The EU Cybersecurity Act

What is the EU Cybersecurity Act?

Regulation (EU) 2019/881 on ENISA and on information and communications technology cybersecurity certification and repealing Regulation (EU) No 526/2013 (the EU Cybersecurity Act) has two functions:

  1. Granting a permanent mandate to ENISA (the European Union Agency for Network and Information Security); and
  2. Setting out a European cyber security certification framework for ICT (information and communications technology) products, services and processes.

It entered into force on 27 June 2019 and will apply in full across the EU from 28 June 2021.


What is the EU framework for cyber security certification?

Demonstrating that your organisation has implemented and maintains best-practice cyber security measures is an important way of reassuring regulators, stakeholders and potential customers that you take cyber security seriously.

There are many ways to achieve this, including self-assessed adherence to approved national certification schemes and independently audited certification to international standards such as ISO 27001.

Unfortunately, the number of differing national schemes and standards, and the relatively low uptake of certification to international standards, can make it difficult for potential customers to assess the security risks associated with suppliers’ ICT products, services and processes, even if they are certified.

The European cyber security framework aims to address this difficulty by setting parameters for the rules, technical requirements, standards and procedures that should apply to risk-based certification schemes for ICT products, processes and services.

Consumers will then be able to make more informed decisions about the service providers they use.

Moreover, this harmonised approach to cyber security certification will help create a digital single market for ICT products, services and processes across the EU, removing the need for organisations to maintain multiple certifications to meet different requirements for different markets.

Certifications issued under the framework will supersede member states’ individual certification schemes from mid-2021, although certificates issued under existing schemes will be valid until their expiry.

Security objectives of European cyber security certification schemes

Article 51 states that cyber security certification schemes issued under the framework must achieve a number of cyber security objectives, including:

  • To protect data against accidental or unauthorised storage, processing, access, disclosure, destruction, loss, alteration or lack of availability during the entire lifecycle of the ICT product, service or process.
  • To ensure that authorised persons, programs or machines are able to access only the data, services or functions to which their access rights refer.
  • To verify that ICT products, services and processes do not contain known vulnerabilities.
  • To record and make it possible to check which data, services or functions have been accessed, used or otherwise processed, at what times and by whom.
  • To restore the availability and access to data, services and functions in a timely manner in the event of a physical or technical incident.
  • To ensure that ICT products, services and processes are secure by design and by default.
  • To ensure that ICT products, services and processes are provided with up-to-date software and hardware that do not contain publicly known vulnerabilities, and are provided with mechanisms for secure updates.

Assurance levels of European cyber security certification schemes

Article 52 states that certificates issued under the framework will have one of three assurance levels, commensurate with the risks associated with the use of the ICT product, service or process to which they apply.

Each level will require a different evaluation:

  • Basic: Evaluation activities should include “at least a review of technical documentation”. This can be carried out by self-assessment.
  • Substantial: Evaluation activities should include at least “a review to demonstrate the absence of publicly known vulnerabilities and testing to demonstrate that the ICT products, ICT services or ICT processes correctly implement the necessary security functionalities”.
  • High: Evaluation activities should include at least “a review to demonstrate the absence of publicly known vulnerabilities; testing to demonstrate that the ICT products, ICT services or ICT processes correctly implement the necessary security functionalities at the state of the art; and an assessment of their resistance to skilled attackers using penetration testing”.

Will certification be mandatory?

Certification to the new schemes will be voluntary, unless otherwise specified by law, but the European Commission will review the schemes at least every two years from 31 December 2023 to determine whether certification should be mandatory.

Schemes affecting operators of essential services as defined by Annex II of the NIS Directive will be assessed as a priority, at least two years after the adoption of the first certification scheme.

Enforcement and penalties

Both natural and legal persons will have the right to lodge a complaint with the issuer of any European cyber security certificate or the relevant national cyber security certification authority.

They also have the right to an effective judicial remedy with regard to decisions taken by conformity assessment bodies (accredited organisations that issue cyber security certificates) or the national cyber security certification authority.

The Act also prescribes a regime of “effective, proportionate and dissuasive” penalties for infringements – the same language used in the GDPR and NIS Directive, which prescribe penalties of up to €20 million or 4% of an organisation’s annual global turnover – whichever is greater.

Start your journey to being cyber secure today

IT Governance has a wealth of experience in the cyber security and risk management field. As part of our work with hundreds of private and public organisations in all industries, we have been carrying out cyber security projects for more than fifteen years. All of our consultants are qualified, experienced practitioners.

Our services can be tailored for organisations of all sizes in any industry and location.