Regulation 2023/2841 - Measures for a high common level of cybersecurity at the institutions, bodies, offices and agencies of the Union - Main contents
Official title
Regulation (EU, Euratom) 2023/2841 of the European Parliament and of the Council of 13 December 2023 laying down measures for a high common level of cybersecurity at the institutions, bodies, offices and agencies of the Union

Legal instrument | Regulation |
---|---|
Number legal act | Regulation 2023/2841 |
Original proposal | COM(2022)122 |
CELEX number | 32023R2841 |

Document | 13-12-2023; Date of signature |
---|---|
Signature | 13-12-2023 |
Effect | 07-01-2024; Entry into force (Date pub. +20); See Art 26 |
Deadline | 08-01-2025 (See Art 25.1); 08-01-2027 (Review, See Art 25.2); 08-01-2029 (See Art 25.3) |
End of validity | 31-12-9999 |
Official Journal of the European Union | EN Series L | 2023/2841 | 18.12.2023 |
REGULATION (EU, Euratom) 2023/2841 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL
of 13 December 2023
laying down measures for a high common level of cybersecurity at the institutions, bodies, offices and agencies of the Union
THE EUROPEAN PARLIAMENT AND THE COUNCIL OF THE EUROPEAN UNION,
Having regard to the Treaty on the Functioning of the European Union, and in particular Article 298 thereof,
Having regard to the Treaty establishing the European Atomic Energy Community, and in particular Article 106a thereof,
Having regard to the proposal from the European Commission,
After transmission of the draft legislative act to the national parliaments,
Acting in accordance with the ordinary legislative procedure (1),
Whereas:
(1) In the digital age, information and communication technology is a cornerstone of an open, efficient and independent European administration. Evolving technology and the increased complexity and interconnectedness of digital systems amplify cybersecurity risks, making Union entities more vulnerable to cyber threats and incidents, which poses a threat to their business continuity and capacity to secure their data. While the increased use of cloud services, the ubiquitous use of information and communication technology (ICT), the high level of digitalisation, remote work and evolving technology and connectivity are core features of all activities of Union entities, digital resilience is not yet sufficiently built in.
(2) The cyber threat landscape faced by Union entities is in constant evolution. The tactics, techniques and procedures employed by threat actors are constantly evolving, while the prominent motives for such attacks change little, from stealing valuable undisclosed information to making money, manipulating public opinion or undermining digital infrastructure. The pace at which threat actors conduct their cyberattacks keeps increasing, while their campaigns are increasingly sophisticated and automated, targeting exposed attack surfaces that keep expanding and quickly exploiting vulnerabilities.
(3) Union entities’ ICT environments have interdependencies and integrated data flows, and their users collaborate closely. That interconnection means that any disruption, even when initially confined to a single Union entity, can have cascading effects more broadly, potentially resulting in far-reaching and long-lasting negative impacts on other Union entities. In addition, certain Union entities’ ICT environments are connected with Member States’ ICT environments, causing an incident in a Union entity to pose a cybersecurity risk to the Member States’ ICT environments and vice versa. The sharing of incident-specific information may facilitate the detection of similar cyber threats or incidents affecting Member States.
(4) Union entities are attractive targets that face highly skilled and well-resourced threat actors as well as other threats. At the same time, the level and maturity of cyber resilience and the ability to detect and respond to malicious cyber activities vary significantly across those entities. It is thus necessary for the functioning of the Union entities that they achieve a high common level of cybersecurity through the implementation of cybersecurity measures commensurate with identified cybersecurity risks, information exchange and collaboration.
(5) Directive (EU) 2022/2555 of the European Parliament and of the Council (2) aims to further improve the cyber resilience and incident response capacities of public and private entities, competent authorities and bodies as well as the Union as a whole. It is therefore necessary to ensure that Union entities follow suit by providing for rules that are consistent with Directive...
This text has been adopted from EUR-Lex.