Regulation (EU, Euratom) 2023/2841 laying down measures for a high common level of cybersecurity at the institutions, bodies, offices and agencies of the Union is a European Union regulation identified by CELEX number 32023R2841. The official source states its aim as: to establish measures to ensure a high common level of cybersecurity in the Union institutions, bodies and agencies. Source: EUR-Lex and the European Parliament procedure file.

Regulation (EU, Euratom) 2023/2841 laying down measures for a high common level of cybersecurity at the institutions, bodies, offices and agencies of the Union

This localised page explains the cited data of the act in English, while keeping the official identifiers, names and primary sources unchanged.

CELEX: 32023R2841
Type: regulation
Date: 13 December 2023
Procedure: 2022/0085(COD)
Committee responsible: ITRE
Stage: Procedure completed

Official title: Regulation (EU, Euratom) 2023/2841 of the European Parliament and of the Council of 13 December 2023 laying down measures for a high common level of cybersecurity at the institutions, bodies, offices and agencies of the Union

What the act does

to establish measures to ensure a high common level of cybersecurity in the Union institutions, bodies and agencies.

PROPOSED ACT: Regulation of the European Parliament and of the Council.

ROLE OF THE EUROPEAN PARLIAMENT: the European Parliament decides in accordance with the ordinary legislative procedure and on an equal footing with the Council.

BACKGROUND: evolving technology and increased complexity and interconnectedness of digital systems amplify cybersecurity risks, making the Union administration more vulnerable to cyber threats and incidents.

The Committee on Industry, Research and Energy adopted the report by Henna VIRKUNEN (EPP, FI) on the proposal for a regulation of the European Parliament and of the Council laying down measures for a high common level of cybersecurity at the institutions, bodies, offices and agencies of the Union.

The committee responsible recommended that the European Parliament's position adopted at first reading under the ordinary legislative procedure should amend the proposal as follows:

This Regulation lays down measures that aim to achieve a high common level of cybersecurity in Union entities. To that end, this Regulation lays down:
- obligations that require Union entities to establish a cybersecurity risk management, handling of incidents, governance and control framework;
- cybersecurity risk management and reporting obligations for Union entities;
- rules underpinning information sharing obligations and the facilitation of voluntary information sharing arrangements with regard to Union entities;
- rules on the organisation, tasks and operation of the Cybersecurity Centre for the Union entities (CERT-EU) and on the functioning, organisation and operation of the Interinstitutional Cybersecurity Board (IICB).

Risk management, handling of incidents, governance and control framework

On the basis of a full cybersecurity audit, each Union entity should establish its own cybersecurity risk management, handling of incidents, governance and control framework. The establishment of the framework should be overseen by the Union entity's highest level of management. The risk management framework should (i) define the strategic objectives to ensure a high level of cybersecurity in the Union entities; (ii) lay down cybersecurity policies for the security of network and information systems encompassing the entirety of the ICT environment, and define the roles and responsibilities of staff of the Union entities tasked with ensuring the effective implementation of this Regulation; (iii) include the key performance indicators (KPIs). The framework should be reviewed regularly and at least every three years.

Risk management measures should ensure a level of security for networks and information systems across the ICT environment that is appropriate to the risks identified in the risk management framework, taking into account the state of the art and, where appropriate, applicable European and international standards or available European cybersecurity certificates. When assessing the proportionality of those measures, due account should be taken of the degree of the Union entity's exposure to risks, its size,…

Primary sources

Data © European Union.