On October 10, 2024, the Council of the European Union adopted the EU’s new regulation on horizontal cybersecurity requirements for products with digital elements.
Background
On September 15, 2022, the European Commission presented its proposal for a Regulation on horizontal cybersecurity requirements for products with digital elements (the “Cyber Resilience Act”). According to the European Commission, the Cyber Resilience Act will be the first EU-wide legislation introducing “cybersecurity requirements for products with digital elements, throughout their whole lifecycle.”
On March 12, 2019, the European Parliament (“Parliament”) approved the proposal for a regulation of the European Parliament and of the Council on ENISA, and repealing Regulation (EU) 526/2013, and on Information and Communication Technology cybersecurity certification (collectively, the “Cybersecurity Act”). The Parliament’s approval follows a political agreement between the European Commission, the Parliament and the Council of the European Union (“Council”) reached last December.
The Cybersecurity Act aims to achieve a high level of cybersecurity and cyber resilience, and to promote individuals’ trust in the EU digital single market.
The European Commission (“Commission”), the European Parliament (“Parliament”) and the Council of the European Union reached an agreement earlier this month regarding changes to the Proposal for a Regulation on ENISA, the “EU Cybersecurity Agency”, and repealing Regulation (EU) 526/2013, and on Information and Communication Technology Cybersecurity Certification (the “Cybersecurity Act”). The agreement empowers the EU Cybersecurity Agency (known as European Union Agency for Network and Information and Security, or “ENISA”) and introduce an EU-wide cybersecurity certification for services and devices.
On February 5, 2014, the Member States of the EU and European Free Trade Association (“EFTA”) as well as the European Network and Information Security Agency (“ENISA”) issued Standard Operational Procedures (“SOPs”) to provide guidance on how to manage cyber incidents that could escalate to a cyber crisis.
On February 7, 2013, the European Commission, together with the High Representative of the Union for Foreign Affairs and Security Policy, launched their cybersecurity strategy for the European Union (“Strategy”). As part of this Strategy, the European Commission also proposed a draft directive on measures to ensure a common level of network and information security (“NIS”) across the EU (the “Directive”).
On April 6, 2011, the European Commission (“the Commission”) signed a voluntary agreement with private and public stakeholders to establish data protection guidelines for companies that use radio frequency identification device (“RFID”) technology within Europe.
The agreement, entitled “Privacy and Data Protection Impact Assessment Framework for RFID Applications” (the “Framework”) requires companies to conduct privacy impact assessments for all RFID applications they implement and to take measures to address identified data protection risks before those applications are deployed in the market. Reports of the completed privacy impact assessments must be made available to the national data protection authorities. The Framework, which was designed in close cooperation with the European Network and Information Security Agency after consultation with the Article 29 Working Party, provides the first clear, comprehensive methodology that can be applied across all industry sectors to assess and mitigate RFID-related privacy risks. It is intended both to assure companies that their use of RFID technology is compatible with European data protection legislation, and to enhance privacy protections for European citizens and consumers.
On February 18, 2011, the European Network and Information Security Agency (“ENISA”), an advisory body created to enhance information security in the EU, announced the issuance of its report on cookies, entitled “Bittersweet cookies. Some security and privacy considerations.”
On January 14, 2011, the European Network and Information Security Agency (“ENISA”), which was created to enhance information security within the European Union, published a report entitled “Data breach notifications in the EU” (the “Report”).
Currently, there is wide debate throughout the EU regarding data breach notification requirements. The debate stems from recent high-profile data breach incidents and the introduction of mandatory data breach notification requirements for telecommunication service providers imposed by EU Directive 2009/136/EC (amending EU Directive 2002/58/EC, the “e-Privacy Directive”), which must be integrated into EU Member States’ national laws by May 25, 2011. The goal of the Report is to assist Member States, regulatory authorities and private organizations with their implementation of data breach notification policies.
Search
Recent Posts
Categories
- Behavioral Advertising
- Centre for Information Policy Leadership
- Children’s Privacy
- Cyber Insurance
- Cybersecurity
- Enforcement
- European Union
- Events
- FCRA
- Financial Privacy
- General
- Health Privacy
- Identity Theft
- Information Security
- International
- Marketing
- Multimedia Resources
- Online Privacy
- Security Breach
- U.S. Federal Law
- U.S. State Law
- Workplace Privacy
Tags
- Aaron Simpson
- Accountability
- Adequacy
- Advertisement
- Advertising
- American Privacy Rights Act
- Anna Pateraki
- Anonymization
- Anti-terrorism
- APEC
- Apple Inc.
- Argentina
- Arkansas
- Article 29 Working Party
- Artificial Intelligence
- Australia
- Austria
- Automated Decisionmaking
- Baltimore
- Bankruptcy
- Belgium
- Biden Administration
- Big Data
- Binding Corporate Rules
- Biometric Data
- Blockchain
- Bojana Bellamy
- Brazil
- Brexit
- British Columbia
- Brittany Bacon
- Brussels
- Business Associate Agreement
- BYOD
- California
- CAN-SPAM
- Canada
- Cayman Islands
- CCPA
- CCTV
- Chile
- China
- Chinese Taipei
- Christopher Graham
- CIPA
- Class Action
- Clinical Trial
- Cloud
- Cloud Computing
- CNIL
- Colombia
- Colorado
- Committee on Foreign Investment in the United States
- Commodity Futures Trading Commission
- Compliance
- Computer Fraud and Abuse Act
- Congress
- Connecticut
- Consent
- Consent Order
- Consumer Protection
- Cookies
- COPPA
- Coronavirus/COVID-19
- Council of Europe
- Council of the European Union
- Court of Justice of the European Union
- CPPA
- CPRA
- Credit Monitoring
- Credit Report
- Criminal Law
- Critical Infrastructure
- Croatia
- Cross-Border Data Flow
- Cyber Attack
- Cybersecurity
- Cybersecurity and Infrastructure Security Agency
- Data Brokers
- Data Controller
- Data Localization
- Data Privacy Framework
- Data Processor
- Data Protection Act
- Data Protection Authority
- Data Protection Impact Assessment
- Data Transfer
- David Dumont
- David Vladeck
- Delaware
- Denmark
- Department of Commerce
- Department of Health and Human Services
- Department of Homeland Security
- Department of Justice
- Department of the Treasury
- District of Columbia
- Do Not Call
- Do Not Track
- Dobbs
- Dodd-Frank Act
- DPIA
- E-Privacy
- E-Privacy Directive
- Ecuador
- Ed Tech
- Edith Ramirez
- Electronic Communications Privacy Act
- Electronic Privacy Information Center
- Elizabeth Denham
- Employee Monitoring
- Encryption
- ENISA
- EU Data Protection Directive
- EU Member States
- European Commission
- European Data Protection Board
- European Data Protection Supervisor
- European Parliament
- Facial Recognition Technology
- FACTA
- Fair Credit Reporting Act
- Fair Information Practice Principles
- Federal Aviation Administration
- Federal Bureau of Investigation
- Federal Communications Commission
- Federal Data Protection Act
- Federal Trade Commission
- FERC
- FinTech
- Florida
- Food and Drug Administration
- Foreign Intelligence Surveillance Act
- France
- Franchise
- Fred Cate
- Freedom of Information Act
- Freedom of Speech
- Fundamental Rights
- GDPR
- Geofencing
- Geolocation
- Georgia
- Germany
- Global Privacy Assembly
- Global Privacy Enforcement Network
- Gramm Leach Bliley Act
- Hacker
- Hawaii
- Health Data
- Health Information
- HIPAA
- HIPPA
- HITECH Act
- Hong Kong
- House of Representatives
- Hungary
- Illinois
- India
- Indiana
- Indonesia
- Information Commissioners Office
- Information Sharing
- Insurance Provider
- Internal Revenue Service
- International Association of Privacy Professionals
- International Commissioners Office
- Internet
- Internet of Things
- IP Address
- Ireland
- Israel
- Italy
- Jacob Kohnstamm
- Japan
- Jason Beach
- Jay Rockefeller
- Jenna Rode
- Jennifer Stoddart
- Jersey
- Jessica Rich
- John Delionado
- John Edwards
- Kentucky
- Korea
- Latin America
- Laura Leonard
- Law Enforcement
- Lawrence Strickling
- Legislation
- Liability
- Lisa Sotto
- Litigation
- Location-Based Services
- London
- Madrid Resolution
- Maine
- Malaysia
- Markus Heyder
- Maryland
- Massachusetts
- Meta
- Mexico
- Microsoft
- Minnesota
- Mobile App
- Mobile Device
- Montana
- Morocco
- MySpace
- Natascha Gerlach
- National Institute of Standards and Technology
- National Labor Relations Board
- National Science and Technology Council
- National Security
- National Security Agency
- National Telecommunications and Information Administration
- Nebraska
- NEDPA
- Netherlands
- Nevada
- New Hampshire
- New Jersey
- New Mexico
- New York
- New Zealand
- Nigeria
- Ninth Circuit
- North Carolina
- Norway
- Obama Administration
- OECD
- Office for Civil Rights
- Office of Foreign Assets Control
- Ohio
- Oklahoma
- Opt-In Consent
- Oregon
- Outsourcing
- Pakistan
- Parental Consent
- Payment Card
- PCI DSS
- Penalty
- Pennsylvania
- Personal Data
- Personal Health Information
- Personal Information
- Personally Identifiable Information
- Peru
- Philippines
- Phyllis Marcus
- Poland
- PRISM
- Privacy By Design
- Privacy Policy
- Privacy Rights
- Privacy Rule
- Privacy Shield
- Protected Health Information
- Ransomware
- Record Retention
- Red Flags Rule
- Regulation
- Rhode Island
- Richard Thomas
- Right to Be Forgotten
- Right to Privacy
- Risk-Based Approach
- Rosemary Jay
- Russia
- Safe Harbor
- Sanctions
- Schrems
- Scott H. Kimpel
- Scott Kimpel
- Securities and Exchange Commission
- Security Rule
- Senate
- Serbia
- Service Provider
- Singapore
- Smart Grid
- Smart Metering
- Social Media
- Social Security Number
- South Africa
- South Carolina
- South Dakota
- South Korea
- Spain
- Spyware
- Standard Contractual Clauses
- State Attorneys General
- Steven Haas
- Stick With Security Series
- Stored Communications Act
- Student Data
- Supreme Court
- Surveillance
- Sweden
- Switzerland
- Taiwan
- Targeted Advertising
- Telecommunications
- Telemarketing
- Telephone Consumer Protection Act
- Tennessee
- Terry McAuliffe
- Texas
- Text Message
- Thailand
- Transparency
- Transportation Security Administration
- Trump Administration
- United Arab Emirates
- United Kingdom
- United States
- Unmanned Aircraft Systems
- Uruguay
- Utah
- Vermont
- Video Privacy Protection Act
- Video Surveillance
- Virginia
- Viviane Reding
- Washington
- Whistleblowing
- Wireless Network
- Wiretap
- ZIP Code