Cybersecurity Changes in Europe
In the last month, the European Commission proposed new cybersecurity regulations. These regulations would standardize cyber and IT security protocols throughout the EU’s public administration. The regulations would have the following effects:
First, the regulations are intended to improve the strength and response capabilities of computer systems against as many cyber threats as possible. The regulations would strengthen the mandate of the Computer Emergency Response Team for the EU (CERT-EU). CERT-EU is composed of cybersecurity experts throughout the EU. It “collects, manages, analyzes and shares information with EU institutions, bodies, and agencies on threats, vulnerabilities and incidents related to unclassified ICT [Information and Communication Technology] infrastructure.” CERT-EU coordinates responses to cyberattacks and provides specialized operational assistance to institutions that need it. The new regulations also provide more resources to CERT-EU to further improve its efforts.
Second, these regulations require all EU public institutions, bodies, offices, and agencies to draft a “framework for governance, risk management and control in the area of cybersecurity.” The regulations require minimum cybersecurity measures for each of these entities and require these entities to conduct regular maturity assessments. These entities are also required to develop a roadmap for making cybersecurity improvements and provide information to CERT-EU regarding cyber incidents as soon as possible.
Should the EU pass these regulations, they would establish a new inter-institutional Cybersecurity Board. This board would oversee the implementation of these regulations and give direction to CERT-EU.
Finally, these regulations would rename the “Computer Emergency Response Team” the “Cybersecurity Centre.” This is to better align with the advancements of the EU. Its responsibilities would expand to heading coordination for responses to cyber incidents and being a service provider and central advisory body for the EU.
These new regulations are intended to protect the public institutions, agencies, and other organizations of the EU from the damages that cyberattacks can cause. They are meant to further enable the secure exchange of information throughout the EU. The regulations standardize the classification of information at different levels of confidentiality.
While these regulations would create more work for those organizations that do not currently meet the proposed minimum standards, they would help them in the long run. Improving their cybersecurity practices now, instead of waiting for an incident to occur, will potentially save the organizations a lot of money.