After the entry into force of the NIS Directive, the European institutions continued their legislative work on the security of network and information systems: the European Commission made it a priority to present the European legislators with a comprehensive package of measures to strengthen cybersecurity in the European Union. One of the most important of these measures is a proposal for a Regulation that creates a European framework for the cybersecurity certification of ICT products and digital services and strengthens the role of the European Union Agency for Network and Information Security (“ENISA”): the so-called Cybersecurity Act.
The Cybersecurity Act, which entered into force in June 2019, can be divided into two parts: the first specifies the role and mandate of ENISA, while the second introduces a European framework for certifying the cybersecurity of Internet-connected devices and other digital products and services. Because it is a regulation rather than a directive, the Cybersecurity Act is directly applicable in all Member States without national transposition, as was the case for the GDPR.
The first key point of the Cybersecurity Act is the strengthening of the role and mandate of ENISA, whose previous mandate was temporary and limited and was due to expire in 2020. Until now, ENISA’s role has mainly been to provide technical assistance to both Member States and the European institutions in developing policies on the security of network and information systems, thereby strengthening their capacity to prevent, detect and respond to cyber incidents. The new mandate introduced by the Cybersecurity Act does not change the allocation of responsibility for incident response: the operational handling of cyber incidents remains the competence of the Member States. What the Act does is give ENISA a permanent mandate and allow it to carry out not only the technical advisory activities it has performed so far, but also tasks that are partly operational. In this way ENISA can provide concrete support to Member States, European institutions and businesses in key sectors, including support for the implementation of the NIS Directive. ENISA also has a leading role in managing and supporting the certification framework introduced by the Cybersecurity Act.
The second key point is that the Cybersecurity Act introduces an EU-wide cybersecurity certification framework for ICT products and services. It addresses a concrete problem: several Member States already operate their own certification schemes, but certificates issued under one national scheme are not recognised in other Member States. The Cybersecurity Act provides an overall framework, with a common set of rules, under which European certification schemes for specific categories of products and services can be adopted, so that certificates issued under those schemes are recognised in all Member States. Certificates issued under such a scheme attest to one of three assurance levels (basic, substantial or high), and certification remains voluntary unless Union or Member State law provides otherwise.
Under this mandate, ENISA can also perform functions in support of the internal market, including acting as a cybersecurity “market observatory” that analyses trends in the cybersecurity market and feeds that analysis into EU policy development and ICT standardisation. ENISA is likewise involved in the EU Cybersecurity Blueprint (Commission Recommendation (EU) 2017/1584), which coordinates the response to large-scale cross-border cybersecurity incidents and crises at EU level. The Blueprint applies only to incidents whose effects extend across two or more Member States and that are significant at the EU political level.
The revised text, produced after consultation of several European Parliament committees (including the Internal Market and Consumer Protection, Budgets, Civil Liberties, and Industry, Research and Energy committees), goes beyond the Commission’s initial proposal by opening the way for some certification schemes for ICT products, services and processes to become mandatory. It also extends the certification schemes to cover not only ICT products and services but also ICT processes, giving the framework a wider scope of application.
On 12 March 2019 the European Parliament approved the proposal for the Cybersecurity Act, and the Council subsequently gave its approval. The Regulation was published in the Official Journal of the European Union on 7 June 2019 and, as provided in its final article, entered into force on the twentieth day after publication, 27 June 2019.