Several measures to improve cybersecurity in the EU were provisionally agreed by MEPs and member states on Monday.
After the agreement was reached, rapporteur Angelika Niebler (EPP, DE) said: “This important success will enable the EU to keep up with security risks in the digital world for years to come. The agreement is a cornerstone for Europe to become a global player in cyber security. Consumers, as well as the industry, need to be able to trust in IT-solutions.”
New European cybersecurity certification for connected technological devices
Parliament and Council negotiators agreed to introduce the first EU-wide cybersecurity certification scheme to ensure that cybersecurity standards are met by products and services sold in EU countries.
Consumers will be better informed, thanks to the introduction of information on cybersecurity for certified products and services. As requested by Parliament, manufacturers shall provide detailed information including guidance on installation, the period for security support including information for security updates.
The deal underlines the particular importance of certifying critical infrastructure, including energy grids, water, energy supplies and banking systems.
Companies will no longer have to pay for separate tests in every member state where they sell their products. In addition, for some of the certificates needed to ensure a minimum level of cybersecurity, companies will be able to certify their own products themselves, to avoid time-consuming and expensive tests in private labs.
The Commission shall assess by 2023 if any particular schemes should be made mandatory.
Better governance of certification schemes
As requested by the Parliament, a Union rolling work programme will be part of the governance of the cybersecurity certification schemes, making future initiatives more predictable, inclusive and transparent for industry. In addition, the creation of a stakeholders’ certification group will ensure their involvement in setting the strategic priorities on future certification requirements.
More power to EU cybersecurity agency
The EU’s cybersecurity agency ENISA will be reinforced, as Parliament wanted, to help improve cybersecurity within the European Union. Among the new tasks, ENISA will run the security drill to prepare the EU for a crisis response to major cyberattacks.
The deal will now be put to the Industry, Research and Energy Committee and plenary for approval, as well as the Council. The regulation will enter into force 20 days after its publication in the Official Journal.