EU-wide cybersecurity certification will soon be available for Internet-connected devices, enabling consumers to make more informed choices and making it easier for companies to market their smart products across Europe. Today, member states’ ambassadors approved the proposed Cybersecurity Act, which will also upgrade the current European Agency for Network and Information Security (ENISA) into a permanent EU Agency for Cybersecurity. A provisional agreement on the new law was reached between the presidency and the European Parliament on 10 December.
Common cybersecurity certification
The draft regulation creates a mechanism for setting up European cybersecurity certification schemes for specific ICT processes, products, and services. Certificates issued under the schemes will be valid in all EU countries, making it easier for users to gain trust in these technologies, and for companies to carry out their business across borders. Possible uses for such certificates are extremely varied, ranging from connected toys and smart wearables to industrial automation control systems and smart energy grids.
The actual certification schemes will be built on what already exists at international, European and national level. The schemes will be adopted by the Commission, and implemented and supervised by national cybersecurity certification authorities.
Certification will be voluntary unless otherwise specified in EU law or member states’ law. The Commission will regularly monitor the impact of certification schemes and assess their level of use by manufacturers and service providers.
There will be three different assurance levels, based on the level of risk associated with the intended use of the product. For the most basic level, it will be possible for manufacturers or service providers to carry out the conformity assessment themselves.
EU cybersecurity agency
Greek-based ENISA has been contributing to the EU’s network and information security since it was set up in 2004. The new rules will grant the agency a permanent mandate and clarify its role as the EU agency for cybersecurity. ENISA’s current mandate was due to expire in June 2020.
ENISA will be given new tasks in supporting member states, EU institutions and other stakeholders on cyber issues. It will support EU policy on cybersecurity certification e.g. by playing a central role in the preparation of certification schemes. It will promote the uptake of the new certification system for example by setting up a website providing information on certificates.
The agency will also organise regular EU-level cybersecurity exercises, including a large-scale comprehensive exercise once every two years.
A national liaison officers network will be part of the mandate facilitating information sharing between ENISA and the member states.
The first EU legal act on cybersecurity, the 2016 directive on the security of network and information systems (NIS), already allocated ENISA a key role in supporting the implementation of the directive. For example, ENISA provides the secretariat for the network of computer security incident response teams (CSIRTs) set up under the NIS directive and actively supports the cooperation among the CSIRTs.
Procedure and next steps
The provisional agreement on the proposal was endorsed by the meeting of ambassadors in the Council’s Permanent Representatives Committee (Coreper).
The agreed text will now undergo legal and linguistic finalisation. It must then be formally adopted, first by the Parliament and then by the Council. Following adoption, the regulation will be published in the EU’s Official Journal. It will enter into force 20 days after publication.
The rules will start to apply the same day, except for certain provisions related to cybersecurity certification which require member states to designate certain authorities. To give member states the time needed to adapt their national structures, these provisions will become applicable two years after the regulation has been published.
The agreed text will be made available here.