Regulation (EU, Euratom) 2023/2841 of the European Parliament and of the Council of 13 December 2023 laying down measures for a high common level of cybersecurity at the institutions, bodies, offices and agencies of the Union

THE EUROPEAN PARLIAMENT AND THE COUNCIL OF THE EUROPEAN UNION,

Having regard to the Treaty on the Functioning of the European Union, and in particular Article 298 thereof,

Having regard to the Treaty establishing the European Atomic Energy Community, and in particular Article 106a thereof,

Having regard to the proposal from the European Commission,

After transmission of the draft legislative act to the national parliaments,

Acting in accordance with the ordinary legislative procedure (1),

Whereas:

(1) In the digital age, information and communication technology is a cornerstone of an open, efficient and independent European administration. Evolving technology and the increased complexity and interconnectedness of digital systems amplify cybersecurity risks, making Union entities more vulnerable to cyber threats and incidents, which poses a threat to their business continuity and capacity to secure their data. While the increased use of cloud services, the ubiquitous use of information and communication technology (ICT), the high level of digitalisation, remote work and evolving technology and connectivity are core features of all activities of Union entities, digital resilience is not yet sufficiently built in.

(2) The cyber threat landscape faced by Union entities is in constant evolution. The tactics, techniques and procedures employed by threat actors are constantly evolving, while the prominent motives for such attacks change little, from stealing valuable undisclosed information to making money, manipulating public opinion or undermining digital infrastructure. The pace at which threat actors conduct their cyberattacks keeps increasing, while their campaigns are increasingly sophisticated and automated, targeting exposed attack surfaces that keep expanding and quickly exploiting vulnerabilities.

(3) Union entities’ ICT environments have interdependencies and integrated data flows, and their users collaborate closely. That interconnection means that any disruption, even when initially confined to a single Union entity, can have cascading effects more broadly, potentially resulting in far-reaching and long-lasting negative impacts on other Union entities. In addition, certain Union entities’ ICT environments are connected with Member States’ ICT environments, causing an incident in a Union entity to pose a cybersecurity risk to the Member States’ ICT environments and vice versa. The sharing of incident-specific information may facilitate the detection of similar cyber threats or incidents affecting Member States.

(4) Union entities are attractive targets that face highly skilled and well-resourced threat actors as well as other threats. At the same time, the level and maturity of cyber resilience and the ability to detect and respond to malicious cyber activities vary significantly across those entities. It is thus necessary for the functioning of the Union entities that they achieve a high common level of cybersecurity through the implementation of cybersecurity measures commensurate with identified cybersecurity risks, information exchange and collaboration.

(5) Directive (EU) 2022/2555 of the European Parliament and of the Council (2) aims to further improve the cyber resilience and incident response capacities of public and private entities, competent authorities and bodies as well as the Union as a whole. It is therefore necessary to ensure that Union entities follow suit by providing for rules that are consistent with Directive (EU) 2022/2555 and mirror its level of ambition.

(6) To reach a high common level of cybersecurity, it is necessary that each Union entity establish an internal cybersecurity risk-management, governance and control framework (the ‘Framework’), which ensures an effective and prudent management of all cybersecurity risks, and takes account of business continuity and crisis management. The Framework should establish cybersecurity policies, including objectives and priorities, for the security of network and information systems encompassing the entirety of the unclassified ICT environment. The Framework should be based on an all-hazards approach which aims to protect network and information systems and the physical environment of those systems from events such as theft, fire, flooding, telecommunication or power failures, or unauthorised physical access and damage to, and interference with, a Union entity’s information and information-processing facilities, which could compromise the availability, authenticity, integrity or confidentiality of data stored, transmitted, processed or accessible via network and information systems.

(7) To manage the cybersecurity risks identified under the Framework, each Union entity should take appropriate and proportionate technical, operational and organisational measures. Those measures should address the domains and cybersecurity risk-management measures provided for in this Regulation to strengthen the cybersecurity of each Union entity.

(8) The assets and cybersecurity risks identified in the Framework as well as conclusions derived from regular cybersecurity maturity assessments should be reflected in a cybersecurity plan established by each Union entity. The cybersecurity plan should include the adopted cybersecurity risk-management measures.

(9) As ensuring cybersecurity is a continuous process, the suitability and effectiveness of the measures taken pursuant to this Regulation should be regularly revised in light of the changing cybersecurity risks, assets and cybersecurity maturity of the Union entities. The Framework should be reviewed on a regular basis and at least every four years, while the cybersecurity plan should be revised every two years, or more frequently where necessary, following the cybersecurity maturity assessments or any substantial review of the Framework.

(10) The cybersecurity risk-management measures put in place by Union entities should include policies aiming, where possible, to render the source code transparent, taking into account safeguards for the rights of third parties or Union entities. Those policies should be proportionate to the cybersecurity risk and are intended to facilitate the analysis of cyber threats, while not creating obligations to disclose or rights to access third-party code beyond the applicable contractual terms.

(11) Open-source cybersecurity tools and applications can contribute to a higher degree of openness. Open standards facilitate interoperability between security tools, benefitting the security of stakeholders. Open-source cybersecurity tools and applications can leverage the wider developer community, enabling diversification of suppliers. Open source can lead to a more transparent verification process of cybersecurity related tools and a community-driven process of discovering vulnerabilities. Union entities should therefore be able to promote the use of open-source software and open standards by pursuing policies relating to the use of open data and open source as part of security through transparency.

(12) The differences between Union entities require flexibility in the implementation of this Regulation. The measures for a high common level of cybersecurity provided for in this Regulation should not include any obligations directly interfering with the exercise of the missions of Union entities or encroaching on their institutional autonomy. Therefore, those entities should establish their own Frameworks and should adopt their own cybersecurity risk-management measures and cybersecurity plans. When implementing such measures, due account should be taken of existing synergies between Union entities, with the aim of proper management of resources and cost optimisation. Due account should also be taken that the measures do not negatively affect efficient information exchange and cooperation among Union entities and between Union entities and Member State counterparts.

(13) In the interest of optimising the use of resources, this Regulation should provide for the possibility for two or more Union entities with similar structures to cooperate in carrying out the cybersecurity maturity assessments for their respective entities.

(14) In order to avoid imposing a disproportionate financial and administrative burden on Union entities, the cybersecurity risk-management requirements should be proportionate to the cybersecurity risk posed to the network and information systems concerned, taking into account the state of the art of such measures. Each Union entity should aim to allocate an adequate percentage of its ICT budget to improve its level of cybersecurity. In the longer term an indicative target in the order of at least 10 % should be pursued. The cybersecurity maturity assessment should evaluate whether the Union entity’s cybersecurity spending is proportionate to the cybersecurity risks that it faces. Without prejudice to the rules relating to the Union’s annual budget under the Treaties, in its proposal for the first annual budget to be adopted after the entry into force of this Regulation the Commission should take into account the obligations arising from this Regulation when assessing the budgeting and staffing needs of the Union entities as resulting from their estimates of expenditures.

(15) A high common level of cybersecurity requires cybersecurity to come under the oversight of the highest level of management of each Union entity. The Union entity’s highest level of management should be responsible for the implementation of this Regulation, including for the establishment of the Framework, the taking of the cybersecurity risk-management measures and the approval of the cybersecurity plan. Addressing the cybersecurity culture, namely the daily practice of cybersecurity, is an integral part of the Framework and the corresponding cybersecurity risk-management measures in all Union entities.

(16) The security of network and information systems handling EU classified information (EUCI) is essential. Union entities that handle EUCI are required to apply the comprehensive regulatory frameworks in place for protecting such information, including specific governance, policies and risk-management procedures. It is necessary for network and information systems handling EUCI to comply with more stringent security standards than unclassified network and information systems. Therefore, network and information systems handling EUCI are more resilient to cyber threats and incidents. Consequently, while recognising the need for a common framework in this regard, this Regulation should not apply to network and information systems handling EUCI. However, if explicitly requested to do so by a Union entity, the Computer Emergency Response Team for the EU institutions, bodies and agencies (CERT-EU) should be able to provide assistance to that Union entity in relation to incidents in classified ICT environments.

(17) Union entities should assess cybersecurity risks related to relationships with suppliers and service providers, including providers of data storage and processing services or managed security services, and take appropriate measures to address them. Cybersecurity measures should be further specified in guidelines or recommendations issued by CERT-EU. When establishing measures and guidelines, due account should be taken of the state of the art and, where applicable, relevant European and international standards, as well as relevant Union law and policies, including cybersecurity risk assessments and recommendations issued by the Cooperation Group established pursuant to Article 14 of Directive (EU) 2022/2555, such as the EU coordinated risk assessment of the cybersecurity of 5G networks and the EU toolbox on 5G cybersecurity. In addition, taking into account the cyber threat landscape and the importance of building up cyber resilience for the Union entities, the certification of relevant ICT products, ICT services and ICT processes could be required under specific European cybersecurity certification schemes adopted pursuant to Article 49 of Regulation (EU) 2019/881 of the European Parliament and of the Council (3).

(18) In May 2011, the Secretaries-General of the Union institutions and bodies decided to establish a pre-configuration team for CERT-EU, supervised by an inter-institutional Steering Board. In July 2012, the Secretaries-General confirmed the practical arrangements and agreed to maintain CERT-EU as a permanent entity to continue to help improve the overall level of information technology security of the Union’s institutions, bodies and agencies as an example of visible inter-institutional cooperation in cybersecurity. In September 2012, CERT-EU was established as a Commission Taskforce with an interinstitutional mandate. In December 2017, the Union institutions and bodies concluded an Interinstitutional arrangement on the organisation and operation of CERT-EU (4). This Regulation should provide for a comprehensive set of rules on the organisation, functioning and operation of CERT-EU. The provisions of this Regulation prevail over the provisions of the Interinstitutional arrangement on the organisation and operation of CERT-EU that was concluded in December 2017.

(19) CERT-EU should be renamed Cybersecurity Service for the Union institutions, bodies, offices and agencies, but it should keep the short name CERT-EU because of name recognition.

(20) In addition to giving CERT-EU more tasks and an expanded role, this Regulation establishes the Interinstitutional Cybersecurity Board (IICB) in order to facilitate a high common level of cybersecurity among Union entities. The IICB should have an exclusive role in monitoring and supporting the implementation of this Regulation by the Union entities and in supervising the implementation of general priorities and objectives of, and providing strategic direction to, CERT-EU. The IICB should therefore ensure representation of the Union institutions and should include representatives of bodies, offices and agencies of the Union through the EU Agencies Network (EUAN). The organisation and functioning of the IICB should be further regulated by means of internal rules of procedure, which may include further specification of regular meetings of the IICB, including annual gatherings of the political level where representatives of the highest level of management of each member of the IICB would allow the IICB to have strategic discussion and provide strategic guidance to the IICB. Furthermore, the IICB should be able to establish an executive committee to assist in its work and to delegate some of its tasks and powers to it, in particular in terms of tasks that require specific expertise of its members, for instance the approval of the service catalogue and any subsequent updates to it, arrangements for service level agreements, assessments of documents and reports submitted by the Union entities to the IICB pursuant to this Regulation or tasks related to the preparation of decisions on compliance measures issued by the IICB and to monitoring their implementation. The IICB should lay down the rules of procedure of the executive committee, including its tasks and powers.

(21) The IICB aims to support Union entities in elevating their respective cybersecurity postures through the implementation of this Regulation. In order to support Union entities, the IICB should provide guidance to the Head of CERT-EU, adopt a multiannual strategy on raising the level of cybersecurity in the Union entities, establish the methodology for and other aspects of voluntary peer reviews, and facilitate the establishment of an informal group of local cybersecurity officers, supported by the European Union Agency for Cybersecurity (ENISA), with the aim of exchanging best practices and information in relation to the implementation of this Regulation.

(22) In order to achieve a high level of cybersecurity in all Union entities, the interests of the bodies, offices and agencies of the Union that run their own ICT environment should be represented on the IICB by three representatives designated by the EUAN. The security of personal data processing, and therefore also the cybersecurity thereof, is a cornerstone of data protection. In light of the synergies between data protection and cybersecurity, the European Data Protection Supervisor should be represented on the IICB in its capacity as a Union entity subject to this Regulation, with specific expertise in the area of data protection, including security of electronic communications networks. Considering the importance of innovation and competitiveness in cybersecurity, the European Cybersecurity Industrial, Technology and Research Competence Centre should be represented on the IICB. In view of ENISA’s role as a centre of expertise in cybersecurity, and the support that ENISA provides, and in view of the importance of cybersecurity of Union space infrastructure and services, ENISA and the European Union Agency for the Space Programme should be represented on the IICB. In light of the role assigned to CERT-EU under this Regulation, the Head of CERT-EU should be invited by the Chair of the IICB to all of the IICB’s meetings, except when the IICB discusses matters relating directly to the Head of CERT-EU.

(23) The IICB should monitor compliance with this Regulation as well as the implementation of guidelines and recommendations, and calls for action. The IICB should be supported on technical matters by technical advisory groups composed as the IICB sees fit. Those technical advisory groups should work in close cooperation with CERT-EU, the Union entities and other stakeholders as necessary.

(24) Where the IICB finds that a Union entity has not effectively implemented this Regulation or the guidelines, recommendations or calls for action issued pursuant thereto, the IICB should be able, without prejudice to the internal procedures of the Union entity concerned, to proceed with compliance measures. The IICB should apply compliance measures progressively – in other words, the IICB should first adopt the least severe measure, namely a reasoned opinion, and only if necessary increasingly severe measures, culminating in the most severe measure, namely a recommendation of a temporary suspension of data flows to the Union entity concerned. Such a recommendation should be applied only in exceptional cases of long-term, deliberate, repetitive or serious infringements of this Regulation by the Union entity concerned.

(25) The reasoned opinion represents the least severe compliance measure addressing observed gaps in the implementation of this Regulation. The IICB should be able to follow up a reasoned opinion with guidance to assist the Union entity in ensuring that its Framework, cybersecurity risk-management measures, cybersecurity plan and reporting comply with this Regulation, and then by a warning to address identified shortcomings of the Union entity within a specified period. If the shortcomings identified in the warning have not been sufficiently addressed, the IICB should be able to issue a reasoned notification.

(26) The IICB should be able to recommend that an audit of a Union entity be carried out. The Union entity should be able to use its internal audit function for that purpose. The IICB should also be able to request that an audit be performed by a third-party audit service, including from a mutually agreed private-sector service provider.