On 30 September, the Czech Presidency of the EU Council submitted to the Member States the latest version of its compromise text on measures for a common high level of cybersecurity in the EU institutions, agencies and bodies (see EUROPE 13023/9).
In concrete terms, apart from minor semantic changes to certain definitions, the text mainly reiterates the importance of the creation of an Interinstitutional Cyber Security Board (IICB), as well as the extension of the tasks and role of the Computer Emergency Response Team for EU institutions, bodies and agencies (CERT-EU). The IICB’s exclusive role would be to facilitate the establishment of a common level of cyber security among EU Member States.
The document details the composition of the IICB, which would include representatives from 13 EU institutions, bodies or agencies, in particular the European Parliament, the European Council, the EU Council, the Commission, the Court of Justice of the European Union, the Court of Auditors and the European Central Bank.
This Interinstitutional Board should meet at least three times a year, at the request of its Chairperson or at the request of CERT-EU. Its secretariat would be provided by the European Union Agency for Cybersecurity (ENISA), not by the Commission.
The IICB should also support the creation of an informal group of local cybersecurity officers from all entities to facilitate the exchange of best practices and information. In addition, the IICB should also develop a cyber crisis management plan to support the coordinated management of major incidents at operational level affecting EU entities.
Moreover, where it considered that there was a “continuing violation” of the provisions of the Regulation by an EU entity “resulting directly from the actions or omissions of an official or other servant”, the Interinstitutional Cyber Security Board could request the entity concerned to take appropriate measures, including of a disciplinary nature.
The IICB could also appoint an Executive Committee to assist it in its work and delegate to it some of its powers or tasks, in particular with regard to tasks requiring specific expertise of its members, such as the approval of the service catalogue and its subsequent updates or the assessments of documents and reports submitted by Union entities to the IICB.
In addition, the document makes provisions for exchanges of information that could be of a sensitive nature between Member States and EU institutions, bodies and agencies. On this aspect, the compromise text proposes that the IICB may issue, “as a last resort”, an opinion to all Member States and EU entities recommending the temporary suspension of data flows to the EU entity accused of “durable, deliberate, repetitive and/or serious” breaches. This suspension should then be in place until the cyber security status of this entity is rectified.
See the document: https://aeur.eu/f/3gd (Original version in French by Thomas Mangin)