The EU Cybersecurity Act Enters Into Force. The European Union (EU) Cybersecurity Act establishes a new mandate for ENISA, the EU Agency for Cybersecurity, and a European cybersecurity certification framework.
In order to scale up the EU’s response to cyber-attacks, improve cyber resilience and increase trust in the Digital Single Market, the EU Cybersecurity Act strengthens ENISA and establishes an EU cybersecurity certification framework that will allow the emergence of tailored certification schemes for specific categories of ICT products, processes and services. Companies will be able to certify their products, processes and services only once and obtain certificates that are valid across the EU.
The Cybersecurity Act works alongside both:
the EU General Data Protection Regulation, which requires security measures to be implemented when processing personal data; andthe EU Network and Information Security Directive (NIS Directive), which aims to protect critical national infrastructure.
While the NIS Directive applies only to operators of essential services and digital service providers, the Cybersecurity Act encourages all businesses to invest more in cybersecurity and to build it into their ICT devices.
How will the certification process work?
ENISA, with the help of national experts will prepare the technical ground for the certification schemes that will then be adopted by the European Commission through implementing acts. The EU-wide certification framework creates a comprehensive set of rules, technical requirements, standards and procedures to agree each scheme. Each scheme will be based on agreement at EU level for the evaluation of the security properties of a specific ICT-based product or service. This certificate will attest that ICT products and services that have been certified in accordance with such a scheme comply with specified cybersecurity requirements. The resulting certificate will be recognised in all EU Member States, making it easier for businesses to trade across borders and for purchasers to understand he security features of the product or service.
Security by design
The Framework also encourages manufacturers or providers involved in the design and development of products, services or processes to implement measures at the earliest stages of design and development. This will allow protecting the security of those products, services or processes to the highest possible degree, in such a way that the occurrence of cyberattacks is anticipated and minimised.
Who will benefit from this certification framework and how?
Citizens and end-users will be able to make more informed purchase decisions related to products and services they rely on a daily basis.Vendors and providers of products and services (including Small and medium-sized enterprises (SMEs) and new businesses), who will enjoy cost and time savings as they will undergo a single process for obtaining a European certificate which is valid, and therefore allows them to compete effectively, in all Member States.Besides, vendors of ICT products and services will be keen to make buyers aware possibly by using a specific label linked to the certificate. Governments, who, like all individual and commercial buyers, will be better equipped to make informed purchase decisions.
Find out more