Privacy & Information Security Law Blog

The European Commission (“Commission”), the European Parliament (“Parliament”) and the Council of the European Union reached an agreement earlier this month regarding changes to the Proposal for a Regulation on ENISA, the “EU Cybersecurity Agency”, and repealing Regulation (EU) 526/2013, and on Information and Communication Technology Cybersecurity Certification (the “Cybersecurity Act”). The agreement empowers the EU Cybersecurity Agency (known as European Union Agency for Network and Information and Security, or “ENISA”) and introduce an EU-wide cybersecurity certification for services and devices.

Background

The Cybersecurity Act was introduced in a wide-ranging set of cybersecurity measures adopted by the Commission on September 13, 2017, and proposed as a priority of the Digital Single Market Strategy. The objective of these measures was to deal with cyber-attacks and build strong cybersecurity in the EU.

More Powers for ENISA

The Cybersecurity Act reinforces the ENISA’s centrality to better support Member States when facing cybersecurity threats or attacks. The Cybersecurity Act grants more powers to and new tasks for ENISA, including:

• A permanent mandate. The initial temporary mandate was due to end in 2020 and is now replaced by a permanent mandate. More resources will also be allocated to ENISA to accomplish its tasks.
• To prepare the EU for a crisis response to major cyberattacks.
• To assist Member States in responding effectively to cyber-attacks with a greater cooperation and coordination at the EU level.

ENISA will also be recognized as an independent center of expertise that will promote awareness to citizens and businesses and that will assist the EU institutions and Member States in the development and implementation of policies.

Cybersecurity Certification Framework

The Cybersecurity Act also introduces an EU-wide cybersecurity certification framework to ensure that the products and services sold in the EU comply with EU cybersecurity standards. This a great step forward as it is the first internal market law that enhances the security of connected products, Internet of Things or critical infrastructure by implementing a single certificate.

The hope is that consumers will benefit from this new regulation as manufacturers provide detailed information on cybersecurity for certified products and services including guidance on installation, the period for security support and information for security updates. The Cybersecurity Act, in this view, will increase consumers’ trust in products and services they choose to use as they will have warranties that these products and services are cyber secure.

Similarly, companies will also benefit from the Cybersecurity Act as they will save significant costs on certification. A one stop-shop cybersecurity certification means that companies and especially Small and Medium-sized Enterprises ("SMEs") will not need to apply for certificates in different countries but one certificate will be valid throughout the EU. Certification will no longer be perceived as a market-entry barrier for companies but as a competitive advantage. In addition, companies may certify their own products for a minimum level of cybersecurity.

Better Governance

To make future initiatives clearer and more transparent for industry, the Parliament requested that a Union rolling work program be a component of the cybersecurity certification framework’s governance, and involved in setting the strategic priorities on future certification requirements.

Next Steps

The Parliament’s Committee on Industry, Research and Energy and the Council of the European Union must still formally approve the proposed agreement. If approved, it will then be published in the EU Official Journal. The Cybersecurity Act will enter into force twenty days following that publication.

The press releases of the Commission and of the Parliament can be found here.