurity experts designated by a Union entity different from the Union entity being reviewed and that the methodology is based on Article 19 of Directive (EU) 2022/2555 and is, where appropriate, adapted to the Union_entities; |
| (e) | approve, on the basis of a proposal by the Head of CERT-EU, CERT-EU’s annual work programme and monitor its implementation; |
| (f) | approve, on the basis of a proposal by the Head of CERT-EU, CERT-EU’s service catalogue and any updates thereof; |
| (g) | approve, on the basis of a proposal by the Head of CERT-EU, the annual financial planning of revenue and expenditure, including staffing, for CERT-EU activities; |
| (h) | approve, on the basis of a proposal by the Head of CERT-EU, the arrangements for service level agreements; |
| (i) | examine and approve the annual report drawn up by the Head of CERT-EU covering the activities of, and management of funds by, CERT-EU; |
| (j) | approve and monitor key performance indicators (KPIs) for CERT-EU established on the basis of a proposal by the Head of CERT-EU; |
| (k) | approve cooperation arrangements, service level agreements or contracts between CERT-EU and other entities pursuant to Article 18; |
| (l) | adopt guidelines and recommendations on the basis of a proposal by CERT-EU in accordance with Article 14 and instruct CERT-EU to issue, withdraw or modify a proposal for guidelines or recommendations, or a call for action; |
| (m) | establish technical advisory groups with specific tasks to assist the IICB’s work, approve their terms of reference and designate their respective Chairs; |
| (n) | receive and assess documents and reports submitted by the Union_entities under this Regulation, such as cybersecurity maturity assessments; |
| (o) | facilitate the establishment of an informal group of local cybersecurity officers of Union_entities, supported by ENISA, with the aim of exchanging best practices and information in relation to the implementation of this Regulation; |
| (p) | taking into account the information on the identified cybersecurity risks and lessons learnt provided by CERT-EU, monitor the adequacy of interconnectivity arrangements among the Union_entities’ ICT environments and advise on possible improvements; |
| (q) | establish a cyber crisis management plan with a view to supporting, at an operational level, the coordinated management of major incidents affecting Union_entities and to contributing to the regular exchange of relevant information, in particular with regard to the impacts and severity of, and the possible ways of mitigating the effects of, major incidents; |
| (r) | coordinate the adoption of individual Union_entities’ cyber crisis management plans referred to in Article 9(2); |
| (s) | adopt recommendations relating to supply chain security referred to in Article 8(2), first subparagraph, point (m), taking into account the results of Union level coordinated security risk assessments of critical supply chains referred to in Article 22 of Directive (EU) 2022/2555 to support Union_entities in adopting effective and proportionate cybersecurity risk-management measures. |
Article 25
Review
1. By 8 January 2025 and on an annual basis thereafter, the IICB, with the assistance of CERT-EU, shall report to the Commission on the implementation of this Regulation. The IICB may make recommendations to the Commission to review this Regulation.
2. By 8 January 2027 and every two years thereafter, the Commission shall assess and report on the implementation of this Regulation and on the experience gained at a strategic and operational level to the European Parliament and to the Council.
The report referred to in the first subparagraph of this paragraph shall include the review referred to in Article 16(1), on the possibility of establishing CERT-EU as a Union office.
3. By 8 January 2029, the Commission shall evaluate the functioning of this Regulation and submit a report to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions. The Commission shall also evaluate the appropriateness of including network_and_information_systems handling EUCI within the scope of this Regulation, taking into account other Union legislative acts applicable to those systems. The report shall be accompanied, where necessary, by a legislative proposal.
whereas