On June 8, 2018, a political agreement was reached in the European Union ("EU") that paves the way to an EU framework that would set up certification schemes applying to a range of online services and connected consumer devices, and that would transform the mandate of the European Union Agency for Network and Information Security ("ENISA"), to be renamed the EU's Cyber Security Agency (the "Agency"). Negotiations will now start with the European Parliament; the EU Cybersecurity Act could be finalized as early as the end of 2018.
With the implementation deadline for the Network and Information Security ("NIS") Directive having recently passed, and with the reinforced focus on security measures in the General Data Protection Regulation, cybersecurity is high on the EU political agenda.
What You Should Know about the EU Cybersecurity Act
EU Cybersecurity Certification Schemes
While network and information systems are playing a key role in society and an increasing number of devices are connected to the Internet, the EU considers that security and resilience are not sufficiently built into products, services or processes. Setting up EU certification schemes would, according to the EU, play an important role in addressing such concerns.
The draft EU Cybersecurity Act includes provisions to create European cybersecurity certification schemes for ICT products (i.e., any element of network and information systems); services (i.e., any service involved in the transmission, storing, retrieving or processing of information by means of network and information systems); or processes (i.e., a set of activities performed to design, develop, deliver and maintain an ICT product or service). Under the draft EU Cybersecurity Act, the use of certification schemes will be voluntary unless otherwise specified in EU law or member states' law. Among the products that may be subject to the certification schemes are connected cars and smart medical devices.
A European certification scheme may specify three assurance levels, basic, substantial or high, on aspects such as, among others, resilience to accidental or malicious data loss or alteration. The assurance level will indicate the requirements and evaluations the products, services or processes went through. The schemes will be based on a comprehensive set of rules, technical requirements, standards and procedures and will cover the full life cycle of products, services or processes. The certificates issued under the schemes would, according to the draft EU Cybersecurity Act, be valid in all EU countries. Depending on the assurance level (and the risks involved), the certification would be issued by the manufacturers or providers of ICT products and services themselves (self-certification) or by either a national cybersecurity certification authority or a conformity assessment body. The absence of fragmentation in the standards should, according to the EU, increase users' confidence in the security of these technologies.
EU Agency for Cybersecurity
The draft EU Cybersecurity Act states that cyber attacks are on the rise. In the EU's view, the connected economy and society are more vulnerable to cyber threats and attacks, requiring stronger defenses. So far, while cyber attacks are often cross-border, the policy responses of cybersecurity authorities and the competences of law enforcement remain national.
The EU Cybersecurity Act, when adopted, will provide the Agency with a permanent mandate and new tasks in supporting member states, EU institutions and other stakeholders on cyber issues. ENISA was initially set up to help member states comply with NIS, i.e., cybersecurity rules designed to protect key industries such as banking, energy and technology from attacks. Building on this role, the Agency will be tasked with tackling cybersecurity threats and attacks.
The Agency shall, among other things, organize regular EU-level cybersecurity exercises. It shall support and promote EU policy on cybersecurity certification and serve as an effective EU-level response, building upon dedicated policies and wider instruments for European solidarity and mutual assistance. The Agency will be able to rely on a network of national liaison officers at member state level to facilitate information sharing.
What Is Next?
The text adopted on June 8, 2018, is the European Council's position for negotiations with the European Parliament. Both have to agree on the final text before it can be adopted (as early as the end of 2018) and enter into force. The EU Cybersecurity Act, when adopted, will take the form of a regulation, a legal instrument directly applicable in all member states.
You can find the draft regulation here: http://data.consilium.europa.eu/doc/document/ST-9350-2018-INIT/en/pdf