On 12 March 2019, the European Parliament issued its first position on the text proposed by the European Commission for a Regulation of the European Parliament and of the Council on ENISA (the European Union Agency for Network and Information Security), also known as the EU Cybersecurity Act.
Initiatives to build strong EU-wide cybersecurity
The EU Cybersecurity Act was proposed in 2017 to:
i) Provide a permanent mandate for ENISA (to replace its limited mandate that would have expired in 2020);
ii) Allocate more resources to ENISA to enable it to fulfil its goals; and
iii) Establish an EU framework for cybersecurity certification for products, processes and services that will be valid throughout the EU.
The European Parliament, Council and Commission reached an informal trialogue agreement on the proposal of the EU Cybersecurity Act in December last year. Now that the European Parliament adopted its first-reading position, it is expected that the European Council will adopt the proposed Regulation without further amendments. The Regulation will then be published into the EU Official Journal and will enter into force 20 days following that publication.
Some noteworthy points should be taken from the European Parliament’s comments:
- The EU Cybersecurity Act offers businesses the opportunity to apply a range of voluntary security measures at the earliest stages of design and development. This will reinforce trust in their information and communications technology (ICT) products, services and processes at the Union level. This is known as ‘security by design’.
- The EU Cybersecurity Act also encourages businesses to configure their ICT products, services and processes so that users can receive from the very beginning a default configuration that is easy, reliable and secure when implemented. Users should not need to have extensive knowledge of configuration or technical understanding. This is known as ‘security by default’.
- Cyber threats are a global issue and closer international cooperation is imperative to improve cybersecurity standards. This calls for the adoption of common codes of conduct, information sharing, the use of international standards and collaboration on a global scale. Accordingly, ENISA’s main mandate under the EU Cybersecurity Act will be to boost the EU’s cooperation with third countries and international organisations.
The EU Cybersecurity Act is a welcome step towards shaping a safer cyber environment within the EU. The voluntary certification framework should benefit consumers in particular, to help them understand what level of security they can expect when purchasing ICT products and services. As the certification is voluntary, however, its effectiveness will be dependent upon how many businesses choose to certify.