1. The Authority shall establish an internal IT governance at the level of the Executive Director which establishes and manages the IT budget and ensures regular reporting to the Executive Board on compliance with applicable IT security rules and standards.
2. The Authority shall ensure that a sufficient share of its IT expenditure is transparently allocated to direct IT security. The contribution to the Cybersecurity Service for the Union institutions, bodies, offices and agencies (CERT-EU) may be counted in that share.
3. An adequate IT security monitoring, detection and response service shall be established, using the services of CERT-EU. Major incidents shall be reported to CERT-EU and to the Commission within 24 hours of detection.