We are thrilled to announce that the EU has just taken a big step … a step that will boost the overall cybersecurity resilience of all Union entities.
On December 13, the EU co-legislators, aka the Council of the EU and the European Parliament, officially signed the long-awaited Regulation laying down measures for a high common level of cybersecurity at the institutions, bodies, offices and agencies of the Union.
Now you may wonder what this means. Wonder no more. Just sit back and read on.
More cybersecurity for all Union entities
As the cybersecurity exchange hub and incident response centre for all the EU institutions, bodies, and agencies (EUIBAs), we provide a wide range of services spanning all functions of the NIST CSF to the 90 entities that make up the EU.
These critical entities are very heterogeneous. They differ in size, mandate, sector, and cybersecurity maturity. This diversity makes our job a tad complicated.
Luckily, the new Regulation gives the impetus for the EUIBAs to further develop and nurture a cybersecurity mindset, integrating it into all their activities by design. By requiring a strong governance framework and future-proof cybersecurity plans, all regularly updated, the Regulation will drive their cybersecurity posture forward.
Bruce Schneier, a renowned cybersecurity expert, once said that ‘Security is a process, not a product’. True. Effective security is not something one can achieve simply by purchasing and implementing a product (aka by throwing money at the problem). Instead, it requires constant effort, adaptation, and vigilance.
Security must be a dynamic, living thing if, as a community, we want to keep threat actors at bay and face the ever-evolving attacks they keep directing at us. We must continuously assess and address risks, update our practices, and respond to new threats and vulnerabilities.
The Regulation recognises this. On one hand, it encourages all Union entities to maintain a high level of preparedness. On the other, it extends our mandate, affirming our crucial role in supporting them.
‘Cybersecurity Service’ is the new black
Once upon a time, CERT meant Computer Emergency Response Team. But let’s face it, CERTs no longer deal only with computers, and many have been renamed to Service this or Service that.
Now it’s our turn. But don’t worry, we are still the CERT-EU you all know (and love). We’ll keep the acronym even though the Regulation elevates our role to the Cybersecurity Service for the Union institutions, bodies, offices and agencies.
More resources and a stronger mandate put us in a better position to serve our constituents. Further embracing our ‘Think Constituent, Create Value’ ethos, we will provide necessary guidelines, recommendations and calls for action to EUIBAs. We will also advise them every step of the way and step up our efforts to help them prevent, detect, and respond to cyber-attacks.
Let there be the IICB
So far, we have been governed by a Steering Board. A new ‘version’, called the Interinstitutional Cybersecurity Board (or IICB), will be created thanks to the Regulation.
The IICB aspires to be an inclusive body with representation from all Union entities, where all shall have a say and be heard. The IICB will oversee, monitor and support the implementation of the new set of rules by all EUIBAs.
Building on the solid foundations laid by our Steering Board, the IICB will also provide strategic direction and governance to CERT-EU.
Keep calm and notify
At the risk of sounding like Captain Obvious while displeasing marketroids, there is no such thing as bulletproof security. And we all know that Union entities are highly attractive targets for many animals of the cyber bestiary.
We have had more than our fair share of cyber-attacks, as exemplified by the public executive summaries of our Threat Landscape Reports. And unless we unplug the internet, we don’t expect this to change anytime soon.
In line with the NIS 2 Directive, the Regulation requires EUIBAs to notify us without undue delay if they are facing significant incidents. This way we can quickly spring into action to help them respond and recover using our top-notch Human Intelligence Expertise.
Towards a more resilient Union
CERT-EU not only plays a key role in information sharing within the EU but also holds reporting obligations to inform stakeholders.
We have been sharing incident-specific information with our Member State counterparts and collaborating with various public and private entities for many years. And thanks to the Regulation, we will be intensifying this long-standing tradition.
Also, working hand in hand with ENISA, the EU Cybersecurity Agency, through our structured cooperation, we will foster operational cooperation and knowledge dissemination.
Too long; didn’t read?
The EU’s new Regulation isn’t just another document. It’s a game changer for the level of cybersecurity within the EU, and we are excited to be at its heart!
And while the Regulation does not stand alone, it’s a vital piece in the EU’s cybersecurity arsenal, one made up of various instruments that are all part of the EU’s commitment to a safer digital future for all.