The new Cybersecurity Regulation will make all EU entities assess and improve their security standards and will establish a new board to oversee these measures.

The EU has adopted new regulation that aims to protect its various institutions from cyberattacks by creating a common standard of cybersecurity.

The bloc’s Cybersecurity Regulation entered into force earlier this week to protect its connected offices, agencies, bodies and institutions. The regulation began in 2021 when the EU Council stressed the importance of a robust and consistent security framework to protect itself.

The legislation is one of various endeavours the EU is taking in the cybersecurity space. At the end of 2023, European Commission reached an agreement on the terms of the Cyber Resilience Act, which aims to improve the level of cybersecurity of digital products for consumers and businesses across the EU.

But what are the specific details for the EU’s Cybersecurity Regulation and what does it aim to accomplish?

What does the new regulation aim to achieve?

In short, the new regulation aims to protect all EU personnel, data, communication networks, information systems and decision-making processes from the risk of cyberattacks. It aims to do this by establishing better internal risk management and creating a high cybersecurity standard across EU entities.

The regulation says that new technology and the interconnectedness of digital systems amplifies cybersecurity risks and makes EU entities more vulnerable to cyberattacks.

“While the increased use of cloud services, the ubiquitous use of information and communication technology (ICT), the high level of digitalisation, remote work and evolving technology and connectivity are core features of all activities of Union entities, digital resilience is not yet sufficiently built in,” the regulation states.

The regulation also states that EU entities are valuable targets for cyberattackers. In 2022, the European Parliament website was hit by a “sophisticated” cyberattack. This happened after EU lawmakers passed a resolution declaring Russia a “state sponsor of terrorism” for Moscow’s attacks on Ukrainian civilian targets.

To ensure the EU has a high common level of cybersecurity, this regulation aims to make its various entities establish an “internal cybersecurity risk-management, governance and control framework” to establish security protocols.

The regulation states that this framework should be based on “an all-hazards approach” that protects networks, information systems and their physical environments from threats. The regulation suggests that each EU entity should aim to allocate an “adequate percentage” of its ICT budget to improve its level of cybersecurity.

The EU aims for each of its entities to have established an internal framework by 8 April 2025 – and this framework will be reviewed on a regular basis “and at least every four years”.

By 8 September 2025, EU entities should take proportionate technical, operational and organisational measures to manage the cybersecurity risks they have identified. These potential measures are various, such as having multifactor authentication as the norm across its systems or regular cybersecurity training for staff.

How will this Cybersecurity Regulation be enforced?

To ensure EU entities are taking the right steps to raise their security standards, the regulation will also set up the Interinstitutional Cybersecurity Board (IICB), which will monitor and support the regulation’s implementation.

The regulation also extends the role of the Computer Emergency Response Team for all EU institutions, bodies, offices and agencies – CERT-EU – into a threat intelligence, information exchange and incident response coordination hub, as well as a central advisory body, and a service provider.

What are the next steps?

Now that the regulation has entered into force, EU entities have a set timeframe to apply their cybersecurity risk management measures. The EU also aims to establish the IICB as soon as possible.

Meanwhile, the European Commission is pushing for extra rules to set a minimum information security standard across all EU entities. This proposed regulation was presented in 2022 – at the same time when the Cybersecurity Regulation was officially proposed. Negotiations between the co-legislators on this proposal Information Security Regulation have not yet started.

“The regulation strengthens Union entities’ cybersecurity and aligns the EU administration with the standards imposed on member states, such as the directive on high common levels of cybersecurity across the Union,” said EU budget and administration commissioner Johannes Hahn.

“The rapid adoption of the regulation proves the commitment of the EU towards these objectives. Now I call upon the co-legislators to swiftly engage on negotiations for the parallel Information Security Regulation.”

10 things you need to know direct to your inbox every weekday. Sign up for the Daily Brief, Silicon Republic’s digest of essential sci-tech news.