1) Cybersecurity Act almost adopted
The European Parliament, the Council and the European Commission reached a political agreement on the Cybersecurity Act, reinforcing the mandate and competences of ENISA, the European Union Agency for Network and Information and Security. Moreover, the political text is set to create a certification framework for products and services.
Following a political agreement reached in December 2018, the European Parliament, on 12 March 2019, approved the new Regulation. It still needs to be approved by the Council and will come into force 20 days after being published.
The new proposed mandate reinforces ENISA’s role and enables the Agency to better support the Member States in implementing the NIS (security of network and information systems) Directive and to counter particular threats more actively by becoming a centre of expertise on cybersecurity certification. The name of the Agency will be changed to EU Cybersecurity Agency.
Certification Framework for connected devices
The political agreement on the Cybersecurity Act will also create a framework for European Cybersecurity Certificates for products, processes and services that will be valid throughout the EU. It establishes the first EU-wide cybersecurity certification scheme to ensure that certified products, processes and services sold in EU countries meet cybersecurity standards. This is considered as a ground breaking development as it is the first internal market law that takes up the challenge of enhancing the security of connected products, Internet of Things devices as well as critical infrastructure through such certificates. The creation of such a cybersecurity certification framework incorporates security features in the early stages of their technical design and development (security by design). It also enables their users to ascertain the level of security assurance, and ensures that these security features are independently verified.
After the vote on the Cybersecurity Act at the plenary meeting of the European Parliament, rapporteur Angelika Niebler (EPP, DE) said: “This significant success will enable the EU to keep up with security risks in the digital world for years to come. The legislation is a cornerstone for Europe to become a global player in cyber security. Consumers, as well as the industry, need to be able to trust in IT-solutions."
2) Strengthening technical expertise in Cybersecurity at EU level: A pool of EU cybersecurity experts to be set-up
Following the adoption by the European Parliament of the proposal for a regulation of the European Parliament and of the Council establishing the European Centre for European Cybersecurity Industrial, Technology and Research Competence Centre and Network of National Coordination Centres, negotiations have started with the Council mid-March in order to adopt these new measures. Together, these structures will help secure the digital single market and increase the EU's autonomy in the area of cybersecurity.
The Cybersecurity Industrial, Technology and Research Centre will enhance the coordination of research and innovation in the field of cybersecurity. It will also be the EU's main instrument to pool investment in cybersecurity research, technology and industrial development.
The Cybersecurity Competence Network will consist of National Coordination Centres designated by member states. The national centres will either possess or have access to technological expertise in cybersecurity, for example in areas such as cryptography, intrusion detection or human aspects of security.