March 5. 2024. 1:53

The Daily

Read the World Today

European Parliament agrees cybersecurity requirements for EU bodies


The European Parliament’s Industry committee voted Thursday (9 March) in favour of MEP Henna Virkkunen’s draft report proposing introducing common cybersecurity standards across EU institutions, paving the way for starting trilogue negotiations.

The draft law is the EU version of the revised Networks and Information Security Directive (NIS2), which introduced cybersecurity requirements at the national level for entities that play an essential role in the functioning of society.

It aims to institute a “high common level of cybersecurity at the institutions, bodies, offices and agencies of the Union”.

This legislation responds to growing cybersecurity concerns, triggered mainly by the increasing digitisation of public bodies, administrative procedures and the under-preparedness of EU bodies to deal with potential attacks.

“A high level of cybersecurity preparedness must be the norm in the EU entities,” Virkkunen said. “We must ensure sufficient technical capabilities, knowledge and resources to effectively tackle increasingly sophisticated cybersecurity threats.”

The European Commission proposed the legislation in March 2022, the same month the European Court of Auditors released a study highlighting the urgency to upscale the EU institutions’ cybersecurity capacity amid a worsening threat landscape.

According to the auditors, EU bodies were increasingly attractive targets for cyber-attackers, with serious incidents booming by more than 10 times between 2018 and 2021. This trend was partly driven by the COVID-19 pandemic, with more people working from home.

The auditors also found the Union’s cyber-resilience capacities were significantly lacking and that targeted attacks posed a widespread risk given the interconnectedness of EU institutions.

The report called for a revamp of the bloc’s cybersecurity infrastructure, saying “the EU needs to do more to protect its own authorities.”

EU institutions not prepared for increase in cyberattacks

EU institutions are not sufficiently prepared for the increasing number of cyberattacks, a new special report by the European Court of Auditors on Tuesday (29 March) reads. EURACTIV Germany reports.

The Commission’s proposal introduced common cybersecurity standards such as governance frameworks, risk assessments and cybersecurity improvement plans would be required.

The regulation would also expand the capacity and funding of the EU’s Computer Security Incident Response Team (CERT-EU), which oversees the ICT security of Union institutions and organisations.

The Parliamentary draft report introduced additional responsibilities for CERT-EU, such as playing a coordinating role in the disclosure of vulnerabilities and tasking it with proposing the criteria and scale for the cybersecurity frameworks adopted by EU entities.

Also included in the amendments is a provision to establish CERT-EU as an “autonomous interinstitutional service provider for all Union entities” integrated into a Commission department, with regular assessments of its functioning.

These would allow for changes to its structure, including its possible reestablishment as a Union office, in reaction to what the draft report identifies as “the growing criticality of cybersecurity and the constantly arising threat level.”

The report also reorganises the timeframe for reporting significant cyber incidents, aligning the notification timing requirements with those of the NIS2 Directive.

Under the report’s amendments, entities must submit an early warning of an incident within 24 hours of becoming aware and a formal incident notification, indicating an initial assessment of its severity and impact, within 72.

“A common framework for cybersecurity measures for EU entities is needed to improve their resilience and incidence response capabilities”, rapporteur Virkkunen said following the Industry committee’s unanimous approval of the draft report.

“EU entities are all interconnected, and there should be no weak link in the chain. An interinstitutional approach will enable EU entities to develop their cybersecurity measures and responses to cyber threats and potential attacks.”

The parliamentary report is set to be adopted without a plenary vote. As the EU Council of ministers agreed to its position on the file in November, interinstitutional negotiations, so-called trilogues, will begin in the coming weeks.

In its approach, the Council identified elements for strengthening CERT-EU, particularly its information-sharing capacities, and bolstering coordination when responding to significant cyber incidents.