
The European Union adopts a new regulation to strengthen cybersecurity

The political agreement establishes the creation of a security framework to protect EU data, networks and decision-making processes, with the strengthening of the mandate of CERT-EU


The Commission welcomes the political agreement reached between the European Parliament and the EU Council on the Regulation, proposed by the Commission itself, which establishes measures for a high common level of cybersecurity in the institutions, bodies, offices and agencies of the Union. The negotiations are now concluded, paving the way for the final approval of the legal text by the European Parliament and the Council.

The cybersecurity framework

In March 2022, the Commission announced the proposal for the Cybersecurity Regulation. This will establish a framework for cybersecurity governance, risk management and control across EU entities, with a new Interinstitutional Cybersecurity Council charged with monitoring its implementation. It will also extend the mandate of the Computer Emergency Response Team for EU institutions, bodies, offices and agencies (CERT-EU), transforming it into a hub for threat intelligence, information exchange and incident response coordination, a central advisory body and a service provider. CERT-EU will be renamed 'Cybersecurity Service of Union Institutions, Bodies, Offices and Agencies' to reflect its new mandate, while keeping the short name CERT-EU for reasons of recognisability.

Key elements and next steps

Key elements of the proposal for all EU institutions, bodies, offices and agencies include: a framework for cybersecurity governance, risk management and control; regular maturity assessments; the implementation of cybersecurity measures that address the identified risks; the preparation of a plan to improve their cybersecurity; and sharing incident information with CERT-EU without undue delay. Once the text is finalised, the European Parliament and the Council will need to formally adopt the new Regulation before it can enter into force. Union entities will then have to comply with the obligations and meet the deadlines specified in the text. This will help ensure higher levels of cybersecurity in the EU administration and leave it better prepared to face future challenges.

Background and alignment with existing policies

In March 2021, the Council of the European Union underlined the importance of a robust and coherent security framework to protect all EU personnel, data, communication networks, information systems and decision-making processes. This can only be achieved through enhanced resilience and a better security culture in the EU institutions, bodies, offices and agencies. Following the European Union Security Strategy and the EU Cybersecurity Strategy, the Cybersecurity Regulation will ensure consistency with current EU cybersecurity policies, in full alignment with current European legislation. That legislation includes the Directive on measures for a high common level of cybersecurity across the Union ('NIS 2'), with which the Regulation is in line in terms of principles and level of ambition while respecting the specificities of Union entities; the Cybersecurity Act; and the Commission Recommendation on coordinated response to large-scale cybersecurity incidents and crises.


06/26/2023 15:07

Editorial AI
