A political agreement was reached between the European Parliament, the Council of the European Union (EU) and the European Commission on the EU Cybersecurity Act (Act) and announced on December 10, 2018. The pace of the adoption of the Act (with less than three months of discussions among the EU institutions) confirms that cybersecurity is high on the EU political agenda.
Background: What is the Purpose of the EU Cybersecurity Act?
The EU institutions considered that security and resilience are not sufficiently built into products, services or processes and want to advance the cybersecurity of online services and consumer devices within the EU. Proposed in 2017 as part of a wide-ranging set of measures to deal with cyberattacks and to promote enhanced cybersecurity in the European Union (alongside the Network and Information Security "NIS" Directive and a reinforced focus on security measures in the General Data Protection Regulation), the Act should, according to the EU institutions, play an important role in addressing such concerns. It will lead to the creation of EU cybersecurity certification schemes for ICT products (i.e., hardware and software elements of network and information systems); ICT services (i.e., services involved in transmitting, storing, retrieving or processing information via network and information systems); and ICT processes (i.e., sets of activities performed to design, develop, deliver and maintain ICT products or services). The European Union Agency for Network and Information Security (ENISA or the Agency) will be tasked with preparing candidate schemes (each covering a specific group of ICT products, services or processes) for adoption by the European Commission.
Each scheme would have its own scope and may include specific conditions for mutual recognition with third countries. A scheme may specify one or more of three assurance levels (basic, substantial or high), reflecting, among other aspects, the resilience of the product, service or process to accidental or malicious data loss or alteration. The assurance level indicates the rigour of the requirements and evaluations to which the products, services or processes are subject. The schemes will be based on a comprehensive set of rules, technical requirements, standards and procedures and will cover the full life cycle of the products, services or processes concerned.
Certificates issued under the schemes would be valid in all EU Member States. Depending on the assurance level (and the risks involved), certification may rest on a self-assessment by the manufacturer or provider of the ICT product, service or process (foreseen only for the basic assurance level) or require the involvement of a national cybersecurity certification authority or a conformity assessment body. Certification under a scheme remains voluntary unless EU or Member State law provides otherwise. The resulting absence of fragmentation among national standards should, according to the EU institutions, increase users' confidence in the security of these technologies.
The Act also gives ENISA a permanent mandate and new tasks to support Member States, EU institutions and other stakeholders on cyber issues. The Agency will have more resources to assist Member States in responding to cyberattacks and will play a greater role in cooperation and coordination at the EU level.
The adoption of the Act was one of the goals of the Austrian presidency, which (almost) managed to complete it before the end of its term at the close of the year. The Act now needs to be formally approved by the European Parliament (a first-reading vote in the Parliament is scheduled for March 2019) and by the Council of the EU. It will then be published in the Official Journal of the European Union and enter into force. The Act is an EU regulation, a legal instrument directly applicable in all EU Member States without the need for national transposition.
For more details on the Act, please see previous coverage.