European Parliament adopts EU cybersecurity certification scheme for products, processes and services, and expresses deep concern about Chinese IT in the EU

Last week MEPs adopted, with some amendments, the European Commission’s proposal for a Regulation of the European Parliament and of the Council on ENISA (the EU Cybersecurity Agency) and on Information and Communication Technology cybersecurity certification (the Cybersecurity Act).

The Cybersecurity Act establishes the first EU-wide cybersecurity certification scheme to ensure that certified products, processes and services sold in EU countries meet cybersecurity standards.

MEPs also adopted a Resolution calling for action at EU level on the security threats linked to China’s growing technological presence in the EU.

MEPs expressed deep concern about recent allegations that 5G equipment may have embedded backdoors that would allow Chinese manufacturers and authorities to have unauthorised access to private and personal data and telecommunications in the EU.

MEPs also expressed concern that third-country equipment vendors might present a security risk for the EU, because the laws of their country of origin oblige all enterprises to cooperate with the State in safeguarding a very broadly defined national security, including outside their own country. In particular, the Chinese State security laws have triggered reactions in various countries, ranging from security assessments to outright bans.

MEPs called on the Commission and Member States to provide guidance on how to tackle cyber threats and vulnerabilities when procuring 5G equipment, for example by diversifying equipment from different vendors, introducing multi-phase procurement processes and establishing a strategy to reduce Europe’s dependence on foreign cybersecurity technology.

They also urged the Commission to mandate the EU Cybersecurity Agency, ENISA, to work on a certification scheme ensuring that the rollout of 5G in the EU meets the highest security standards.

The EU Cybersecurity Act, which has already been agreed informally with the Council, underlines the importance of certifying critical infrastructure, including energy grids, water, energy supplies and banking systems, in addition to products, processes and services. By 2023, the Commission will assess whether any of the new voluntary schemes should be made mandatory.

The Cybersecurity Act also provides for a permanent mandate and more resources for ENISA.

The Council now has to formally approve the Cybersecurity Act. The Regulation will enter into force 20 days after it is published in the Official Journal. The Resolution on Chinese IT presence in the EU will be sent to the Commission and to Member States.