Cybersecurity at the EU institutions, bodies, offices and agencies: Council adopts its position

The Council adopted its position on a draft regulation aimed at ensuring a high common level of cybersecurity across the EU institutions, bodies, offices and agencies.

The measures were proposed by the Commission in March 2022 against the background of a significant surge in the number of sophisticated cyberattacks affecting the EU public administration in recent years. They set out to improve the resilience and incident response capacities of all the EU entities and to address the disparities in their approach by creating a common framework.

In its position, the Council lends its general support to the key elements of the proposed regulation, such as:

  • strengthening the mandate and funding of the Computer Emergency Response Team for the EU institutions, bodies, offices and agencies (CERT-EU)
  • setting up an interinstitutional Cybersecurity Board to drive and oversee the implementation of the new regulation
  • strengthening incident-related information sharing with CERT-EU
  • promoting coordination and cooperation in response to cyber incidents

At the same time, the Council has further aligned some elements of the draft regulation with the future directive on measures for a high common level of cybersecurity across the EU ('NIS 2' Directive), while removing references to the Joint Cyber Unit, whose mandate and composition have not been defined yet. It has also strengthened the mechanisms for ensuring the EU entities' compliance with the new regulation, while respecting their institutional autonomy, and ensured more reciprocity in the exchange of information between the EU public administration and the member states.

Next steps

Now that the Council has established its position on the proposed regulation, it is ready to start trilogues with the European Parliament, once the Parliament has voted on its negotiating mandate.

Background

In its conclusions of 20 June 2019, the European Council invited the EU institutions, together with the member states, to work on measures to enhance the resilience and improve the security culture of the EU against cyber and hybrid threats from outside the EU, and to better protect the EU’s information and communication networks, and its decision-making processes, from malicious activities of all kinds.

The proposal for a regulation setting out a common cybersecurity framework for the EU institutions, bodies, offices and agencies is one of the measures provided for in the EU's Cybersecurity Strategy for the Digital Decade, presented by the Commission and the High Representative of the Union for Foreign Affairs and Security Policy in December 2020 to strengthen the EU's collective resilience against cyber threats.

In its conclusions of 22 March 2021 on that strategy, the Council stressed that cybersecurity is vital for the functioning of public administration and institutions at both national and EU level and for our society and the economy as a whole.