New cybersecurity rules for EU institutions have entered into force


The new Cybersecurity Regulation laying down measures for a high standard level of cybersecurity at the institutions, bodies, offices and agencies of the Union entered into force yesterday, 7 January 2024.

The Regulation lays down measures for establishing an internal cybersecurity risk management, governance and control framework for each Union entity. It sets up a new Interinstitutional Cybersecurity Board (IICB) to monitor and support its implementation by Union entities. It provides an extended mandate for the Computer Emergency Response Team for the EU institutions, bodies, offices and agencies (CERT-EU) as a threat intelligence, information exchange and incident response coordination hub, a central advisory body, and a service provider. In line with its mandate, CERT-EU is renamed the Cybersecurity Service for the Union institutions, bodies, offices and agencies, but it retains the short name “CERT-EU”.

EU Council: A robust security framework

In its resolution from March 2021, the Council of the European Union stressed the importance of a robust and consistent security framework to protect all EU personnel, data, communication networks, information systems and decision-making processes. 

In this context, the Commission announced the proposal for the Cybersecurity Regulation in March 2022, and in June 2023, the European Parliament and Council reached a political agreement.

Following the timeline defined in the Regulation, the Union entities will establish internal cybersecurity governance processes. They will progressively implement the specific cybersecurity risk management measures foreseen by the Regulation. The IICB will be set up and made operational as soon as possible to provide strategic steering to CERT-EU under its extended mandate, to give guidance and support to the Union entities, and to monitor the implementation of the Regulation.

“As the cyber threats are becoming more pervasive and the cyber attackers more sophisticated, achieving a high common level of cybersecurity across Union entities is paramount to ensure an open, efficient, secure and resilient EU public administration. The Regulation strengthens Union entities’ cybersecurity and aligns the EU administration with the standards imposed on Member States, such as the Directive on high common levels of cybersecurity across the Union, also known as NIS 2. The rapid adoption of the Regulation proves the commitment of the EU towards these objectives. Now I call upon the co-legislators to swiftly engage in negotiations for the parallel Information Security Regulation,” said Johannes Hahn, Commissioner for Budget and Administration.

The Regulation aligns with the Commission’s policy objectives as set by the EU Security Union Strategy and the EU Cybersecurity Strategy. It ensures consistency with other legislative initiatives in the area.
