The Council of the European Union has taken note of the 2025 annual report of the Interinstitutional Cybersecurity Board (IICB), which details progress by EU institutions, bodies, and agencies in implementing cybersecurity measures under Regulation (EU, Euratom) 2023/2841. The report, published on 1 September 2026, highlights that Union entities have met key regulatory milestones, including establishing cybersecurity frameworks and completing maturity and risk assessments. The Council's acknowledgment marks a procedural step in overseeing the EU's cybersecurity resilience efforts.
The document, a Council note dated for the meeting of 1 December 2026, serves as a formal record of the IICB's annual report. It is not a legislative act but an assessment of implementation progress. The report focuses on achieving a high common level of cybersecurity across Union entities, as mandated by the 2023 regulation. Key strategic priorities include enhancing supply chain security, reducing overreliance on non-EU vendors, and promoting shared services through the FREIA common procurement framework.
Policy orientations and trade-offs
The report underscores a push for digital sovereignty by encouraging Union entities to diversify suppliers and adopt shared cybersecurity services. This approach aims to reduce vulnerabilities from single-vendor dependencies and improve cost-efficiency through pooled resources. However, it may limit flexibility for entities with specialised needs and could increase short-term transition costs. The emphasis on common frameworks also raises questions about balancing standardisation with the autonomy of individual agencies.
Impact on stakeholders
EU institutions and agencies benefit from improved cybersecurity resilience and potential cost savings via shared services, but face administrative burdens in aligning with common frameworks and transitioning away from non-EU vendors. EU cybersecurity vendors: non-EU suppliers may see reduced market access, while EU-based vendors could gain opportunities under the procurement framework. EU taxpayers may see long-term savings from shared services and reduced cyber incidents offset initial transition costs. National cybersecurity authorities may need to coordinate more closely with EU-level frameworks, potentially adding complexity to existing national systems.
Institutional follow-up
The Council's note-taking is a formal acknowledgment; further action is expected from the European Commission and the IICB in monitoring implementation. The next annual report will likely track progress on supply chain diversification and shared service adoption. No immediate legislative steps are anticipated, but the report may inform future policy reviews under the 2023 regulation.