March 28, 2022
In its Resolution of March 2021, the Council of the European Union stressed the importance of a robust and consistent security framework to protect all EU personnel, data, communication networks, information systems and decision-making processes. This can only be achieved through enhanced resilience and an improved security culture for EU institutions, bodies, offices and agencies.
Accordingly, the Commission has now proposed new rules to establish common cybersecurity and information security measures across the EU institutions, bodies, offices and agencies. The proposal aims to bolster their resilience and response capacities against cyber threats and incidents, and to ensure a resilient, secure EU public administration, amid the rise in malicious cyber activity worldwide.
The proposed Cybersecurity Regulation will establish a framework for governance, risk management and control in the area of cybersecurity. It will create a new inter-institutional Cybersecurity Board, boost cybersecurity capabilities, and promote regular maturity assessments and better cyber hygiene. It will also extend the mandate of the Computer Emergency Response Team for the EU institutions, bodies, offices and agencies (CERT-EU), making it a hub for threat intelligence, information exchange and incident response coordination, a central advisory body, and a service provider.
The proposed Information Security Regulation will create a minimum set of information security rules and standards for all EU institutions, bodies, offices and agencies to ensure enhanced and consistent protection against evolving threats to their information. These new rules will provide a stable ground for a secure exchange of information across EU institutions, bodies, offices and agencies and with Member States, based on standardised practices and measures to protect information flows.