The European Commission (EC) has proposed two new regulations that would establish common cyber security and information security measures across the EU institutions, with the aim of improving their resilience and response capacity against a range of cyber threats.
All European Union (EU) institutions, bodies, offices, and agencies will be required to have cyber security frameworks in place for governance, risk management, and control under the proposed cybersecurity regulation, which was published on March 22, 2022.
They must also conduct regular assessments, implement plans for improvement, and share any incident-related information with the Computer Emergency Response Team for the EU institutions (CERT-EU) “without undue delay”.
In addition, the regulation would establish a new inter-institutional Cybersecurity Board to oversee, drive and monitor its implementation. The new board would also help to steer CERT-EU, whose scope would be expanded to a triple role: an incident response coordination hub, a central advisory body, and a service provider.
Under a separate Information Security Regulation proposal published the same day, the EC is proposing a minimum set of security rules to both enhance and standardise how EU public organisations protect their information against evolving threats.
Johannes Hahn, the EU’s budget and administration commissioner, said in a statement: “In a connected environment, a single cyber security incident can affect an entire organisation. This is why it is critical to build a strong shield against cyber threats and incidents that could disturb our capacity to act.”
“The regulations we are proposing today are a milestone in the EU cyber security and information security landscape. They are based on reinforced cooperation and mutual support among EU institutions, bodies, offices and agencies and on a coordinated preparedness and response. This is a real EU collective endeavour.”