Commission Proposes New Regulations to Improve Cybersecurity and Information Security of EU Administration
On 22 March 2022, the Commission made two new proposals to improve cybersecurity and information security in EU institutions, bodies, offices, and agencies: a Cybersecurity Regulation and an Information Security Regulation.
Cybersecurity Regulation
With this regulation, the Commission wishes to establish common cybersecurity measures across the EU's institutions, bodies, offices, and agencies. The regulation is in line with the Commission’s priorities to make Europe fit for the digital age. The measures include the following:
- Strengthening the mandate of the Computer Emergency Response Team (CERT-EU) and providing the resources needed to fulfil it;
- Modernising the existing CERT-EU legal framework in order to take into account the altered and increased digitisation of EU institutions, bodies, and agencies as well as the changing cybersecurity threat landscape;
- Renaming CERT-EU from "Computer Emergency Response Team" to "Cybersecurity Centre", while keeping the abbreviation "CERT-EU" for name recognition purposes;
- Setting up a new inter-institutional Cybersecurity Board to drive and monitor implementation of the regulation and to steer CERT-EU.
All EU institutions, bodies, offices, and agencies would be required to:
- Put in place a framework for governance, risk management, and control in the area of cybersecurity;
- Implement a baseline of cybersecurity measures addressing the identified risks;
- Conduct regular maturity assessments;
- Put in place a plan for improving their cybersecurity.
Information Security Regulation
The regulation on information security is part of the EU Security Union Strategy adopted by the Commission on 24 July 2020 (→ eucrim 2/2020, 71-72), which is intended to bring the EU's added value to national efforts in the area of security. The goal is to provide a stable foundation for the secure exchange of information across EU institutions, bodies, offices, and agencies and with the Member States. With this proposal, the Commission aims to achieve the following:
- To set up an inter-institutional Information Security Coordination Group that will foster cooperation across all EU institutions, bodies, offices, and agencies;
- To establish a common approach to information categorisation, based on the level of confidentiality;
- To modernise information security policies so that they take full account of digital transformation and remote work.
The proposals are an outcome of the EU's strategy to bolster resilience of its administration against cyber and information threats.