On March 12, 2019, the European Parliament (“Parliament”) approved the proposal for a “Regulation of the European Parliament and of the Council on ENISA,” repealing Regulation (EU) No 526/2013 and an information and communications technology cybersecurity certification (collectively, the “Cybersecurity Act”). The Parliament’s approval follows a political agreement between the European Commission, the Parliament and the Council of the European Union (“Council”) reached last December.
The Cybersecurity Act aims to achieve a high level of cybersecurity and cyber resilience, and to promote individuals’ trust in the EU digital single market.
The Cybersecurity Act focuses on two key elements:
The European Union Agency for Cybersecurity (“ENISA”)
The Cybersecurity Act aims to reinforce ENISA’s role as the EU’s center of advice and expertise with regard to cybersecurity matters.
ENISA’s tasks under the Cybersecurity Act include:
- Development and implementation of EU policy and law: ENISA will be responsible for developing and implementing EU policy and law in the field of cybersecurity. To that end, ENISA will issue opinions and guidelines, develop best practices on various topics and assist Member States and EU institutions, bodies, offices and agencies in developing and promoting cybersecurity policies.
- Capacity-building: ENISA will assist Member States in preventing, detecting and improving their responsiveness to cyber threats and incidents, and in developing national strategies. ENISA will also support the exchange of information within and between sectors.
- Operational cooperation at EU level: ENISA will support cooperation at the EU level by promoting the exchange of know-how and best practices, by providing advice and guidelines, and by organizing cybersecurity exercises at the EU level. Furthermore, ENISA will help to develop a cooperative response at the EU and Member States level for large-scale cross-border incidents.
- Support and promotion of the European cybersecurity certification framework: ENISA will support and promote the European cybersecurity certification framework by regularly monitoring developments, recommending appropriate technical specifications for use in the development of European cybersecurity certification schemes, preparing candidate European cybersecurity certification schemes, and evaluating adopted European cybersecurity certification schemes. ENISA will also publish guidelines and develop good practices on the cybersecurity requirements of information communications technology (“ICT”) products, services, and processes, in cooperation with national cybersecurity certification authorities and industry.
- Knowledge and information, awareness-raising and education, and research and innovation: ENISA will analyze emerging technologies, provide topic-specific assessments on the expected impact of technological innovations on cybersecurity, and assess cyber threats and incidents to identify emerging trends and help prevent incidents. Based on its findings, ENISA will prepare reports with a view to providing guidance to citizens, organizations and businesses on cybersecurity.
- International cooperation: ENISA will promote international cooperation on issues related to cybersecurity by working with third countries and international organizations or within relevant international cooperation frameworks.
The European Cybersecurity Certification Framework
The Cybersecurity Act also introduces a European cybersecurity certification framework as a means of establishing European cybersecurity certification schemes for ICT products, services and processes. The Cybersecurity Act will give the Commission power to adopt European cybersecurity certification schemes.
The European Commission will publish a “Union Rolling Work program” that will identify strategic priorities for European cybersecurity certification programs to help industry, national authorities and standardization bodies prepare for such certification regimes.
ENISA will review any adopted European cybersecurity certification schemes at least every five years. It will also maintain a dedicated website on which it will publish information on European cybersecurity certification programs, European cybersecurity certificates and EU statements of conformity.
European cybersecurity certification programs will be supervised by a national supervisory authority (or authorities) designated by individual Member States. Existing national certification regimes will be replaced by new, EU-wide frameworks.
The Council must now approve the proposal before it will be published in the Official Journal of the European Union. The Cybersecurity Act will take force on the twentieth day after its publication.