Digital Law Up(to)date: Two new EU proposals of regulation to strengthen cybersecurity and information security across the EU organs

EU Law

On 22 March, the EU published two new proposals for regulations on 'cybersecurity at the institutions, bodies, offices and agencies of the Union' and on 'information security in the institutions, bodies, offices and agencies of the Union'.

On 22 March 2022, the European Commission published two new proposals for regulations:

  • a “Proposal for a regulation laying down measures on cybersecurity at the institutions, bodies, offices and agencies of the Union” (COM(2022) 122 final);
  • a “Proposal for a Regulation of the European Parliament and of the Council on information security in the institutions, bodies, offices and agencies of the Union” (COM(2022) 119 final).

In brief, the first initiative establishes common cybersecurity measures across the European Union institutions, bodies, offices and agencies. They must develop a framework for governance, risk management and control in the area of cybersecurity and must put in place a plan for improving their cybersecurity. They must also implement a baseline of cybersecurity measures addressing the identified risks and share incident-related information with CERT-EU (the Computer Emergency Response Team, which under the proposal becomes the Cybersecurity Centre but keeps the short name CERT-EU). The mandate of CERT-EU is also strengthened. Finally, a new inter-institutional Cybersecurity Board is created to drive and monitor the implementation of the regulation and to steer CERT-EU.

The second proposal sets out a set of minimum rules and standards for information security, which it defines as “ensuring the authenticity, availability, confidentiality, integrity and non-repudiation of information”. It creates a common approach to the categorisation of information according to its level of confidentiality. EU organs need to assess all (classified and non-classified) information in order to categorise it with the confidentiality levels determined in the text. They shall also determine the security needs of all information, taking into account the requirements listed in the definition of “information security”. Finally, the EU organs are required to establish an information security risk management process for the protection of their information.

This article was co-authored by Edouard Cruysmans in his capacity of Professional Support Lawyer at Stibbe.