During the previous weeks, we provided a thorough overview of the EU NIS Directive, focusing on the Operators of Essential Systems (OES), the Digital Service Providers (DSP) and the compliance frameworks. Our review of the EU cybersecurity policy and strategy would be incomplete without mentioning the EU Cybersecurity Act. On 27 June, the European Cybersecurity Act entered into force, setting the new mandate of ENISA, the EU Agency for Cybersecurity, and establishing the European cybersecurity certification framework.

The Cybersecurity Act at a Glance

The EU Cybersecurity Act (“Act”) provides a permanent mandate for the European Network and Information Systems Agency (ENISA) and changes its name to the EU Agency for Cybersecurity, while giving it substantially more authority and resources.

Many of the Act’s provisions further support or advance provisions of the NIS Directive. Most importantly, however, the Act:

  • Establishes an EU cybersecurity certification framework for information and communication technology (ICT) products, services, and processes.
  • Requires Member States to designate one or more national cybersecurity certification authorities.
  • Establishes assessment bodies to determine conformity with the Act.
  • Requires Member States to determine penalties for certification violations and infringement of European cybersecurity certification schemes.

The Act is intended to advance trust through an EU-wide certification framework consisting of cybersecurity certification schemes that include common cybersecurity requirements and evaluation criteria across national markets and sectors.

The opening clauses of the Act provide a thorough justification of the need to develop such a certification framework. IoT devices and related ICT products and services “are not sufficiently built-in by design, leading to insufficient cybersecurity.” The Act further notes that “the limited use of certification leads to individual, organizational and business users having insufficient information about the cybersecurity features of ICT products, ICT services, and ICT processes, which undermines trust in digital solutions.”
