The European Union has enacted a Cybersecurity Regulation to bolster cybersecurity measures across its government agencies. Proposed in 2022 and in effect since Sunday, the regulation mandates uniform cybersecurity compliance standards for EU institutions, offices, bodies, and agencies. Agencies are given until September 2024 to adhere to the regulation, which includes requirements for adopting controls against known risks and undergoing regular cybersecurity maturity assessments. The measure also enhances CERT-EU’s role, making it a central hub for cybersecurity assistance and information exchange, with EU agencies mandated to share nonclassified incident-related information with CERT-EU.
This regulatory move comes in response to mounting concerns over cyber threats targeting European critical infrastructure, particularly following Russia’s invasion of Ukraine in February 2022. A European oversight body’s findings in May 2022 revealed that many European agencies fell short of achieving a sufficient level of cyber preparedness in the face of evolving threats. The European Court of Auditors found deficiencies in the implementation of essential cybersecurity practices and identified instances of underspending in this domain. To address these issues, the regulation establishes the Interinstitutional Cybersecurity Board (IICB), tasked with monitoring the regulation’s implementation and overseeing CERT-EU.
To facilitate effective cyber risk management, the regulation grants CERT-EU legal authority to process and retain sensitive information, including personally identifiable information like IP and email addresses. The regulation mandates the IICB and CERT-EU to submit their initial report on policy implementation by January 2025. This comprehensive approach aims to address shortcomings in the cybersecurity practices of EU agencies and strengthen their resilience against evolving digital threats.