On 22 March 2022, the European Commission (“EC”) adopted two new proposals: a Cybersecurity Regulation and an Information Security Regulation (available here and here). The regulations aim to set common priorities and frameworks in order to strengthen inter-institutional co-operation, minimise risk exposure and further develop the EU's security culture.
Cybersecurity Regulation
Under the Cybersecurity Regulation, all EU institutions, bodies and agencies will have to adopt a framework for ensuring common cybersecurity rules and measures. The proposal builds on both the EU Security Union Strategy and the EU’s Cybersecurity Strategy for the Digital Decade.
EU institutions will be required to implement a baseline of measures, undertake regular maturity assessments, adopt plans for improving their cybersecurity, and share incident-related information with the “Cybersecurity Centre”. This is the renamed Computer Emergency Response Team (“CERT-EU”); the new name brings it in line with the terminology used within member states and globally, while the CERT-EU acronym will continue to be used to avoid confusion.
The Cybersecurity Regulation also creates a new inter-institutional Cybersecurity Board to drive and monitor the implementation of the regulation and also to help steer the CERT-EU.
Information Security Regulation
Like the Cybersecurity Regulation, the proposed Information Security Regulation builds on the EU Security Union Strategy and will create a minimum set of information security rules and standards for all EU institutions, bodies, offices and agencies. The regulation aims to ensure enhanced and consistent protection of the information held by EU institutions and bodies against the evolving threats they face.
Key elements of the proposed regulation include a common approach to categorising information by level of confidentiality, modernised information security policies and the streamlining of current practices.
It is worth noting that both proposed Regulations will have to be discussed by the European Parliament and the Council (as co-legislators) before they can be formally adopted and enter into force within the EU.