On June 8, 2018, a political agreement was reached in the European Union ("EU") that paves the way to an EU framework that would set up certification schemes to apply to a range of online services and connected consumer devices, as well as the transformation of the mandate of the European Union Agency for Network and Information and Security ("ENISA"), to be renamed as the EU's Cyber Security Agency (the "Agency"). Negotiations will now start with the European Parliament; the EU Cybersecurity Act could be finalized as early as the end of 2018.
With the recent implementation deadline passing for the Network and Information Security ("NIS") Directive and a reinforced focus on security measures in the General Data Protection Regulation, cybersecurity is high on the EU political agenda.
What You Should Know about the EU Cybersecurity Act
EU Cybersecurity Certification Schemes
While network and information systems are playing a key role in society and an increasing number of devices are connected to the Internet, the EU considers that security and resilience are not sufficiently built into products, services or processes. Setting up EU certification schemes would, according to the EU, play an important role in addressing such concerns.
The draft EU Cybersecurity Act includes provisions to create European cybersecurity certification schemes for ICT products (i.e., any element of network and information systems); services (i.e., any service involved in the transmission, storing, retrieving or processing of information by means of network and information systems); or processes (i.e., a set of activities performed to design, develop, deliver and maintain an ICT product or services). Under the draft EU Cybersecurity Act, the use of certification schemes will be voluntary unless otherwise specified in EU law or member states' law. Among products that may be subject to the certification schemes are connected cars or smart medical devices.
A European certification scheme may specify three sets of assurance level on aspects such as, among others, resilience to accidental or malicious data loss or alteration: basic, substantial or high. The assurance level will be an indication of the requirements and evaluations the products, services or processes went through. The schemes will be based on a comprehensive set of rules, technical requirements, standards and procedures and cover the full life cycle of products, services or processes. The certificates issued under the schemes would, according to the draft EU Cybersecurity Act, be valid in all EU countries. Depending on the assurance level (and risks involved), the certification would be issued by the manufacturer or provider of ICT products and services themselves (self-certification) or by either a national cybersecurity certification authority or a conformity assessment body. The absence of fragmentation in the standards should, according to the EU, increase users' confidence in the security of these technologies.
EU Agency for Cybersecurity
The draft EU Cybersecurity Act states that cyber attacks are on the rise. The connected economy and society is more vulnerable to cyber threats and attacks, requiring stronger defenses in the EU's view. So far, while cyber attacks are often cross-border, policy responses by cybersecurity authorities and law enforcement competences are national.
The EU Cybersecurity Act, when adopted, will provide the Agency with a permanent mandate and new tasks in supporting member states, EU institutions and other stakeholders on cyber issues. ENISA was initially set up to help member states complying with NIS, i.e., cybersecurity rules designed to protect key industries such as banking, energy and technology from attacks. Building on this role, the Agency will be tasked to tackle cybersecurity threats and attacks.
The Agency shall, among others things, organize regular EU-level cybersecurity exercises. It shall support and promote EU policy on cybersecurity certifications and serve as an effective EU level response, building upon dedicated policies and wider instruments for European solidarity and mutual assistance. The Agency will be able to rely on a national liaison officers network at member states' level to facilitate information sharing.
What Is Next?
The text adopted on June 8, 2018, is the European Council's position for negotiations with the European Parliament. Both have to agree on the final text before it can be adopted (as early as end of 2018) and entered into force. The EU Cybersecurity Act, when adopted, will be taking the form of a regulation, a legal instrument directly applicable in all member states.
You can find the draft regulation here: http://data.consilium.europa.eu/doc/document/ST-9350-2018-INIT/en/pdf
Visit us at mayerbrown.com
Mayer Brown is a global legal services provider comprising legal practices that are separate entities (the "Mayer Brown Practices"). The Mayer Brown Practices are: Mayer Brown LLP and Mayer Brown Europe – Brussels LLP, both limited liability partnerships established in Illinois USA; Mayer Brown International LLP, a limited liability partnership incorporated in England and Wales (authorized and regulated by the Solicitors Regulation Authority and registered in England and Wales number OC 303359); Mayer Brown, a SELAS established in France; Mayer Brown JSM, a Hong Kong partnership and its associated entities in Asia; and Tauil & Chequer Advogados, a Brazilian law partnership with which Mayer Brown is associated. "Mayer Brown" and the Mayer Brown logo are the trademarks of the Mayer Brown Practices in their respective jurisdictions.
© Copyright 2018. The Mayer Brown Practices. All rights reserved.
This Mayer Brown article provides information and comments on legal issues and developments of interest. The foregoing is not a comprehensive treatment of the subject matter covered and is not intended to provide legal advice. Readers should seek specific legal advice before taking any action with respect to the matters discussed herein.