What is Regulation 2023/2841?
The EU cybersecurity Regulation, which came into force at the start of this year, aims to establish a comprehensive and standardised approach to cybersecurity across European Union Institutions, Bodies and Agencies (EUIBA). This ensures that all entities are well-protected against evolving cyber threats and capable of executing a coordinated incident response plan.
Breaking it down
In short, the new regulation emphasises the need for proactive risk management, regular assessments, and structured responses to cyber threats.
Why is this important? Setting up structures like the Cybersecurity Emergency Response Team for the EU (CERT-EU) and the Interinstitutional Cybersecurity Board (IICB) contributes to a unified effort to combat threats and protect the EU’s digital infrastructure.
The regulation passes several key messages:
- Establish a framework: Outline internal cybersecurity risk management, governance, and control processes and incorporate all aspects of cybersecurity, including cloud services and third-party hosted services.
- Be proactive: Actively identify, assess, and manage cybersecurity risks to install appropriate and proportionate security measures.
- Be consistent: Conduct regular cybersecurity maturity assessments at least once every two years.
- Stand ready: Ensure organisations have the capacity, capability, and resources to report significant incidents to the CERT-EU within 24 hours.
- Adopt preventative measures: Deploy and maintain an adequate arsenal of Information System security protection mechanisms (multi-factor authentication, encryption, secure communication methods, etc.).
- Mitigate supply chain risks: Integrate cybersecurity standards into all procurement processes.
- Implement training: Develop and promote cybersecurity education and skill-building initiatives.
The two mentioned bodies, IICB and CERT-EU, play key roles in ensuring compliance:
- The IICB will oversee the implementation of the regulation, provide strategic direction to CERT-EU, and issue opinions, warnings, and recommendations when necessary. In cases of persistent non-compliance, the IICB can recommend audits or enforce the suspension of data flows to the concerned entity.
- The CERT-EU will act as the central hub for cybersecurity services, coordination, and support for the EU entities, providing technical assistance, incident response, and operational support to enhance cybersecurity across the EU.
To have a cybersecurity framework in place by April 2025 and to conduct maturity assessments and risk assessments throughout the rest of that year, entities should begin implementation no later than September 2024. The goal is to have a cybersecurity plan approved by January 2026.
What role does Blackwater play?
Blackwater, a standing security partner of EU entities, now supports the entities’ compliance with EU Regulation 2023/2841 by proposing a systematic approach to follow.
The main steps identified for an optimal journey are:
- Conduct a comprehensive cybersecurity review: Use the results to create an initial set of internal cybersecurity policies, objectives, and priorities, outlining established roles and responsibilities for staff tasked with cybersecurity.
- Programme and perform: Run the first iteration of cybersecurity maturity assessments.
- Conduct cybersecurity risk assessments: Using methodologies, such as EBIOS RM or ITSRM², organisations can go beyond compliance with a scenario-based approach.
- Build a plan: Include the outcomes of cybersecurity maturity assessments and the measures taken to manage risks.
Once compliance is achieved, Blackwater will continue to support the EU entity through the last steps:
- Reviewing and updating the cybersecurity framework regularly, taking new risks, incidents, and assessments into account.
- Staying informed about and implementing any new guidelines and recommendations from CERT-EU.
A key factor to success in this journey is allocating at least 10% of the ICT budget to cybersecurity. Additionally, appropriate staffing levels are crucial to support cybersecurity efforts and ensure regulatory compliance.
By following these steps and maintaining ongoing vigilance, European Union institutions, bodies, and agencies can achieve compliance with Regulation (EU, Euratom) 2023/2841, thereby enhancing their cybersecurity posture and resilience against cyber threats.