Council of the EU formally adopts Regulation on ENISA and on an EU cybersecurity certification scheme for products, processes and services

The Council of the EU has formally approved the European Commission’s proposal for a Regulation of the European Parliament and of the Council on ENISA (the EU Cybersecurity Agency) and on Information and Communication Technology cybersecurity certification (the Cybersecurity Act). This follows the European Parliament’s adoption of the text on 12 March 2019.

The Cybersecurity Act establishes the first EU-wide cybersecurity certification scheme to ensure that certified products, processes and services sold in EU countries meet cybersecurity standards. It includes:

  • a permanent mandate for ENISA to replace its limited mandate, which would have expired in 2020, as well as more resources allocated to the agency to enable it to fulfil its goals; and
  • a stronger basis for ENISA in the new cybersecurity certification framework to assist Member States in effectively responding to cyber attacks, with a greater role in co-operation and co-ordination at EU level.

In addition, ENISA will help increase cybersecurity capabilities at EU level and support capacity building and preparedness. ENISA will be an independent centre of expertise that will help promote high levels of awareness among people and businesses, and will also assist EU Institutions and Member States in policy development and implementation.

The Cybersecurity Act also creates a framework for European Cybersecurity Certificates for products, processes and services that will be valid throughout the EU. Under the certification framework, security features are incorporated in the early stages of the technical design and development of those products, processes and services (security by design). The framework also enables users to ascertain the level of security and ensures that these security features are independently verified.

The certification framework will be a one-stop shop for cybersecurity certification, resulting in significant cost savings for enterprises, especially SMEs, which would otherwise have had to apply for several certificates in several countries. A single certification will also remove potential market-entry barriers.

The Regulation will now be published in the Official Journal and will come into force 20 days after that.