Governance & Risk Management , IT Risk Management

EU Enhances Cybersecurity Requirements for Agencies

Cyber Regulation Requires EU Agencies to Assess Risks and Report Incidents
EU Enhances Cybersecurity Requirements for Agencies
The European Union adopted a regulation intended to strengthen institutional cybersecurity. (Image: Shutterstock)

The European Union adopted a regulation on mandatory cyber hygiene intended to beef up cybersecurity at EU government agencies amid concerns that trading bloc institutions have failed to keep pace with mounting digital threats.

See Also: The Dark Side of AI: Unmasking its Threats and Navigating the Shadows of Cybersecurity in the Digital Age

Proposed by the European Commission in 2022, the Cybersecurity Regulation lays down uniform cyber compliance requirements for EU institutions, bodies, offices and agencies. It came into force on Sunday, giving all agencies until September 2024 to conform to it, including its mandates for the adoption of controls against known risks and regular cybersecurity maturity assessments.

The regulation strengthens the role of CERT-EU as a hub for cybersecurity assistance and information exchange. EU agencies must share nonclassified incident-related information with the body. The agency currently employs around 40 staffers.

The measure comes amid concerns about cyberattacks against European critical infrastructure, which spiked in the wake of Russia's February 2022 invasion of Ukraine (see: Russian APT Hackers Actively Targeting European NATO Allies).

A European oversight body in May 2022 concluded that European agencies failed to achieve a "level of cyber preparedness commensurate with the threat."

The European Court of Auditors found after an investigation that lasted more than a year that many agencies had not implemented good cybersecurity practices, "including some essential controls." A number agencies "are clearly underspending on cybersecurity," it said.

A new body, the Interinstitutional Cybersecurity Board, will now monitor implementation of the regulation and supervise the CERT-EU.

Since effective cyber risk management entails processing personal identifiable information such as IP and email addresses, the regulation grants CERT-EU the legal authority to process and retain such sensitive information. CERT-EU must ensure that it has taken safeguards to protect the privacy of the affected users.

Under the regulation, the new IICB board is set to be functional by Sept. 8. The IICB and CERT-EU will then be required to submit their initial report on the status of the policy implementation in January 2025.


About the Author

Akshaya Asokan

Akshaya Asokan

Senior Correspondent, ISMG

Asokan is a U.K.-based senior correspondent for Information Security Media Group's global news desk. She previously worked with IDG and other publications, reporting on developments in technology, minority rights and education.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing govinfosecurity.com, you agree to our use of cookies.