EU Institutions Cybersecurity Regulation: adapting to the new era of cybersecurity

by Javier López-Guzmán - Compliance Consultant
by Domenico Orlando - Compliance Consultant

Cybersecurity isn’t only about private industry and national governments. The European Union Institutions (EUIs) also have an important role to play in this new era of cybersecurity. Perhaps this finds its clearest expression in the proposal for a new Cybersecurity Regulation, published by the European Commission recently.

The new EU regulations, such as the proposed Cybersecurity Regulation for the European Union Institutions, have the goal of adapting to the new security landscape. To this end, they consider emerging technologies such as artificial intelligence (AI) and quantum computing, as well as state-sponsored cyberattacks and the risks posed by social media.

Consistent with existing policies and legislation

The new act, which was published on 18 March 2022, is expected to be adopted in its final form this autumn. It is fully embedded in the EU Security Union Strategy and the EU Cybersecurity Strategy. The new rules to boost cybersecurity in EU institutions are a joint effort of the EU co-legislators to enhance digital capabilities within a safe environment.

The EUIs Cybersecurity Regulation aims to ensure consistency with existing EU cybersecurity policies and legislation. The text was developed from and is closely related to:

Creating an internal cybersecurity framework

The EUI Cybersecurity Regulation establishes an obligation on Union institutions, bodies, and agencies to create their own internal cybersecurity risk management, governance, and control framework. That framework must include definitions of business continuity, crisis management, supply chain security, and risk management. The new Regulation also institutes cybersecurity risk management and reporting obligations for these areas.

Additionally, the Regulation imposes rules around the organisation and operation of the newly created CERT-EU, the autonomous interinstitutional Cybersecurity Centre for all Union institutions, and of the Interinstitutional Cybersecurity Board (IICB), which will be established after the Regulation comes into force.

According to the new Regulation, European Union Institutions must also:

  • appoint a local Cybersecurity Officer within the institution;
  • approve a cybersecurity baseline to address the risks identified under the Framework;
  • provide specific training for senior management on assessing cybersecurity risks and management practices;
  • develop a cybersecurity maturity assessment at least every three years;
  • develop a cybersecurity plan, to be updated at least every three years;
  • notify the Interinstitutional Cybersecurity Board (IICB) of all their plans and documentation, with support from CERT-EU as necessary;
  • notify CERT-EU of security breaches: CERT-EU must be notified of significant cyber threats, vulnerabilities, and incidents without undue delay and no later than 24 hours after becoming aware of them.

Sopra Steria has a deep knowledge of the implementation of cybersecurity frameworks and measures in EU institutions, thanks to our ongoing partnerships and completed projects. If you are interested in this area, please reach out to our experts.
