Several measures to improve cybersecurity in the EU were provisionally agreed by Members of the European Parliament and member states on December 10.
Parliament and European Council negotiators agreed to introduce the first EU-wide cybersecurity certification scheme to ensure that cybersecurity standards are met by products and services sold in EU countries.
Consumers will be better informed, thanks to the introduction of information on cybersecurity for certified products and services. As requested by Parliament, manufacturers shall provide detailed information including guidance on installation, the period for security support including information for security updates.
The deal underlines the particular importance of certifying critical infrastructure, including energy grids, water, energy supplies and banking systems.
Companies will no longer have to pay for separate tests in every member state where they sell their products. In addition, for some of the certificates needed to ensure a minimum level of cybersecurity, companies will be able to certify their own products themselves, to avoid time-consuming and expensive tests in private labs.
The European Commission shall assess by 2023 if any particular schemes should be made mandatory.
In addition, a rolling work program will form part of the governance of the cybersecurity certification schemes, making future initiatives more predictable, inclusive and transparent for industry. The creation of a stakeholders’ certification group will ensure their involvement in setting the strategic priorities on future certification requirements.
As part of the new agreement, the EU’s cybersecurity agency ENISA will be reinforced to help improve cybersecurity within the European Union. Among the new tasks, ENISA will run the security drill to prepare the EU for a crisis response to major cyber attacks.
The deal will now be put to the Industry, Research and Energy Committee and plenary for approval, as well as the European Council. The regulation will enter into force 20 days after its publication in the Official Journal.