Digital Law Up(to)date: Two new EU proposals of regulation to strengthen cybersecurity and information security across the EU organs

26.04.2022 EU law

On 22 March, the EU published two new proposals of regulation on 'cybersecurity at the institutions, bodies, offices and agencies of the Union' and on 'information security in the institutions, bodies, offices and agencies of the Union'. This is a short overview of the two initiatives.

On 22 March 2022, the European Commission published two new proposals of regulation:

  • a “Proposal for a regulation laying down measures on cybersecurity at the institutions, bodies, offices and agencies of the Union” (COM(2022) 122 final);
  • a “Proposal for a Regulation of the European Parliament and of the Council on information security in the institutions, bodies, offices and agencies of the Union” (COM(2022) 119 final).

In brief, the first initiative establishes common cybersecurity measures across the European Union institutions, bodies, offices and agencies. They must develop a framework for governance, risk management and control in the area of cybersecurity and must put in place a plan for improving their cybersecurity. They must also implement a baseline of cybersecurity measures addressing the identified risks and share incident-related information with CERT-EU (the Computer Emergency Response Team, which the proposal renames the Cybersecurity Centre while keeping the short name CERT-EU). The mandate of CERT-EU is also strengthened. Finally, a new inter-institutional Cybersecurity Board is created to drive and monitor the implementation of the regulation and to steer CERT-EU.

The second proposal states a set of minimum rules and standards for information security, which it defines as “ensuring the authenticity, availability, confidentiality, integrity and non-repudiation of information”. It creates a common approach to the categorisation of information according to its level of confidentiality. EU organs need to assess all (classified and non-classified) information in order to categorise it according to the confidentiality levels determined in the text. They must also determine the security needs of all information, considering the requirements mentioned in the definition of “information security”. Finally, the EU organs are required to establish an information security risk management process for the protection of their information.


By Edouard Cruysmans and Erik Valgaeren 
