European Union: The New EU Cybersecurity Act: One Step Closer To A More Secure Future

Last Updated: 14 January 2020
Article by Charles-Henri Caron and Anne-Laure Morise

Introduction

The proliferation of connected devices across industry sectors has led to the emergence of a significant and distinct threat to many types of organisations. However, a majority of European companies continue to underestimate just how exposed they are to cyber risk.[9] This lack of awareness translates into low investment in Internet of Things (IoT) cybersecurity and limited legal risk management.

Against this backdrop, the European Commission (the "Commission") has been developing and adopting the EU Cybersecurity Strategy, with the European Network and Information Security Agency (ENISA), created in 2004, making an active contribution to policy.[10] Initially established for a period of five years, ENISA's mandate has been progressively extended,[11] revised and modernised.

At launch, ENISA's mission was principally to provide advice and assistance and enhance cooperation between EU bodies and Member States in the field of cybersecurity. Over the 2013-2016 period, ENISA's performance, governance and organisational structure were evaluated by the Commission.[12] Based inter alia on its findings and on the consultation of various stakeholders, the Commission concluded that ENISA's mandate was not sufficient and adopted a new cybersecurity package on 13 September 2017.[13] It proposed a new Regulation providing ENISA with a strengthened and permanent mandate and creating an EU-wide cybersecurity certification framework.[14]

ENISA's strong mandate

The cybersecurity ecosystem is changing all the time, with new challenges emerging from the transformed cyber threat landscape. To ensure ENISA can fit into and respond to this new environment, the Cybersecurity Act strengthened its powers to improve coordination and cooperation in cybersecurity across the EU and granted it a permanent status from 27 June 2019.[15] The financial and human resources allocated to ENISA have also been increased.

From now on, ENISA will act as the EU's cybersecurity expert, providing advice and expertise to Member States, private stakeholders, European institutions and policymakers,[16] and helping Member States to implement the Directive on the Security of Network and Information Systems.[17]

Its new objectives are to raise cybersecurity standards across the EU by (i) assisting Member States and EU institutions, bodies, offices and agencies in developing and implementing EU general cybersecurity policy,[18] (ii) supporting capacity building and preparedness,[19] (iii) supporting operational cooperation and coordination among the various actors,[20] and (iv) promoting the use of cybersecurity certification.[21] To that end, ENISA will perform various analyses of emerging technologies, cyber threats and incidents. It will also provide advice and guidance, and develop guidelines and best practices.[22]

ENISA works with competent authorities to issue warnings targeted at manufacturers and providers, requiring them to improve the security of their information and communications technology (ICT) products and services where these do not meet cybersecurity standards.[23] More generally, it assists Member States and national authorities in preventing, and improving their responsiveness to, cyber threats and incidents.

EU cybersecurity certification framework

The Commission wants connected devices and IoT technologies to incorporate security features in the early stages of development. It is also important that customers should be able to identify the level of security of the products or services they purchase.[24] This is particularly true for devices – like connected products and services in the healthcare sector – that require a high level of security. To achieve this goal, the Cybersecurity Act creates the first EU-wide cybersecurity certification framework.

At the moment, security certification schemes exist in some sectors where cybersecurity is a critical consideration, such as automated cars and electronic medical devices.[25] But where such certification exists, it is only recognised in the Member State concerned.[26] This means that companies have to certify their ICT products in several Member States if they plan to market them across the EU, which is costly for companies and inefficient for the Digital Single Market (DSM).

For that reason, the Cybersecurity Act adopts a uniform approach to prevent "certification shopping".[27] Specifically, it establishes "a European cybersecurity certification framework that lays down the main horizontal requirements for European cybersecurity certification schemes to be developed and allows European cybersecurity certificates and EU statements of conformity for ICT products, ICT services or ICT processes to be recognised and used in all Member States".[28]

ENISA will assist with designing candidate cybersecurity certification schemes that will then be adopted by the Commission.[29] Every certification scheme will specify an assurance level ("basic", "substantial" or "high").[30] Conformity self-assessment is possible for low-risk products and services at the "basic" assurance level. In such cases, manufacturers and providers issue a statement of conformity under their sole responsibility.[31]

ENISA will also launch a European Cybersecurity Certification website.[32] This will contain certification schemes, certificates and statements of conformity, and should build trust among end-users.

Each European cybersecurity certification scheme must include inter alia the "maximum period of validity of European cybersecurity certificates issued under the scheme".[33] ENISA will evaluate each adopted European certification scheme at least every five years.[34]

Recourse to European cybersecurity certification is voluntary, unless otherwise specified by EU or Member State law.[35]

Any existing national certification scheme covered by the new European certification scheme will cease to be effective.[36] Any existing certificate issued under a national certification scheme and covered by the new European certification scheme remains valid until its expiry date.[37]

Comment

The Cybersecurity Act further strengthens EU cybersecurity policy, enabling manufacturers of ICT products to demonstrate – across the EU – that their products are secure. It should also improve access to information and build trust among the end-users of certified connected products.

The success of the new certification framework will depend on how readily it can be adapted to deal with constantly evolving cyber threats, market developments and industry specifics. The Commission will play a significant role here by regularly assessing "the efficiency and use of the adopted European cybersecurity certification schemes".

Also, because certification is not mandatory, the framework's objectives will be met only if ICT manufacturers and providers make full use of it. Last, it remains to be seen how this new Regulation will work with existing regulations, including the General Data Protection Regulation (GDPR) and the NIS Directive.

Footnotes

9. European Commission, Commission Staff Working Document, Impact assessment accompanying the document proposal for a regulation of the European Parliament and of the Council on ENISA, the "EU Cybersecurity Agency", and repealing Regulation (EU) 526/2013, and on Information and Communication Technology cybersecurity certification, Part 1/6, p. 41.

10. Regulation (EC) No 460/2004 of the European Parliament and of the Council of 10 March 2004 establishing the European Network and Information Security Agency.

11. ENISA's mandate was last extended until 19 June 2020 by Regulation (EU) No 526/2013.

12. Study on the Evaluation of the European Union Agency for Network and Information Security, Final Report.

13. European Commission, Press release, State of the Union 2017 - Cybersecurity: Commission scales up EU's response to cyber-attacks, 19 September 2017.

14. Proposal for a Regulation on ENISA, the "EU Cybersecurity Agency", and repealing Regulation (EU) 526/2013, and on Information and Communication Technology cybersecurity certification.

15. Cybersecurity Act, Recital 16.

16. Cybersecurity Act, Article 3.

17. Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union (NIS Directive).

18. Cybersecurity Act, Article 5.

19. Cybersecurity Act, Article 6.

20. Cybersecurity Act, Article 7.

21. Cybersecurity Act, Article 8.

22. Cybersecurity Act, Article 9.

23. Cybersecurity Act, Recital 51.

24. Cybersecurity Act, Recitals 7 and 10.

25. Cybersecurity Act, Recital 65.

26. Cybersecurity Act, Recital 67.

27. Cybersecurity Act, Recital 70.

28. Cybersecurity Act, Recital 69.

29. Cybersecurity Act, Articles 8 and 48.

30. Cybersecurity Act, Article 52.

31. Cybersecurity Act, Article 53.

32. Cybersecurity Act, Article 50.

33. Cybersecurity Act, Article 54.

34. Cybersecurity Act, Article 49.

35. Cybersecurity Act, Article 56.

37. Cybersecurity Act, Article 57.
