EU cybersecurity: EU Commission welcomes deal between MEPs and EU Council

Brussels, 26 June 2023

MEPs and the Swedish Presidency of the Council have reached an agreement on plans to strengthen the European Union’s institutions, bodies and agencies against cyber threats, on Monday.

The regulation will enable a unified approach for cybersecurity across all Union entities. All EU institutions and bodies will have to establish strong cybersecurity standards, with a governance, risk management and control framework.

The agreement will establish the Interinstitutional Cybersecurity Board (IICB), which will ensure a coordinated approach across the Union. This board will be responsible for monitoring the implementation of the regulation and will provide strategic direction.

The EU’s existing Computer Emergency Response Team (CERT-EU) will be developed into a Cybersecurity Service for the Union institutions, bodies, offices and agencies. It will provide guidance, recommendations, and information about cyber vulnerabilities, incidents and attacks.

Quote

Lead MEP Henna Virkkunen (EPP, FI) said: “We are for the first time creating common rules for EU institutions, bodies and agencies on cybersecurity preparedness. EU has a number of different entities, ranging from large institutions to smaller agencies. When it comes to cybersecurity, we are only as strong as our weakest link”.

“The digital development, rapid growth of teleworking and the outsourcing of ICT services have contributed to the need to ensure a high level of cybersecurity in all instances. Strengthening cybersecurity concerns all sectors, including the EU administration. We must be prepared for the constantly evolving cyber threat environment. This requires sufficient technical capabilities, competence and resources, which the new Regulation will strengthen” she added.

Next steps

The informal agreement will now have to be endorsed by both Parliament and Council in order to become law. The Industry, Research and Energy committee will vote on the text in a forthcoming meeting.

Background

A European Parliament study highlights that the digital transformation is making the EU institutions and administration more vulnerable to cyber-threats and incidents. Their number has surged dramatically in recent years: there were as many incidents during the first half of 2021 as in the whole of 2020, for instance. Yet an analysis of 20 Union institutions, bodies and agencies showed that their governance, preparedness, cybersecurity capability and maturity vary substantially, weakening the system. This proposal for a regulation would establish a common framework to ensure that similar cybersecurity rules and measures are applied within all Union institutions, bodies, offices and agencies, to improve their resilience and incident-response capacities and rapidly improve the existing situation.

Further information

The Commission welcomes the political agreement reached between the European Parliament and the Council of the EU on the Regulation proposed by the Commission laying down measures for a high common level of cybersecurity at the institutions, bodies, offices and agencies of the Union. Negotiations have now concluded, paving the way for final approval of the legal text by the European Parliament and the Council.

The Commission announced the proposal for the Cybersecurity Regulation in March 2022. This Regulation will put in place a framework for governance, risk management and control across EU entities in cybersecurity, with a new inter-institutional Cybersecurity Board to monitor its implementation. It will also extend the mandate of the Computer Emergency Response Team for the EU institutions, bodies, offices and agencies (CERT-EU), as a threat intelligence, information exchange and incident response coordination hub, a central advisory body, and a service provider. CERT-EU will be renamed to ‘Cybersecurity Service for the Union institutions, bodies, offices and agencies’ to reflect its new mandate while keeping the short name CERT-EU for recognition purposes.

The key elements of the proposal for all EU institutions, bodies, offices and agencies are the following:

Have a framework for governance, risk management and control in the area of cybersecurity;
Conduct regular maturity assessments;
Implement cybersecurity measures addressing the identified risks;
Put in place a plan for improving their cybersecurity;
Share incident-related information with CERT-EU without undue delay.

Next Steps

Once the text is finalised, the European Parliament and the Council will have to formally adopt the new Regulation before it can enter into force. Union entities will then be required to comply with the obligations and meet the deadlines specified in the text. This will contribute to ensuring higher levels of cybersecurity in the EU administration and be better prepared to face future challenges.

Background

In its resolution from March 2021, the Council of the European Union stressed the importance of a robust and consistent security framework to protect all EU personnel, data, communication networks, information systems and decision-making processes. This can only be achieved through enhanced resilience and improved security culture of the EU institutions, bodies, offices and agencies.

Following the EU Security Union Strategy and the EU Cybersecurity Strategy, the Cybersecurity Regulation will ensure consistency with existing EU cybersecurity policies, in full alignment with current European legislation:

The Directive on measures for a high common level of cybersecurity across the Union (‘NIS 2′), with which this legislation is aligned in terms of principles and level of ambition, while respecting the specificities of Union entities;
The Cybersecurity Act;
The Commission Recommendation on coordinated response to large-scale cybersecurity incidents and crises.

For More Information

Proposal for a Regulation of the European Parliament and of the Council on information security in the institutions, bodies, offices and agencies of the Union

Quote(s)

The agreement found by the co-legislators confirms our shared strong commitment to safeguarding that the EU public administration remains open, secure and resilient. Cybersecurity is a political and operational priority for the EU, and this Regulation is a milestone in this respect. More cooperation, certainty and efficiency will create a climate of collaboration and trust where people, data and networks can operate and interact safely.

Johannes Hahn, Commissioner for Budget and Administration – 26/06/2023

Cookie	Duration	Description
__stripe_mid		This cookie is set by Stripe payment gateway. This cookie is used to enable payment on the website without storing any patment information on a server.
__stripe_sid		This cookie is set by Stripe payment gateway. This cookie is used to enable payment on the website without storing any patment information on a server.
_abck		This cookie is used to detect and defend when a client attempt to replay a cookie.This cookie manages the interaction with online bots and takes the appropriate actions.
_wpfuuid		This cookie is used by the WPForms WordPress plugin. The cookie is used to allows the paid version of the plugin to connect entries by the same user and is used for some additional features like the Form Abandonment addon.
ASP.NET_SessionId		Issued by Microsoft's ASP.NET Application, this cookie stores session data during a user's website visit.
AWSALBCORS		This cookie is managed by Amazon Web Services and is used for load balancing.
bm_sz		This cookie is set by the provider Akamai Bot Manager. This cookie is used to manage the interaction with the online bots. It also helps in fraud preventions
cookielawinfo-checbox-analytics		This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checbox-functional		The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checbox-others		This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-necessary		This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-performance		This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
elementor		This cookie is used by the website's WordPress theme. It allows the website owner to implement or change the website's content in real-time.
JSESSIONID		Used by sites written in JSP. General purpose platform session cookies that are used to maintain users' state across page requests.
viewed_cookie_policy		The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
_ga		The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_ga_4L7PKQPHHV		This cookie is installed by Google Analytics.
_ga_T50H0MNN9J		This cookie is installed by Google Analytics.
_gat_gtag_UA_12289088_5		Set by Google to distinguish users.
_gcl_au		Provided by Google Tag Manager to experiment advertisement efficiency of websites using their services.
_gid		Installed by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously.

Cookie	Duration	Description
_mcid		No description available.
_swa_u		This cookie is set by the provider Sitewit.com. This cookie is used for statistical report and analysis.
ak_bmsc		No description available.
AWSALB		AWSALB is a cookie generated by the Application load balancer in the Amazon Web Services. It works slightly different from AWSELB.
ec_store_chameleon_font		No description available.
FCCDCF		No description available.
issuem_lp		No description available.
lp_us_his		No description
m		No description available.

EU cybersecurity: EU Commission welcomes deal between MEPs and EU Council

Quote

Next steps

Background

Further information

EU Commission welcomes political agreement on new rules to boost cybersecurity in EU institutions, bodies, offices, and agencies

Next Steps

Background

For More Information

Quote(s)

INSIGHT EU MONITORING