EU Cybersecurity Act Agreed Upon
December 11, 2018
This evening, the European Parliament, the Council and the European Commission have reached a political agreement on the Cybersecurity Act which reinforces the mandate of the EU Agency for Cybersecurity, (European Union Agency for Network and Information and Security, ENISA) so as to better support Member States with tackling cybersecurity threats and attacks. The Act also establishes an EU framework for cybersecurity certification, boosting the cybersecurity of online services and consumer devices.
Vice-President Andrus Ansip, in charge of the Digital Single Market, said: “In the digital environment, people as well as companies need to feel secure; it is the only way for them to take full advantage of Europe's digital economy. Trust and security are fundamental for our Digital Single Market to work properly. This evening's agreement on comprehensive certification for cybersecurity products and a stronger EU Cybersecurity Agency is another step on the path to its completion.”
Commissioner Mariya Gabriel, in charge of Digital Economy and Society, added: "Enhancing Europe's cybersecurity, and increasing the trust of citizens and businesses in the digital society is a top priority for the European Union. Major incidents such as Wannacry and NotPetya have acted as wake-up calls, because they dearly showed the potential consequences of large-scale cyber-attacks. In this perspective, I strongly believe that tonight's deal both improves our Union's overall security and supports business competitiveness."
Proposed in 2017 as part of a wide-ranging set of measures to deal with cyber-attacks and to build strong cybersecurity in the EU, the Cybersecurity Act includes:
In addition, ENISA will help increase cybersecurity capabilities at EU level and support capacity building and preparedness. Finally, ENISA will be an independent centre of expertise that will help promote high level of awareness of citizens and businesses but also assist EU Institutions and Member States in policy development and implementation.
The Cybersecurity Act also creates a framework for European Cybersecurity Certificates for products, processes and services that will be valid throughout the EU. This is a ground breaking development as it is the first internal market law that takes up the challenge of enhancing the security of connected products, Internet of Things devices as well as critical infrastructure through such certificates. The creation of such a cybersecurity certification framework incorporates security features in the early stages of their technical design and development (security by design). It also enables their users to ascertain the level of security assurance, and ensures that these security features are independently verified.
Benefits for citizens and businesses
The new rules will help people trust the devices they use every day because they can choose between products, like Internet of Things devices, which are cyber secure.
The certification framework will be a one-stop shop for cybersecurity certification, resulting in significant cost saving for enterprises, especially SMEs that would have otherwise had to apply for several certificates in several countries. A single certification will also remove potential market-entry barriers. Moreover, companies are incentivized to invest in the cybersecurity of their products and turn this into a competitive advantage.
Following tonight's political agreement, the new regulation will have to be formally approved by the European Parliament and the Council of the EU. It will then be published in the EU Official Journal and will officially enter into force immediately, thus paving the way for European certification schemes to be produced and for the EU Agency for Cybersecurity, ENISA, to start working on the basis of this focused and permanent mandate.
The Cybersecurity Act was proposed as part of the Cybersecurity package adopted on 13 September 2017, and as one of the priorities of the Digital Single Market strategy. To keep up with the ever-evolving cyber threats, the Commission also proposed, one year later in September 2018, to create a European Cybersecurity Industrial, Technology and Research Centre and a network of Cybersecurity Competence Centres to better target and coordinate available funding for cybersecurity cooperation, research and innovation. The proposed European Cybersecurity Competence Centre will manage cybersecurity-related financial support from the EU's budget and facilitate joint investment by the Union, Member States and industry to boost the EU's cybersecurity industry and make sure our defense systems are state-of-the-art.