Member States had until Wednesday 14 September to comment on the opinion of the EU Council Security Committee (CSC) on measures for a high common level of cybersecurity in EU institutions, agencies and bodies. This opinion was requested on 23 May by the Horizontal Working Party on Cyber Issues.
Specifically, the Council Security Committee considers that several changes should be made to the Commission’s original proposal. In particular, the CSC proposes that while the institutions and bodies affected by an incident can turn to the Computer Emergency Response Team for EU Institutions, Agencies and Bodies (CERT-EU), it should be up to the entities in question to define when, how and where information about the incident is communicated.
Furthermore, the CSC stresses that the regulation applies to the management, governance and control of cybersecurity risks in unclassified information networks and does not apply to EU classified information and network systems.
The CSC also points to overlaps between this regulation and the proposed regulation on information security, in particular as regards authentication for access to all unclassified information. In this case, the cybersecurity regulation requires multi-factor authentication, which is not mandatory in the information security regulation.
In addition, the CSC also refers to the missions and tasks of CERT-EU. On this point, the document clarifies that the sharing obligations do not extend to EU classified information received via an intelligence or law enforcement agency of a Member State, unless they have given their authorisation.
A similar process applies to notification requirements issued by the intelligence or law enforcement agencies of a Member State.
See the document: https://aeur.eu/f/34e (Original version in French by Thomas Mangin)