European Institutions reach political agreement on Cyber Security Act

The European Parliament, the Council and the European Commission have reached a political agreement on the Cyber Security Act, which reinforces the mandate of the European Union Agency for Network and Information Security (ENISA) so as to better support Member States in tackling cyber security threats and attacks. The Act also establishes an EU framework for cyber security certification, boosting the cyber security of online services and consumer devices.

Proposed in 2017 as part of a wide-ranging set of measures to deal with cyber attacks and to build strong cyber security in the EU, the Cyber Security Act includes:

  • a permanent mandate for ENISA to replace its limited mandate that would have expired in 2020, as well as more resources allocated to the agency to enable it to fulfil its goals; and
  • a stronger basis for ENISA in the new cyber security certification framework to assist Member States in effectively responding to cyber attacks with a greater role in co-operation and co-ordination at EU level.

In addition, ENISA will help increase cyber security capabilities at EU level and support capacity building and preparedness. ENISA will be an independent centre of expertise that will help promote high levels of awareness among people and businesses, and will also assist EU Institutions and Member States in policy development and implementation.

The Cyber Security Act also creates a framework for European Cyber Security Certificates for products, processes and services that will be valid throughout the EU. The certification framework incorporates security features in the early stages of the technical design and development of these products, processes and services (security by design). It also enables users to ascertain the level of security and ensures that these security features are independently verified.

The certification framework will be a one-stop shop for cyber security certification, resulting in significant cost savings for enterprises, especially SMEs that would otherwise have had to apply for several certificates in several countries. A single certification will also remove potential market-entry barriers.

The new Regulation will now have to be formally approved by the European Parliament and the Council of the EU. It will then be published in the EU Official Journal and will officially enter into force immediately.