In the digital age, information and communication technology is a cornerstone of an open, efficient and independent European administration. Evolving technology and the increased complexity and interconnectedness of digital systems amplify cybersecurity risks, making Union entities more vulnerable to cyber threats and incidents, which poses a threat to their business continuity and capacity to secure their data. While the increased use of cloud services, the ubiquitous use of information and communication technology (ICT), the high level of digitalisation, remote work and evolving technology and connectivity are core features of all activities of Union entities, digital resilience is not yet sufficiently built in.
(2)
The cyber threat landscape faced by Union entities is in constant evolution. The tactics, techniques and procedures employed by threat actors are constantly evolving, while the prominent motives for such attacks change little, from stealing valuable undisclosed information to making money, manipulating public opinion or undermining digital infrastructure. The pace at which threat actors conduct their cyberattacks keeps increasing, while their campaigns are increasingly sophisticated and automated, targeting exposed attack surfaces that keep expanding and quickly exploiting vulnerabilities.
(3)
Union entities’ ICT environments have interdependencies and integrated data flows, and their users collaborate closely. That interconnection means that any disruption, even when initially confined to a single Union entity, can have cascading effects more broadly, potentially resulting in far-reaching and long-lasting negative impacts on other Union entities. In addition, certain Union entities’ ICT environments are connected with Member States’ ICT environments, causing an incident in a Union entity to pose a cybersecurity risk to the Member States’ ICT environments and vice versa. The sharing of incident-specific information may facilitate the detection of similar cyber threats or incidents affecting Member States.
(4)
Union entities are attractive targets that face highly skilled and well-resourced threat actors as well as other threats. At the same time, the level and maturity of cyber resilience and the ability to detect and respond to malicious cyber activities vary significantly across those entities. It is thus necessary for the functioning of the Union entities that they achieve a high common level of cybersecurity through the implementation of cybersecurity measures commensurate with identified cybersecurity risks, information exchange and collaboration.
(5)
Directive (EU) 2022/2555 of the European Parliament and of the Council (2) aims to further improve the cyber resilience and incident response capacities of public and private entities, competent authorities and bodies as well as the Union as a whole. It is therefore necessary to ensure that Union entities follow suit by providing for rules that are consistent with Directive (EU) 2022/2555 and mirror its level of ambition.
(6)
To reach a high common level of cybersecurity, it is necessary that each Union entity establish an internal cybersecurity risk-management, governance and control framework (the ‘Framework’), which ensures an effective and prudent management of all cybersecurity risks, and takes account of business continuity and crisis management. The Framework should establish cybersecurity policies, including objectives and priorities, for the security of network and information systems encompassing the entirety of the unclassified ICT environment. The Framework should be based on an all-hazards approach which aims to protect network and information systems and the physical environment of those systems from events such as theft, fire, flooding, telecommunication or power failures, or unauthorised physical access and damage to, and interference with, a Union entity’s information and information-processing facilities, which could compromise the availability, authenticity, integrity or confidentiality of data stored, transmitted, processed or accessible via network and information systems.
(7)
To manage the cybersecurity risks identified under the Framework, each Union entity should take appropriate and proportionate technical, operational and organisational measures. Those measures should address the domains and cybersecurity risk-management measures provided for in this Regulation to strengthen the cybersecurity of each Union entity.
(8)
The assets and cybersecurity risks identified in the Framework as well as conclusions derived from regular cybersecurity maturity assessments should be reflected in a cybersecurity plan established by each Union entity. The cybersecurity plan should include the adopted cybersecurity risk-management measures.
(9)
As ensuring cybersecurity is a continuous process, the suitability and effectiveness of the measures taken pursuant to this Regulation should be regularly revised in light of the changing cybersecurity risks, assets and cybersecurity maturity of the Union entities. The Framework should be reviewed on a regular basis and at least every four years, while the cybersecurity plan should be revised every two years, or more frequently where necessary, following the cybersecurity maturity assessments or any substantial review of the Framework.
(10)
The cybersecurity risk-management measures put in place by Union entities should include policies aiming, where possible, to render the source code transparent, taking into account safeguards for the rights of third parties or Union entities. Those policies should be proportionate to the cybersecurity risk and are intended to facilitate the analysis of cyber threats, while not creating obligations to disclose or rights to access third-party code beyond the applicable contractual terms.
(11)
Open-source cybersecurity tools and applications can contribute to a higher degree of openness. Open standards facilitate interoperability between security tools, benefitting the security of stakeholders. Open-source cybersecurity tools and applications can leverage the wider developer community, enabling diversification of suppliers. Open source can lead to a more transparent verification process of cybersecurity related tools and a community-driven process of discovering vulnerabilities. Union entities should therefore be able to promote the use of open-source software and open standards by pursuing policies relating to the use of open data and open source as part of security through transparency.
(12)
The differences between Union entities require flexibility in the implementation of this Regulation. The measures for a high common level of cybersecurity provided for in this Regulation should not include any obligations directly interfering with the exercise of the missions of Union entities or encroaching on their institutional autonomy. Therefore, those entities should establish their own Frameworks and should adopt their own cybersecurity risk-management measures and cybersecurity plans. When implementing such measures, due account should be taken of existing synergies between Union entities, with the aim of proper management of resources and cost optimisation. Due account should also be taken that the measures do not negatively affect efficient information exchange and cooperation among Union entities and between Union entities and Member State counterparts.
(13)
In the interest of optimising the use of resources, this Regulation should provide for the possibility for two or more Union entities with similar structures to cooperate in carrying out the cybersecurity maturity assessments for their respective entities.
(14)
In order to avoid imposing a disproportionate financial and administrative burden on Union entities, the cybersecurity risk-management requirements should be proportionate to the cybersecurity risk posed to the network and information systems concerned, taking into account the state of the art of such measures. Each Union entity should aim to allocate an adequate percentage of its ICT budget to improve its level of cybersecurity. In the longer term an indicative target in the order of at least 10 % should be pursued. The cybersecurity maturity assessment should evaluate whether the Union entity’s cybersecurity spending is proportionate to the cybersecurity risks that it faces. Without prejudice to the rules relating to the Union’s annual budget under the Treaties, in its proposal for the first annual budget to be adopted after the entry into force of this Regulation the Commission should take into account the obligations arising from this Regulation when assessing the budgeting and staffing needs of the Union entities as resulting from their estimates of expenditures.
(15)
A high common level of cybersecurity requires cybersecurity to come under the oversight of the highest level of management of each Union entity. The Union entity’s highest level of management should be responsible for the implementation of this Regulation, including for the establishment of the Framework, the taking of the cybersecurity risk-management measures and the approval of the cybersecurity plan. Addressing the cybersecurity culture, namely the daily practice of cybersecurity, is an integral part of the Framework and the corresponding cybersecurity risk-management measures in all Union entities.
(16)
The security of network and information systems handling EU classified information (EUCI) is essential. Union entities that handle EUCI are required to apply the comprehensive regulatory frameworks in place for protecting such information, including specific governance, policies and risk-management procedures. It is necessary for network and information systems handling EUCI to comply with more stringent security standards than unclassified network and information systems. Therefore, network and information systems handling EUCI are more resilient to cyber threats and incidents. Consequently, while recognising the need for a common framework in this regard, this Regulation should not apply to network and information systems handling EUCI. However, if explicitly requested to do so by a Union entity, the Computer Emergency Response Team for the EU institutions, bodies and agencies (CERT-EU) should be able to provide assistance to that Union entity in relation to incidents in classified ICT environments.
(17)
Union entities should assess cybersecurity risks related to relationships with suppliers and service providers, including providers of data storage and processing services or managed security services, and take appropriate measures to address them. Cybersecurity measures should be further specified in guidelines or recommendations issued by CERT-EU. When establishing measures and guidelines, due account should be taken of the state of the art and, where applicable, relevant European and international standards, as well as relevant Union law and policies, including cybersecurity risk assessments and recommendations issued by the Cooperation Group established pursuant to Article 14 of Directive (EU) 2022/2555, such as the EU coordinated risk assessment of the cybersecurity of 5G networks and the EU toolbox on 5G cybersecurity. In addition, taking into account the cyber threat landscape and the importance of building up cyber resilience for the Union entities, the certification of relevant ICT products, ICT services and ICT processes could be required under specific European cybersecurity certification schemes adopted pursuant to Article 49 of Regulation (EU) 2019/881 of the European Parliament and of the Council (3).
(18)
In May 2011, the Secretaries-General of the Union institutions and bodies decided to establish a pre-configuration team for CERT-EU, supervised by an inter-institutional Steering Board. In July 2012, the Secretaries-General confirmed the practical arrangements and agreed to maintain CERT-EU as a permanent entity to continue to help improve the overall level of information technology security of the Union’s institutions, bodies and agencies as an example of visible inter-institutional cooperation in cybersecurity. In September 2012, CERT-EU was established as a Commission Taskforce with an interinstitutional mandate. In December 2017, the Union institutions and bodies concluded an Interinstitutional arrangement on the organisation and operation of CERT-EU (4). This Regulation should provide for a comprehensive set of rules on the organisation, functioning and operation of CERT-EU. The provisions of this Regulation prevail over the provisions of the Interinstitutional arrangement on the organisation and operation of CERT-EU that was concluded in December 2017.
(19)
CERT-EU should be renamed Cybersecurity Service for the Union institutions, bodies, offices and agencies, but it should keep the short name CERT-EU because of name recognition.
(20)
In addition to giving CERT-EU more tasks and an expanded role, this Regulation establishes the Interinstitutional Cybersecurity Board (IICB) in order to facilitate a high common level of cybersecurity among Union entities. The IICB should have an exclusive role in monitoring and supporting the implementation of this Regulation by the Union entities and in supervising the implementation of general priorities and objectives of, and providing strategic direction to, CERT-EU. The IICB should therefore ensure representation of the Union institutions and should include representatives of bodies, offices and agencies of the Union through the EU Agencies Network (EUAN). The organisation and functioning of the IICB should be further regulated by means of internal rules of procedure, which may include further specification of regular meetings of the IICB, including annual gatherings at political level, at which representatives of the highest level of management of each member of the IICB would allow the IICB to hold strategic discussions and would provide strategic guidance to the IICB. Furthermore, the IICB should be able to establish an executive committee to assist in its work and to delegate some of its tasks and powers to it, in particular in terms of tasks that require specific expertise of its members, for instance the approval of the service catalogue and any subsequent updates to it, arrangements for service level agreements, assessments of documents and reports submitted by the Union entities to the IICB pursuant to this Regulation or tasks related to the preparation of decisions on compliance measures issued by the IICB and to monitoring their implementation. The IICB should lay down the rules of procedure of the executive committee, including its tasks and powers.
(21)
The IICB aims to support Union entities in elevating their respective cybersecurity postures through the implementation of this Regulation. In order to support Union entities, the IICB should provide guidance to the Head of CERT-EU, adopt a multiannual strategy on raising the level of cybersecurity in the Union entities, establish the methodology for and other aspects of voluntary peer reviews, and facilitate the establishment of an informal group of local cybersecurity officers, supported by the European Union Agency for Cybersecurity (ENISA), with the aim of exchanging best practices and information in relation to the implementation of this Regulation.
(22)
In order to achieve a high level of cybersecurity in all Union entities, the interests of the bodies, offices and agencies of the Union that run their own ICT environment should be represented on the IICB by three representatives designated by the EUAN. The security of personal data processing, and therefore also the cybersecurity thereof, is a cornerstone of data protection. In light of the synergies between data protection and cybersecurity, the European Data Protection Supervisor should be represented on the IICB in its capacity as a Union entity subject to this Regulation, with specific expertise in the area of data protection, including security of electronic communications networks. Considering the importance of innovation and competitiveness in cybersecurity, the European Cybersecurity Industrial, Technology and Research Competence Centre should be represented on the IICB. In view of ENISA’s role as a centre of expertise in cybersecurity, and the support that ENISA provides, and in view of the importance of cybersecurity of Union space infrastructure and services, ENISA and the European Union Agency for the Space Programme should be represented on the IICB. In light of the role assigned to CERT-EU under this Regulation, the Head of CERT-EU should be invited by the Chair of the IICB to all of the IICB’s meetings, except when the IICB discusses matters relating directly to the Head of CERT-EU.
(23)
The IICB should monitor compliance with this Regulation as well as the implementation of guidelines and recommendations, and calls for action. The IICB should be supported on technical matters by technical advisory groups composed as the IICB sees fit. Those technical advisory groups should work in close cooperation with CERT-EU, the Union entities and other stakeholders as necessary.
(24)
Where the IICB finds that a Union entity has not effectively implemented this Regulation or the guidelines, recommendations or calls for action issued pursuant thereto, the IICB should be able, without prejudice to the internal procedures of the Union entity concerned, to proceed with compliance measures. The IICB should apply compliance measures progressively – in other words, the IICB should first adopt the least severe measure, namely a reasoned opinion, and only if necessary increasingly severe measures, culminating in the most severe measure, namely a recommendation of a temporary suspension of data flows to the Union entity concerned. Such a recommendation should be applied only in exceptional cases of long-term, deliberate, repetitive or serious infringements of this Regulation by the Union entity concerned.
(25)
The reasoned opinion represents the least severe compliance measure addressing observed gaps in the implementation of this Regulation. The IICB should be able to follow up a reasoned opinion with guidance to assist the Union entity in ensuring that its Framework, cybersecurity risk-management measures, cybersecurity plan and reporting comply with this Regulation, and then by a warning to address identified shortcomings of the Union entity within a specified period. If the shortcomings identified in the warning have not been sufficiently addressed, the IICB should be able to issue a reasoned notification.
(26)
The IICB should be able to recommend that an audit of a Union entity be carried out. The Union entity should be able to use its internal audit function for that purpose. The IICB should also be able to request that an audit be performed by a third-party audit service, including from a mutually agreed private-sector service provider.
(27)
In exceptional cases of long-term, deliberate, repetitive or serious infringements of this Regulation by a Union entity, the IICB should be able to recommend, as a last resort, to all Member States and Union entities, a temporary suspension of data flows to the Union entity, to be effective until the Union entity has brought the infringement to an end. Such a recommendation should be communicated by means of appropriate and secure communication channels.
(28)
To ensure the correct implementation of this Regulation, the IICB should, if it considers that a persistent infringement of this Regulation by a Union entity has been caused directly by the actions or omissions of a member of its staff, including at the highest level of management, request the Union entity concerned to take appropriate action, including requesting it to consider taking action of a disciplinary nature, in accordance with the rules and procedures laid down in the Staff Regulations of Officials of the European Union and the Conditions of Employment of Other Servants of the Union, laid down in Council Regulation (EEC, Euratom, ECSC) No 259/68 (5) (the ‘Staff Regulations’) and any other applicable rules and procedures.
(29)
CERT-EU should contribute to the security of the ICT environment of all Union entities. When considering whether to provide technical advice or input on relevant policy matters upon the request of a Union entity, CERT-EU should ensure that this is no obstacle to carrying out the other tasks conferred on it pursuant to this Regulation. CERT-EU should act on the part of Union entities as the equivalent of the coordinator designated for the purposes of coordinated vulnerability disclosure pursuant to Article 12(1) of Directive (EU) 2022/2555.
(30)
CERT-EU should support the implementation of measures for a high common level of cybersecurity by means of proposals for guidelines and recommendations to the IICB or by issuing calls for action. Such guidelines and recommendations should be approved by the IICB. When needed, CERT-EU should issue calls for action describing urgent security measures which Union entities are urged to take within a set timeframe. The IICB should instruct CERT-EU to issue, withdraw or modify a proposal for guidelines or for a recommendation, or a call for action.
(31)
CERT-EU should also fulfil the role provided for it in Directive (EU) 2022/2555 concerning cooperation and information exchange with the computer security incident response teams (CSIRTs) network established pursuant to Article 15 of that Directive. Moreover, in line with Commission Recommendation (EU) 2017/1584 (6), CERT-EU should cooperate and coordinate a response with the relevant stakeholders. In order to contribute to a high level of cybersecurity across the Union, CERT-EU should share incident-specific information with Member State counterparts. CERT-EU should also collaborate with other public as well as private counterparts, including the North Atlantic Treaty Organization, subject to prior approval by the IICB.
(32)
In supporting operational cybersecurity, CERT-EU should make use of the available expertise of ENISA through structured cooperation as provided for in Regulation (EU) 2019/881. Where appropriate, dedicated arrangements between the two entities should be established to define the practical implementation of such cooperation and to avoid the duplication of activities. CERT-EU should cooperate with ENISA on cyber threat analysis and share its threat landscape report with ENISA on a regular basis.
(33)
CERT-EU should be able to cooperate and exchange information with relevant cybersecurity communities within the Union and its Member States to foster operational cooperation and to enable the existing networks in realising their full potential in protecting the Union.
(34)
As the services and tasks of CERT-EU are in the interest of Union entities, each Union entity with ICT expenditure should contribute a fair share to those services and tasks. Those contributions are without prejudice to the budgetary autonomy of the Union entities.
(35)
Many cyberattacks are part of wider campaigns that target groups of Union entities or communities of interest that include Union entities. To enable proactive detection, incident response or mitigating measures and recovery from incidents, Union entities should be able to notify CERT-EU of incidents, cyber threats, vulnerabilities and near misses and share appropriate technical details that enable detection or mitigation of, as well as response to, similar incidents, cyber threats, vulnerabilities and near misses in other Union entities. Following the same approach as in Directive (EU) 2022/2555, Union entities should be required to submit an early warning to CERT-EU within 24 hours of becoming aware of a significant incident. Such information exchange should enable CERT-EU to disseminate the information to other Union entities, as well as to appropriate counterparts, to help protect the Union entities’ ICT environments and the Union entities’ counterparts’ ICT environments against similar incidents.
(36)
This Regulation lays down a multiple-stage approach to the reporting of significant incidents in order to strike the right balance between, on the one hand, swift reporting that helps mitigate the potential spread of significant incidents and allows Union entities to seek assistance and, on the other, in-depth reporting that draws valuable lessons from individual incidents and improves over time the cyber resilience of individual Union entities and contributes to increasing their overall cybersecurity posture. In that regard, this Regulation should include the reporting of incidents that, on the basis of an initial assessment carried out by the Union entity concerned, could cause severe operational disruption to the functioning of, or financial loss to, the Union entity concerned, or affect other natural or legal persons by causing considerable material or non-material damage. Such initial assessment should take into account, inter alia, the network and information systems affected, in particular their importance for the functioning of the Union entity, the severity and technical characteristics of a cyber threat and any underlying vulnerabilities that are being exploited as well as the Union entity’s experience with similar incidents. Indicators such as the extent to which the functioning of the Union entity is affected, the duration of an incident or the number of affected natural or legal persons could play an important role in identifying whether the operational disruption is severe.
(37)
As the infrastructure and network and information systems of the relevant Union entity and the Member State where that Union entity is located are interconnected, it is crucial for that Member State to be informed without undue delay of a significant incident within that Union entity. To that end, the Union entity affected should inform any relevant Member State counterparts designated or established pursuant to Articles 8 and 10 of Directive (EU) 2022/2555 of the occurrence of a significant incident about which it is reporting to CERT-EU. Where CERT-EU becomes aware of a significant incident occurring within a Member State, it should notify any relevant counterpart in that Member State.
(38)
A mechanism to ensure effective exchange of information, coordination, and cooperation of the Union entities in the case of major incidents should be implemented, including a clear identification of the roles and responsibilities of the Union entities involved. The Commission representative in the IICB should, subject to the cyber crisis management plan, be the point of contact to facilitate the IICB’s sharing of relevant information in relation to major incidents with the European cyber crisis liaison organisation network (EU-CyCLONe), as a contribution to the shared situational awareness. The role of the Commission representative in the IICB as the point of contact should be without prejudice to the Commission’s separate and distinct role in EU-CyCLONe pursuant to Article 16(2) of Directive (EU) 2022/2555.
(39)
Regulation (EU) 2018/1725 of the European Parliament and of the Council (7) applies to any processing of personal data pursuant to this Regulation. The processing of personal data could take place in relation to measures adopted in the context of cybersecurity risk management, vulnerability and incident handling, information sharing about incidents, cyber threats and vulnerabilities, and incident response coordination and cooperation. Such measures could require the processing of certain categories of personal data, such as IP addresses, uniform resource locators (URLs), domain names, email addresses, organisational roles of the data subject, time stamps, email subjects or file names. All measures taken pursuant to this Regulation should comply with the data protection and privacy framework, and the Union entities, CERT-EU and, where relevant, the IICB, should take all relevant technical and organisational safeguards to ensure such compliance in an accountable manner.
(40)
This Regulation establishes the legal basis for the processing of personal data by Union entities, CERT-EU and, where relevant, the IICB, for the purpose of performing their tasks and fulfilling their obligations under this Regulation, in accordance with Article 5(1), point (b), of Regulation (EU) 2018/1725. CERT-EU may act as processor or controller depending on the task it performs pursuant to Regulation (EU) 2018/1725.
(41)
In certain cases, for the purpose of complying with their obligations under this Regulation to ensure a high level of cybersecurity and in particular in the context of vulnerability and incident handling, it may be necessary for Union entities and CERT-EU to process special categories of personal data as referred to in Article 10(1) of Regulation (EU) 2018/1725. This Regulation establishes the legal basis for the processing of special categories of personal data by Union entities and CERT-EU in accordance with Article 10(2), point (g), of Regulation (EU) 2018/1725. The processing of special categories of personal data under this Regulation should be strictly proportionate to the aim pursued. Subject to the conditions set out in Article 10(2), point (g), of that Regulation, the Union entities and CERT-EU should be able to process such data only to the extent necessary and where explicitly provided for in this Regulation. When processing special categories of personal data, the Union entities and CERT-EU should respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subjects.
(42)
Pursuant to Article 33 of Regulation (EU) 2018/1725, Union entities and CERT-EU should, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, implement appropriate technical and organisational measures to ensure an appropriate level of security of personal data, such as the provision of restricted access rights on a need-to-know basis, the application of audit trail principles, the adoption of chain of custody, the storage of data at rest in a controlled and auditable environment, standardised operational procedures and privacy preserving measures such as pseudonymisation or encryption. Those measures should not be implemented in a manner affecting the purposes of incident handling and integrity of evidence. Where a Union entity or CERT-EU transfers personal data related to an incident, including special categories of personal data, to a counterpart or partner for the purposes of this Regulation, such transfers should comply with Regulation (EU) 2018/1725. Where special categories of personal data are transferred to a third party, the Union entities and CERT-EU should ensure that the third party applies measures concerning the protection of personal data at a level equivalent to Regulation (EU) 2018/1725.
(43)
Personal data processed for the purposes of this Regulation should be retained only for as long as necessary in accordance with Regulation (EU) 2018/1725. Union entities and, where applicable, CERT-EU acting as a controller, should set retention periods which are limited to what is necessary to achieve the specified purposes. In particular in relation to personal data collected for incident handling, Union entities and CERT-EU should differentiate between personal data that are collected for the detection of a cyber threat in their ICT environments to prevent an incident and personal data that are collected for the mitigation of, response to and recovery from an incident. For the detection of a cyber threat, it is important to take into account the time that a threat actor can remain undetected in a system. For the mitigation of, response to and recovery from an incident, it is important to consider whether the personal data are necessary to trace and handle a recurrent incident or an incident of similar nature for which a correlation could be demonstrated.
(44)
The handling of information by Union entities and CERT-EU should comply with the applicable rules on information security. The inclusion of human resources security as a cybersecurity risk-management measure should also comply with the applicable rules.
(45)
For the purpose of sharing information, visible markings are used to indicate that sharing boundaries are to be applied by the recipients of information on the basis of, in particular, non-disclosure agreements, or informal non-disclosure agreements such as the traffic light protocol or other clear indications by the source. The traffic light protocol is to be understood as a means to provide information about any limitations with regard to the further spreading of information. It is used in almost all CSIRTs and in some information analysis and sharing centres.
(46)
This Regulation should be evaluated on a regular basis in light of future negotiations of multiannual financial frameworks, allowing for further decisions to be made with respect to the functioning and institutional role of CERT-EU, including the possible establishment of CERT-EU as a Union office.
(47)
The IICB, with the assistance of CERT-EU, should review and evaluate the implementation of this Regulation and should report its findings to the Commission. Building on this input, the Commission should report to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions. That report, with the input of the IICB, should evaluate the appropriateness of including network and information systems handling EUCI within the scope of this Regulation, in particular in the absence of information security rules common to Union entities.
(48)
In accordance with the principle of proportionality, it is necessary and appropriate for the achievement of the basic objective of achieving a high common level of cybersecurity within Union entities to lay down rules on cybersecurity for Union entities. This Regulation does not go beyond what is necessary in order to achieve the objective pursued, in accordance with Article 5(4) of the Treaty on European Union.
(49)
This Regulation reflects the fact that Union entities differ in size and capacity, including in terms of financial and human resources.
(50)
The European Data Protection Supervisor was consulted in accordance with Article 42(1) of Regulation (EU) 2018/1725 and delivered an opinion on 17 May 2022 (8),