Governance and general requirements
The Cybersecurity Regulation proposal contains the following:
- EU institutions have to implement multifactor authentication “as a norm”, as well as software supply-chain security measures and Zero-Trust architecture;
- CERT-EU (EU’s Cyber Emergency Response Team) sees its missions and budget expanded. 11 additional staff members will be hired, which will make 49 in total;
- EU institutions, bodies or agencies that face significant cyber-threats, significant vulnerabilities or significant incidents must report them to CERT-EU within 24 hours;
- the proposed legislation creates an Interinstitutional Cybersecurity Board that will oversee the implementation of the rules. This Board is composed of representatives from the EU institutions.
Specific information security requirements
Categories of information
The proposal for Information Security lays down categories of information (depending on their sensitivity) and the corresponding security measures.
The proposal defines the following categories:
- non-classified information with three levels: public use, normal and sensitive
- classified information with four levels: EU RESTRICTED, EU CONFIDENTIAL, EU SECRET and EU TOP SECRET
Handling and storing of sensitive non-classified information
EU institutions and bodies shall implement strong authentication to access sensitive non-classified information, and sensitive non-classified information shall be encrypted in transmission and in storage.
For this type of information, encryption keys used for storage shall be under the responsibility of the responsible EU institution or body. Moreover, sensitive non-classified information shall be stored and processed in the EU.
Security equipment bearing a European cybersecurity certificate (pursuant to the CSA) shall be used, where available.
Handling of classified information
European Union classified information (abbreviated EUCI) is subject to specific, stricter rules.
First, the proposal includes physical security requirements for the handling of EUCI, including physical access control.
Secondly, the storage, central processing and network components of the communication and information systems shall be installed in a Secured Area (as defined by Annex III).
Thirdly, only approved cryptographic products shall be used to transmit and store EUCI. The list of approved cryptographic products shall be maintained by the Council, on the basis of input from the National Security Authorities. Where the list does not include any suitable product for the intended purpose, the Crypto Approval Authority of the Union institution or body concerned shall request an interim approval from the Council. Where possible, a cryptographic product that is approved by the National Security Authority of a Member State shall be selected. Approval of cryptographic products is valid for 5 years maximum and reviewed on a yearly basis afterwards.
Fourthly, all the communication and information systems handling and storing EUCI shall undergo an accreditation process.
Fifthly, the proposal lays down minimum standards on industrial security. These standards notably apply to tenderers and contractors.
The proposal will enter into application two years (+20 days) after its publication in the Official Journal of the EU.
Next steps:
The proposal will go through the ordinary legislative procedure, meaning that it will be examined by the European Parliament and the Council.
If you have any questions on this topic, please contact Camille Dornier - Policy Manager: camille.dornier@eurosmart.com