In 2015, the European Commission launched the Digital Single Market strategy, which notably seeks to reinforce the European Union’s (EU) stance on cybersecurity. As part of that strategy, an initial proposal for a Regulation titled “Cybersecurity Act” was published on September 13th, 2017 by the European Commission.

One of the strategy’s objectives is “stepping up Europe’s response to cyber-attacks by strengthening ENISA, the EU cybersecurity agency, and creating an effective EU cyber deterrence and criminal law response to better protect Europe’s citizens, businesses and public institutions”. In 2016, the NIS Directive contributed to this objective by creating new obligations for public and private entities with regards to cybersecurity.

According to the same line of reasoning, the proposed Cybersecurity Act aims to reinforce the standing and means of the European Union Agency for Network and Information Security (ENISA) and to create a new, EU-wide certification framework for ICT products, services and processes.

On December 11th, 2018, it was announced that the European Parliament, the Council and the European Commission had reached a political agreement on the final version of the Cybersecurity Act.

When will the Cybersecurity Act enter into force? What would this new Regulation contain?

No clear date of entry into force

The final version of the Cybersecurity Act remains to be formally approved by the European Parliament and the Council of the European Union, after which it will enter into force immediately. No official date has been announced for either of these procedures.

However, the deputy head of cabinet for the European commissioner for digital economy and society, gave some indications during his intervention at the CyberSec Brussels Leaders’ Foresight 2019 event on February 20th. On that occasion, he noted that the Cybersecurity Act “is likely to be enforced in May 2019”.

As European Parliament elections are to be held from May 23rd to May 26th, it seems likely that the final version would undergo the approval process before the Parliament is renewed. Should the Cybersecurity Act not be formally approved by the European Parliament by then, the process of approval might be pushed back by several months.

A reinforced position for the ENISA

The ENISA was first established in 2004 by the Regulation (EC) No 460/2004 of March 10th, 2004. Its main purpose was to assist the European Commission, Member States as well as public and private entities with regards to network and information security. The agency was initially established for five years, and its mandate has been renewed several times since then. The ENISA’s current mandate is set to expire in 2020.

The proposed Cybersecurity Act seeks to reinforce the ENISA’s standing, notably by giving it a permanent mandate and by allocating it more resources to enable it to fulfil its goals. Its main mission to contribute to a high level of cybersecurity within the European Union would remain the same.

The ENISA would be granted more leeway to organize the cooperation and coordination between Member States in response to cybersecurity incidents and crises, in line with a recommendation from the European Commission also dated September 13th, 2017.

A European framework for a cybersecurity certification

In addition to strengthening the ENISA, the proposed Cybersecurity Act creates a unified certification system throughout the European Union for ICT products, services and processes.

The December 11th official press release states that the certification will cover Internet of Things devices, the security of connected products in general, as well as the certification of critical infrastructures. The main goal of this new framework is to increase the public’s trust in ITC by turning cybersecurity into a business incentive and a competitive advantage.

By creating a single certification across Europe, the European institutions aim to remove potential market-entry barriers and reduce costs, as companies will not need to apply for a different cybersecurity certificate in each country. Consumers and companies alike will then be able to choose between more secure products and services, which should foster trust in ICT as a whole.

 

As the final version of the Cybersecurity Act has not been published, it is unclear as to how entities can get ready for this new Regulation. Mathias Avocats will keep you informed of any new developments.