EU Cybersecurity Act finally into force

On June 27, the EU Cybersecurity Act has finally entered into force. This legislative measure will revamp and strengthens the EU Agency for Cybersecurity (ENISA). With the entry into force of the Cybersecurity Act, a new course is starting for ENISA, which will enjoy a permanent mandate, increased responsibilities and resources. First example of its kind, the European cybersecurity certification framework establishes the governance and rules for EU-wide certification of ICT products, processes and services.

The Commission will prepare the “Union rolling work programme for European Cybersecurity Certification”, which will identify strategic priorities for certification and in particular include a list of ICT products, services and processes or categories thereof that may benefit from being included in the scope of a European Cybersecurity Certification Scheme.

The Cybersecurity Act introduces for the first time EU-wide rules for cybersecurity certification. Companies in the EU will benefit from having to certify their products, processes and services only once and see their certificates recognised across the Union.
Under the framework, multiple schemes will be created for different categories of ICT products, processes and services. Each scheme will specify, among the others, the type or categories of ICT products, services and processes covered, the purpose, the security standards that shall be met and the evaluation methods.