On Monday 26 June, negotiators from the Council of the European Union and the European Parliament reached a provisional political agreement on the regulation aimed at ensuring a high common level of cybersecurity in EU institutions, agencies and bodies.
“We need to be prepared for the constant evolution of cyber threats. This requires sufficient technical capacity, skills and resources, which the new regulation will strengthen”, commented the rapporteur for the dossier, Henna Virkkunen (EPP, Finnish).
The rules, proposed by the Commission in 2022 in response to an increase in the number of cyber-attacks, aim to create a common cybersecurity framework for all EU entities through regular assessments and appropriate measures. The text also provides for the role of the EU Computer Emergency Response Team (CERT-EU) to be strengthened. This was one of the last points on which negotiations were still continuing (see EUROPE 13166/15).
Renamed the ‘Cybersecurity Service for the Institutions, Bodies and Agencies of the European Union’ but keeping its acronym, CERT-EU will advise all EU institutions, bodies and agencies and help them to prevent, detect and respond to incidents.
This service will also act as a hub for information exchange and coordination on cybersecurity and incident response. All EU entities will be required to share unclassified incident information with CERT-EU without delay.
A new Interinstitutional Cyber Security Council will be created. It will have the task of monitoring the implementation of the regulation within EU entities, at a time when cybersecurity levels are still very uneven. It will also be responsible for providing guidance to CERT-EU and will be made up of representatives from all the institutions as well as the European Union Agency for Cybersecurity (ENISA), the European Data Protection Supervisor and the European Investment Bank, among others. (Original version in French by Thomas Mangin)