The European Commission's Proposal for a Cybersecurity Regulation lays down measures for a high common level of cybersecurity at the institutions, bodies, offices and agencies of the Union (EUIs). The Proposal is one of the regulatory initiatives of the EU’s Cybersecurity Strategy for the Digital Decade of 16 December 2020. It will affect EUIs and CERT-EU (the Computer Emergency Response Team for the EUIs), and will require EUIs to:
- develop a risk and governance framework for cybersecurity,
- implement cybersecurity measures to address identified risks,
- conduct regular maturity assessments,
- develop improvement plans regarding cybersecurity, approved by senior leadership, and
- share incident-related information with CERT-EU without undue delay.
In response, the EDPS developed an Opinion on the proposed Regulation, published 17 May 2022, which provides general remarks and specific comments on the proposal. This article will present some of the key points outlined in the Opinion, which give an indication of where the EDPS will focus its attention when it comes to cybersecurity management within EUIs.
- The EDPS recommends that the Proposal stipulate minimum security requirements that are at least equal to, or higher than, the minimum security requirements for entities falling under the NIS Directive and the NIS 2.0 Directive Proposal. More generally, the EDPS highlights the importance of aligning the Proposal with the NIS 2.0 Directive, creating consistent rules that will be easier for EUIs to follow.
- The EDPS stresses the importance of integrating privacy and data protection perspectives into cybersecurity management, and that EU officials responsible for cybersecurity should cooperate closely with DPOs, as this will better ensure a holistic approach and enable synergies without duplicating effort. For example, on data breach notifications, the EDPS highlights the benefits of having an integrated incident handling process that serves both data protection and cybersecurity obligations.
- The EDPS notes that to comply with the Proposal, EUIs will have to deploy certain cybersecurity processes that are bound to generate additional processing of personal data. These include, for example, access control, communications security, incident management and multi-factor authentication. Organisations acting as controllers may not always realise that data processed in cybersecurity systems and services may constitute personal data, which further risks non-compliance. To avoid and mitigate these risks, the first step is to apply the data protection by design and by default requirements laid down in Article 27 of the EUDPR.
- The EDPS reiterates that encryption is a critical technology for effectively protecting personal data, and that it is a strong cybersecurity component that works without involving additional personal data processing. The EDPS recommends that ‘encryption at rest’, ‘encryption in transit’ and ‘end-to-end encryption’ be added to the list of minimum cybersecurity measures in the Proposal.
The interplay between cybersecurity and data protection is high on the EDPS’ agenda, as demonstrated by Section 3.3 of the Opinion, in which the EDPS presents recommendations for itself as a key stakeholder to monitor cybersecurity developments and their implications for data protection and privacy.
In order to comply with the Proposal, EUIs will need to develop processes and measures that will lead to additional processing of personal data. To maintain compliance with Regulation (EU) 2018/1725, the EDPS strongly advises that the Proposal provide a clear legal basis for the processing of this data by EUIs, including the purposes of processing and the categories of personal data that may be processed. When the Regulation comes into effect, EUIs should be mindful of this personal data processing and ensure that EUDPR obligations are followed. The existence of personal data within cybersecurity systems and services may not always be self-evident. EUIs should therefore take a careful approach to ensure compliance with data protection laws when implementing these measures.
Given that the requirements of the Regulation call for EUIs to have an internal cybersecurity risk management, governance and control framework ensuring:
- effective management of all cybersecurity risks,
- a baseline to address the risks identified under the framework,
- regular cybersecurity maturity assessments, and
- the adoption of a cybersecurity plan (Articles 4-8),
it would be prudent for EUIs to start taking steps to put some of these requirements into place.
Additionally, EUIs would be well advised to develop processes enabling seamless sharing of any incident-related information, in preparation for when the Regulation is in effect. Once the Regulation is in force, EUIs will need to report to CERT-EU any significant cyber threats, significant vulnerabilities and significant incidents without undue delay, and in any event no later than 24 hours after becoming aware of them.
There is currently no date for when the Cybersecurity Regulation will come into effect. The Trilateral Research Data Protection and Cyber-risk team has expertise in cybersecurity and can help you develop appropriate strategies for building an effective cybersecurity risk management, governance and control framework.