Legal provisions of COM(2022)122 - Measures for a high common level of cybersecurity at the institutions, bodies, offices and agencies of the Union


Chapter I
GENERAL PROVISIONS

Article 1 - Subject-matter

This Regulation lays down:

(a) obligations on Union institutions, bodies and agencies to establish an internal cybersecurity risk management, governance and control framework;

(b) cybersecurity risk management and reporting obligations for Union institutions, bodies and agencies;

(c) rules on the organisation and operation of the Cybersecurity Centre for the Union institutions, bodies and agencies (CERT-EU) and on the organisation and operation of the Interinstitutional Cybersecurity Board.

Article 2 - Scope

This Regulation applies to the management, governance and control of cybersecurity risks by all Union institutions, bodies and agencies and to the organisation and operation of CERT-EU and the Interinstitutional Cybersecurity Board.

Article 3 - Definitions

For the purpose of this Regulation, the following definitions apply:

(1) ‘Union institutions, bodies and agencies’ means the Union institutions, bodies and agencies set up by, or on the basis of, the Treaty on European Union, the Treaty on the Functioning of the European Union or the Treaty establishing the European Atomic Energy Community;

(2) ‘network and information system’ means network and information system within the meaning of Article 4(1) of Directive [proposal NIS 2];

(3) ‘security of network and information systems’ means security of network and information systems within the meaning of Article 4(2) of Directive [proposal NIS 2];

(4) ‘cybersecurity’ means cybersecurity within the meaning of Article 4(3) of Directive [proposal NIS 2];

(5) ‘highest level of management’ means a manager, management or coordination and oversight body at the most senior administrative level, taking account of the high-level governance arrangements in each Union institution, body or agency;

(6) ‘incident’ means an incident within the meaning of Article 4(5) of Directive [proposal NIS 2];

(7) ‘significant incident’ means any incident unless it has limited impact and is likely to be already well understood in terms of method or technology;

(8) ‘major attack’ means any incident requiring more resources than are available at the affected Union institution, body or agency and at CERT-EU;

(9) ‘incident handling’ means incident handling within the meaning of Article 4(6) of Directive [proposal NIS 2];

(10) ‘cyber threat’ means cyber threat within the meaning of Article 2(8) of Regulation (EU) 2019/881;

(11) ‘significant cyber threat’ means a cyber threat with the intention, opportunity and capability to cause a significant incident;

(12) ‘vulnerability’ means vulnerability within the meaning of Article 4(8) of Directive [proposal NIS 2];

(13) ‘significant vulnerability’ means a vulnerability that will likely lead to a significant incident if it is exploited;

(14) ‘cybersecurity risk’ means any reasonably identifiable circumstance or event having a potential adverse effect on the security of network and information systems;

(15) ‘Joint Cyber Unit’ means a virtual and physical platform for cooperation for the different cybersecurity communities in the Union, with a focus on operational and technical coordination against major cross-border cyber threats and incidents within the meaning of Commission Recommendation of 23 June 2021;

(16) ‘cybersecurity baseline’ means a set of minimum cybersecurity rules with which network and information systems and their operators and users must be compliant, to minimise cybersecurity risks.

Chapter II
MEASURES FOR A HIGH COMMON LEVEL OF CYBERSECURITY

Article 4 - Risk management, governance and control

1. Each Union institution, body and agency shall establish its own internal cybersecurity risk management, governance and control framework (‘the framework’) in support of the entity’s mission and exercising its institutional autonomy. This work shall be overseen by the entity’s highest level of management to ensure an effective and prudent management of all cybersecurity risks. The framework shall be in place by …. at the latest [15 months after the entry into force of this Regulation].

2. The framework shall cover the entirety of the IT environment of the concerned institution, body or agency, including any on-premise IT environment, outsourced assets and services in cloud computing environments or hosted by third parties, mobile devices, corporate networks, business networks not connected to the internet and any devices connected to the IT environment. The framework shall take account of business continuity and crisis management and it shall consider supply chain security as well as the management of human risks that could impact the cybersecurity of the concerned Union institution, body or agency.

3. The highest level of management of each Union institution, body and agency shall provide oversight over the compliance of their organisation with the obligations related to cybersecurity risk management, governance, and control, without prejudice to the formal responsibilities of other levels of management for compliance and risk management in their respective areas of responsibility.

4. Each Union institution, body and agency shall have effective mechanisms in place to ensure that an adequate percentage of the IT budget is spent on cybersecurity.

5. Each Union institution, body and agency shall appoint a Local Cybersecurity Officer or an equivalent function who shall act as its single point of contact regarding all aspects of cybersecurity.

Article 5 - Cybersecurity baseline

1. The highest level of management of each Union institution, body and agency shall approve the entity’s own cybersecurity baseline to address the risks identified under the framework referred to in Article 4(1). It shall do so in support of its mission and exercising its institutional autonomy. The cybersecurity baseline shall be in place by …. at the latest [18 months after the entry into force of this Regulation] and shall address the domains listed in Annex I and the measures listed in Annex II.

2. The senior management of each Union institution, body and agency shall follow specific trainings on a regular basis to gain sufficient knowledge and skills in order to apprehend and assess cybersecurity risk and management practices and their impact on the operations of the organisation.

Article 6 - Maturity assessments

Each Union institution, body and agency shall carry out a cybersecurity maturity assessment at least every three years, incorporating all the elements of their IT environment as described in Article 4, taking account of the relevant guidance documents and recommendations adopted in accordance with Article 13.

Article 7 - Cybersecurity plans

1. Following the conclusions derived from the maturity assessment and considering the assets and risks identified pursuant to Article 4, the highest level of management of each Union institution, body and agency shall approve a cybersecurity plan without undue delay after the establishment of the risk management, governance and control framework and the cybersecurity baseline. The plan shall aim at increasing the overall cybersecurity of the concerned entity and shall thereby contribute to the achievement or enhancement of a high common level of cybersecurity among all Union institutions, bodies and agencies. To support the entity’s mission on the basis of its institutional autonomy, the plan shall at least include the domains listed in Annex I, the measures listed in Annex II, as well as measures related to incident preparedness, response and recovery, such as security monitoring and logging. The plan shall be revised at least every three years, following the maturity assessments carried out pursuant to Article 6.

2. The cybersecurity plan shall include staff members’ roles and responsibilities for its implementation.

3. The cybersecurity plan shall consider any applicable guidance documents and recommendations issued by CERT-EU.

Article 8 - Implementation

1. Upon completion of maturity assessments, the Union institutions, bodies and agencies shall submit these to the Interinstitutional Cybersecurity Board. Upon completion of security plans, the Union institutions, bodies and agencies shall notify the Interinstitutional Cybersecurity Board of the completion. Upon request of the Board, they shall report on specific aspects of this Chapter.

2. Guidance documents and recommendations, issued in accordance with Article 13, shall support the implementation of the provisions laid down in this Chapter.

Chapter III
INTERINSTITUTIONAL CYBERSECURITY BOARD

Article 9 - Interinstitutional Cybersecurity Board

1. An Interinstitutional Cybersecurity Board (IICB) is established.

2. The IICB shall be responsible for:

(a) monitoring the implementation of this Regulation by the Union institutions, bodies and agencies;

(b) supervising the implementation of general priorities and objectives by CERT-EU and providing strategic direction to CERT-EU.

3. The IICB shall consist of three representatives nominated by the Union Agencies Network (EUAN) upon a proposal of its ICT Advisory Committee to represent the interests of the agencies and bodies that run their own IT environment and one representative designated by each of the following:

(a) the European Parliament;

(b) the Council of the European Union;

(c) the European Commission;

(d) the Court of Justice of the European Union;

(e) the European Central Bank;

(f) the European Court of Auditors;

(g) the European External Action Service;

(h) the European Economic and Social Committee;

(i) the European Committee of the Regions;

(j) the European Investment Bank;

(k) the European Union Agency for Cybersecurity.

Members may be assisted by an alternate. Other representatives of the organisations listed above or of other Union institutions, bodies and agencies may be invited by the chair to attend IICB meetings without voting power.

4. The IICB shall adopt its internal rules of procedure.

5. The IICB shall designate a chair, in accordance with its internal rules of procedure, from among its members for a period of four years. His or her alternate shall become a full member of the IICB for the same duration.

6. The IICB shall meet at the initiative of its chair, at the request of CERT-EU or at the request of any of its members.

7. Each member of the IICB shall have one vote. The IICB’s decisions shall be taken by simple majority except where otherwise provided for in this Regulation. The chair shall not vote except in the event of a tied vote where he or she may cast a deciding vote.

8. The IICB may act by a simplified written procedure initiated in accordance with the internal rules of procedure of the IICB. Under that procedure, the relevant decision shall be deemed approved within the timeframe set by the chair, except where a member objects.

9. The Head of CERT-EU, or his or her alternate, shall participate in IICB meetings except where otherwise decided by the IICB.

10. The secretariat of the IICB shall be provided by the Commission.

11. The representatives nominated by the EUAN upon a proposal of the ICT Advisory Committee shall relay the IICB’s decisions to the Union agencies and joint undertakings. Any Union agency and body shall be entitled to raise with the representatives or the chair of the IICB any matter which it considers should be brought to the IICB’s attention.

12. The IICB may act by a simplified written procedure initiated by the chair under which the relevant decision shall be deemed approved within the timeframe set by the chair, except where a member objects.

13. The IICB may nominate an Executive Committee to assist it in its work, and delegate some of its tasks and powers to it. The IICB shall lay down the rules of procedure of the Executive Committee, including its tasks and powers, and the terms of office of its members.

Article 10 - Tasks of the IICB

When exercising its responsibilities, the IICB shall in particular:

(a) review any reports requested from CERT-EU on the state of implementation of this Regulation by the Union institutions, bodies and agencies;

(b) approve, on the basis of a proposal from the Head of CERT-EU, the annual work programme for CERT-EU and monitor its implementation;

(c) approve, on the basis of a proposal from the Head of CERT-EU, CERT-EU’s service catalogue;

(d) approve, on the basis of a proposal submitted by the Head of CERT-EU, the annual financial planning of revenue and expenditure, including staffing, for CERT-EU activities;

(e) approve, on the basis of a proposal from the Head of CERT-EU, the modalities for service level agreements;

(f) examine and approve the annual report drawn up by the Head of CERT-EU covering the activities of, and management of funds by, CERT-EU;

(g) approve and monitor key performance indicators for CERT-EU defined on a proposal by the Head of CERT-EU;

(h) approve cooperation arrangements, service level arrangements or contracts between CERT-EU and other entities pursuant to Article 17;

(i) establish as many technical advisory groups as necessary to assist the IICB’s work, approve their terms of reference and designate their respective chairs.

Article 11 - Compliance

The IICB shall monitor the implementation of this Regulation and of adopted guidance documents, recommendations and calls for action by the Union institutions, bodies and agencies. Where the IICB finds that Union institutions, bodies or agencies have not effectively applied or implemented this Regulation or guidance documents, recommendations and calls for action issued under this Regulation, it may, without prejudice to the internal procedures of the relevant Union institution, body or agency:

(a) issue a warning; where necessary in view of a compelling cybersecurity risk, the audience of the warning shall be restricted appropriately;

(b) recommend a relevant audit service to carry out an audit.

Chapter IV
CERT-EU

Article 12 - CERT-EU mission and tasks

1. The mission of CERT-EU, the autonomous interinstitutional Cybersecurity Centre for all Union institutions, bodies and agencies, shall be to contribute to the security of the unclassified IT environment of all Union institutions, bodies and agencies by advising them on cybersecurity, by helping them to prevent, detect, mitigate and respond to incidents and by acting as their cybersecurity information exchange and incident response coordination hub.

2. CERT-EU shall perform the following tasks for the Union institutions, bodies and agencies:

(a) support them with the implementation of this Regulation and contribute to the coordination of the application of this Regulation through the measures listed in Article 13(1) or through ad-hoc reports requested by the IICB;

(b) support them with a package of cybersecurity services described in its service catalogue (‘baseline services’);

(c) maintain a network of peers and partners to support the services as outlined in Articles 16 and 17;

(d) raise to the attention of the IICB any issue relating to the implementation of this Regulation and of the implementation of the guidance documents, recommendations and calls for action;

(e) report on the cyber threats faced by the Union institutions, bodies and agencies and contribute to the EU cyber situational awareness.

3. CERT-EU shall contribute to the Joint Cyber Unit, built in accordance with the Commission Recommendation of 23 June 2021, including in the following areas:

(a) preparedness, incident coordination, information exchange and crisis response at the technical level on cases linked to Union institutions, bodies and agencies;

(b) operational cooperation regarding the computer security incident response teams (CSIRTs) network, including on mutual assistance, and the broader cybersecurity community;

(c) cyber threat intelligence, including situational awareness;

(d) any topic requiring CERT-EU’s technical cybersecurity expertise.

4. CERT-EU shall engage in structured cooperation with the European Union Agency for Cybersecurity on capacity building, operational cooperation and long-term strategic analyses of cyber threats in accordance with Regulation (EU) 2019/881 of the European Parliament and of the Council.

5. CERT-EU may provide the following services not described in its service catalogue (‘chargeable services’):

(a) services that support the cybersecurity of Union institutions, bodies and agencies’ IT environment, other than those referred to in paragraph 2, on the basis of service level agreements and subject to available resources;

(b) services that support cybersecurity operations or projects of Union institutions, bodies and agencies, other than those to protect their IT environment, on the basis of written agreements and with the prior approval of the IICB;

(c) services that support the security of their IT environment to organisations other than the Union institutions, bodies and agencies that cooperate closely with Union institutions, bodies and agencies, for instance by having assigned tasks or responsibilities under Union law, on the basis of written agreements and with the prior approval of the IICB.

6. CERT-EU may organise cybersecurity exercises or recommend participation in existing exercises, in close cooperation with the European Union Agency for Cybersecurity whenever applicable, to test the level of cybersecurity of the Union institutions, bodies and agencies.

7. CERT-EU may provide assistance to Union institutions, bodies and agencies regarding incidents in classified IT environments if it is explicitly requested to do so by the constituent concerned.

Article 13 - Guidance documents, recommendations and calls for action

1. CERT-EU shall support the implementation of this Regulation by issuing:

(a) calls for action describing urgent security measures that Union institutions, bodies and agencies are urged to take within a set timeframe;

(b) proposals to the IICB for guidance documents addressed to all or a subset of the Union institutions, bodies and agencies;

(c) proposals to the IICB for recommendations addressed to individual Union institutions, bodies and agencies.

2. Guidance documents and recommendations may include:

(a) modalities for or improvements to cybersecurity risk management and the cybersecurity baseline;

(b) modalities for maturity assessments and cybersecurity plans; and

(c) where appropriate, the use of common technology, architecture and associated best practices with the aim of achieving interoperability and common standards within the meaning of Article 4(10) of Directive [proposal NIS 2].

3. The IICB may adopt guidance documents or recommendations on proposal of CERT-EU.

4. The IICB may instruct CERT-EU to issue, withdraw or modify a proposal for guidance documents or recommendations, or a call for action.

Article 14 - Head of CERT-EU

The Head of CERT-EU shall regularly submit reports to the IICB and the IICB Chair on the performance of CERT-EU, financial planning, revenue, implementation of the budget, service level agreements and written agreements entered into, cooperation with counterparts and partners, and missions undertaken by staff, including the reports referred to in Article 10(1).

Article 15 - Financial and staffing matters

1. The Commission, after having obtained the unanimous approval of the IICB, shall appoint the Head of CERT-EU. The IICB shall be consulted at all stages of the procedure prior to the appointment of the Head of CERT-EU, in particular in drafting vacancy notices, examining applications and appointing selection boards in relation to this post.

2. For the application of administrative and financial procedures, the Head of CERT-EU shall act under the authority of the Commission.

3. CERT-EU tasks and activities, including services provided by CERT-EU pursuant to Article 12(2), (3), (4), (6), and Article 13(1) to Union institutions, bodies and agencies financed from the heading of the multiannual financial framework dedicated to European public administration, shall be funded through a distinct budget line of the Commission budget. CERT-EU earmarked posts shall be detailed in a footnote to the Commission establishment plan.

4. Union institutions, bodies and agencies other than those referred to in paragraph 3 shall make an annual financial contribution to CERT-EU to cover the services provided by CERT-EU pursuant to that paragraph 3. The respective contributions shall be based on orientations given by the IICB and agreed between each entity and CERT-EU in service level agreements. The contributions shall represent a fair and proportionate share of the total costs of services provided. They shall be received by the distinct budget line referred to in paragraph 3 as assigned revenue as provided for in Article 21(3), point (c) of Regulation (EU, Euratom) 2018/1046 of the European Parliament and of the Council.

5. The costs of the tasks defined in Article 12(5) shall be recovered from the Union institutions, bodies and agencies receiving the CERT-EU services. The revenues shall be assigned to the budget lines supporting the costs.

Article 16 - Cooperation of CERT-EU with Member State counterparts

1. CERT-EU shall cooperate and exchange information with national counterparts in the Member States, including CERTs, National Cybersecurity Centres, CSIRTs, and single points of contact referred to in Article 8 of Directive [proposal NIS 2], on cyber threats, vulnerabilities and incidents, on possible countermeasures and on all matters relevant for improving the protection of the IT environments of Union institutions, bodies and agencies, including through the CSIRTs network referred to in Article 13 of Directive [proposal NIS 2].

2. CERT-EU may exchange incident-specific information with national counterparts in the Member States to facilitate detection of similar cyber threats or incidents without the consent of the affected constituent. CERT-EU may only exchange incident-specific information which reveals the identity of the target of the cybersecurity incident with the consent of the affected constituent.

Article 17 - Cooperation of CERT-EU with non-Member State counterparts

1. CERT-EU may cooperate with non-Member State counterparts including industry sector-specific counterparts on tools and methods, such as techniques, tactics, procedures and best practices, and on cyber threats and vulnerabilities. For all cooperation with such counterparts, including in frameworks where non-EU counterparts cooperate with national counterparts of Member States, CERT-EU shall seek prior approval from the IICB.

2. CERT-EU may cooperate with other partners, such as commercial entities, international organisations, non-European Union national entities or individual experts, to gather information on general and specific cyber threats, vulnerabilities and possible countermeasures. For wider cooperation with such partners, CERT-EU shall seek prior approval from the IICB.

3. CERT-EU may, with the consent of the constituent affected by an incident, provide information related to the incident to partners that can contribute to its analysis.

Chapter V
COOPERATION AND REPORTING OBLIGATIONS

Article 18 - Information handling

1. CERT-EU and Union institutions, bodies and agencies shall respect the obligation of professional secrecy in accordance with Article 339 of the Treaty on the Functioning of the European Union or equivalent applicable frameworks.

2. The provisions of Regulation (EC) No 1049/2001 of the European Parliament and the Council shall apply with regard to requests for public access to documents held by CERT-EU, including the obligation under that Regulation to consult other Union institutions, bodies and agencies whenever a request concerns their documents.

3. The processing of personal data carried out under this Regulation shall be subject to Regulation (EU) 2018/1725 of the European Parliament and of the Council.

4. The handling of information by CERT-EU and its Union institutions, bodies and agencies shall be in line with the rules laid down in [proposed Regulation on information security].

5. Any contacts with CERT-EU initiated or sought by national security and intelligence services shall be communicated to the Commission’s Security Directorate and the chair of the IICB without undue delay.

Article 19 - Sharing obligations

1. To enable CERT-EU to coordinate vulnerability management and incident response, it may request Union institutions, bodies and agencies to provide it with information from their respective IT system inventories that is relevant for the CERT-EU support. The requested institution, body or agency shall transmit the requested information, and any subsequent updates thereto, without undue delay.

2. The Union institutions, bodies and agencies, upon request from CERT-EU and without undue delay, shall provide it with digital information created by the use of electronic devices involved in their respective incidents. CERT-EU may further clarify which types of such digital information it requires for situational awareness and incident response.

3. CERT-EU may only exchange incident-specific information which reveals the identity of the Union institution, body or agency affected by the incident with the consent of that entity. CERT-EU may only exchange incident-specific information which reveals the identity of the target of the cybersecurity incident with the consent of the entity affected by the incident.

4. The sharing obligations shall not extend to EU Classified Information (EUCI) and to information that a Union institution, body or agency has received from a Member State Security or Intelligence Service or law enforcement agency under the explicit condition that it will not be shared with CERT-EU.

Article 20 - Notification obligations

1. All Union institutions, bodies and agencies shall make an initial notification to CERT-EU of significant cyber threats, significant vulnerabilities and significant incidents without undue delay and in any event no later than 24 hours after becoming aware of them.

In duly justified cases and in agreement with CERT-EU, the Union institution, body or agency concerned can deviate from the deadline laid down in the previous paragraph.

2. The Union institutions, bodies and agencies shall further notify to CERT-EU without undue delay appropriate technical details of cyber threats, vulnerabilities and incidents that enable detection, incident response or mitigating measures. The notification shall include if available:

(a) relevant indicators of compromise;

(b) relevant detection mechanisms;

(c) potential impact;

(d) relevant mitigating measures.

3. CERT-EU shall submit to ENISA on a monthly basis a summary report including anonymised and aggregated data on significant cyber threats, significant vulnerabilities and significant incidents notified in accordance with paragraph 1.

4. The IICB may issue guidance documents or recommendations concerning the modalities and content of the notification. CERT-EU shall disseminate the appropriate technical details to enable proactive detection, incident response or mitigating measures by Union institutions, bodies and agencies.

5. The notification obligations shall not extend to EUCI and to information that a Union institution, body or agency has received from a Member State Security or Intelligence Service or law enforcement agency under the explicit condition that it will not be shared with CERT-EU.

Article 21 - Incident response coordination and cooperation on significant incidents

1. In acting as a cybersecurity information exchange and incident response coordination hub, CERT-EU shall facilitate information exchange with regards to cyber threats, vulnerabilities and incidents among:

(a) Union institutions, bodies and agencies;

(b) the counterparts referred to in Articles 16 and 17.

2. CERT-EU shall facilitate coordination among Union institutions, bodies and agencies on incident response, including:

(a) contribution to consistent external communication;

(b) mutual assistance;

(c) optimal use of operational resources;

(d) coordination with other crisis response mechanisms at Union level.

3. CERT-EU shall support Union institutions, bodies and agencies regarding situational awareness of cyber threats, vulnerabilities and incidents.

4. The IICB shall issue guidance on incident response coordination and cooperation for significant incidents. Where the criminal nature of an incident is suspected, CERT-EU shall advise on how to report the incident to law enforcement authorities.

Article 22 - Major attacks

1. CERT-EU shall coordinate among Union institutions, bodies and agencies responses to major attacks. It shall maintain an inventory of technical expertise that would be needed for incident response in the event of such attacks.

2. The Union institutions, bodies and agencies shall contribute to the inventory of technical expertise by providing an annually updated list of experts available within their respective organisations detailing their specific technical skills.

3. With the approval of the concerned Union institutions, bodies and agencies, CERT-EU may also call on experts from the list referred to in paragraph 2 for contributing to the response to a major attack in a Member State, in line with the Joint Cyber Unit’s operating procedures.

Chapter VI
FINAL PROVISIONS

Article 23 - Initial budgetary reallocation

The Commission shall propose the reallocation of staff and financial resources from relevant Union institutions, bodies and agencies to the Commission budget. The reallocation shall be effective at the same time as the first budget adopted following the entry into force of this Regulation.

Article 24 - Review

1. The IICB, with the assistance of CERT-EU, shall periodically report to the Commission on the implementation of this Regulation. The IICB may also make recommendations to the Commission to propose amendments to this Regulation.

2. The Commission shall report on the implementation of this Regulation to the European Parliament and the Council at the latest 48 months after the entry into force of this Regulation and every three years thereafter.

3. The Commission shall evaluate the functioning of this Regulation and report to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions no sooner than five years after the date of entry into force.

Article 25 - Entry into force

This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.

This Regulation shall be binding in its entirety and directly applicable in all Member States.