Regulation (EU) 2023/2841, the Cybersecurity Regulation for Union entities, entered into force on 7 January 2024. Two years later, on 7 January 2026, the Interinstitutional Cybersecurity Board (IICB) released its annual report for 2025 (you can find the IICB's annual report for 2024 here) and it promptly became a cyber best-seller in Brussels' EU quarter.
2025 turned out to be a busy year for CERT-EU, the IICB and all Union entities, entities which invested significant time and resources consolidating and stress-testing their internal frameworks against the Regulation's milestones and deadlines, stitching a solid cybersecurity risk-management, governance and control fabric that actually fits. The sweat is real, the work is solid, and the IICB report is the proof – if you haven't read it yet, you're missing out.
In 2025, the IICB placed particular emphasis on addressing supply chain security and strengthening Union entities' ICT environment, starting with the assessment of their potential overreliance on non-EU vendors.
Several milestones were achieved in 2025 by Union entities, including:
- Establishing a cybersecurity risk-management, governance and control framework – 8 April 2025;
- Assessing their cybersecurity maturity – 8 July 2025;
- Establishing tailored technical, operational and organisational measures to manage cybersecurity risks – 8 September 2025.
On 8 January 2026, Union entities signed off their own cybersecurity plan; work never stops around here!
Another 2025 highlight: with the FREIA framework contract up and running, entities could outsource services from trusted private sector partners, on top of CERT-EU's service catalogue.
When it comes to the bad guys, CERT-EU identified more than 30 threat actors directly targeting Union entities using over 160 different techniques. The threat level for Union entities remains very high and improving our collective cybersecurity resilience remains a top priority.
The first days of 2026 arrived already crackling with geopolitical sparks, reminding us that Union entities navigate a complex threat landscape and need all our support to reach a high common level of cybersecurity. Through these efforts we keep the Union's public administration resilient, autonomous and credible for the long haul.