Cyber Regulation Requires EU Agencies to Assess Risks and Report Incidents
The European Union adopted a regulation on mandatory cyber hygiene intended to beef up cybersecurity at EU government agencies amid concerns that trading bloc institutions have failed to keep pace with mounting digital threats.
Proposed by the European Commission in 2022, the Cybersecurity Regulation lays down uniform cyber compliance requirements for EU institutions, bodies, offices and agencies. It came into force on Sunday, giving all agencies until September 2024 to conform to it, including its mandates for the adoption of controls against known risks and regular cybersecurity maturity assessments.
The regulation strengthens the role of CERT-EU as a hub for cybersecurity assistance and information exchange. EU agencies must share nonclassified incident-related information with the body. The agency currently employs around 40 staffers.
The measure comes amid concerns about cyberattacks against European critical infrastructure, which spiked in the wake of Russia’s February 2022 invasion of Ukraine (see: Russian APT Hackers Actively Targeting European NATO Allies).
A European oversight body in May 2022 concluded that European agencies failed to achieve a “level of cyber preparedness commensurate with the threat.”
The European Court of Auditors found after an investigation that lasted more than a year that many agencies had not implemented good cybersecurity practices, “including some essential controls.” A number of agencies “are clearly underspending on cybersecurity,” it said.
A new body, the Interinstitutional Cybersecurity Board, will now monitor implementation of the regulation and supervise the CERT-EU.
Since effective cyber risk management entails processing personally identifiable information such as IP and email addresses, the regulation grants CERT-EU the legal authority to process and retain such sensitive information. CERT-EU must ensure that it has taken safeguards to protect the privacy of the affected users.
Under the regulation, the new IICB board is set to be functional by Sept. 8. The IICB and CERT-EU will then be required to submit their initial report on the status of the policy implementation in January 2025.