We have previously discussed the NIS2 Directive, the new cybersecurity framework for certain private and public sector entities. While public administration entities of central and regional governments in the Member States are considered entities in sectors of high criticality under NIS2, the EU itself – consisting of its many institutions, bodies, offices, and agencies – is not covered by that framework. A new proposal that aims to impose a similar framework on the EU is now moving through the interinstitutional dialogue and will likely be adopted later this year.
Today, it needs no explanation that cyber-attacks on (and between) government actors have become more prevalent. This was the main reason for including central and regional Member State governments under the NIS2 framework. However, the EU institutions, bodies and agencies are not immune to these cyber-threats either. The Computer Emergency Response Team for the EU institutions, bodies, and agencies, “CERT-EU”, has detected a worrisome uptick in significant incidents. In the first half of 2021 alone, more significant incidents were reported than in the whole of 2020, and compared with 2018 this represents a tenfold increase.
Moreover, an analysis of the level of cyber defence of the EU institutions, bodies and agencies found that cybersecurity maturity varies greatly. Best practices in the field are applied unevenly, and there is a clear lack of mature business continuity management, compliance, audit, and continuous improvement.
It was therefore decided that a minimum level of cybersecurity is needed not just in the EU as a whole, but also in the EU institutions, bodies, and agencies themselves. A proposal for a regulation laying down measures for a high common level of cybersecurity at the institutions, bodies, offices, and agencies of the Union was published in 2022. Interinstitutional dialogue on this draft is currently taking place and an agreement will likely be reached soon. The text is still expected to be adopted this year.
At its core, the framework aims to be consistent with NIS2 and to mirror its ambitions (recital 5). It requires EU institutions, bodies, and agencies to establish an internal cybersecurity risk management, governance, and control framework, and to implement cybersecurity risk management and reporting obligations. Additionally, the proposal lays down provisions on the organisation and operation of the existing CERT-EU and of a new Interinstitutional Cybersecurity Board.
At every EU institution, body, or agency, upper management must oversee the adoption of the internal cybersecurity risk management, governance, and control framework. This framework should cover the entity’s entire IT environment – whether on-site, outsourced or cloud-based. Where (part of) the IT environment is outsourced or cloud-based, this new framework may intersect with the application of the NIS2 Directive. In addition, a Local Cybersecurity Officer must become the single point of contact for cybersecurity aspects, and sufficient budgets must be made available.
As under NIS2, senior officials must be trained in cybersecurity risk and management practices. In addition, the highest level of management must approve the entity’s cybersecurity baseline. A maturity assessment must be conducted every three years, and its results will feed into the entity’s cybersecurity plans. Those plans must be effectively implemented and submitted to the Interinstitutional Cybersecurity Board.
A new body is established, the Interinstitutional Cybersecurity Board (IICB). The IICB will monitor the implementation of the framework and supervise CERT-EU. It will include representatives of the Union Agencies Network and certain core institutions, bodies, and agencies.
When non-compliance is found, the IICB can issue a warning and recommend that the relevant audit service carry out an audit.
CERT-EU is given a few more specific tasks to support the institutions, bodies, and agencies in implementing this framework. For instance, it will determine a package of baseline cybersecurity services and it will report on cyber-threats faced by EU institutions, bodies, and agencies.
It will contribute to the Joint Cyber Unit (a new platform that aims to strengthen cooperation among EU Institutions, Agencies, Bodies, and the authorities of the Member States), for instance regarding preparedness, incident coordination, operational cooperation, etc. It will also contribute to policy and the implementation thereof, and cooperate with its Member State counterparts.
CERT-EU may also offer additional, chargeable services outside the service catalogue, and it may organise cybersecurity exercises.
Professional secrecy must be observed in carrying out the obligations under this framework. CERT-EU may request institutions, bodies, and agencies to share information regarding vulnerabilities and incidents. Cooperation with these requests is mandatory.
Institutions, bodies, and agencies must notify CERT-EU of significant cyber-threats, vulnerabilities, and incidents without undue delay, and in any event no later than 24 hours after becoming aware of them. CERT-EU will facilitate information exchange with relevant stakeholders.
In case of a major attack, CERT-EU will coordinate among institutions, bodies and agencies.
This initiative is certainly a welcome one. In light of the EU’s increased efforts in the field of cybersecurity, with NIS2 as the new core framework in this field, it would have been quite a blind spot if the EU institutions, bodies, and agencies were not subject to similar cybersecurity standards.
For private actors, the framework will mainly matter when they provide cybersecurity-related services to the EU. For instance, a cloud provider serving an EU agency will now find that agency subject to this framework, which may entail additional requirements. Conversely, a cloud provider that is itself subject to NIS2 may find that it already complies with most of the obligations of this proposal.
For further questions regarding cybersecurity, please contact Timelex.