The European Cybersecurity Act entered into force on June 27, setting a new mandate for ENISA, the EU Agency for Cybersecurity, and establishing the European cybersecurity certification framework.
Vice-President for the Digital Single Market Andrus Ansip said the European Commission has pushed forward in making sure Europe has the necessary capabilities, including by proposing a European certification framework and having financing for cybersecurity research and development under the next long-term EU budget. He added that work on 5G security is a particular priority.
ENISA will now have a permanent mandate, increased resources and responsibilities. The agency will play a key role in setting up and maintaining the cybersecurity certification framework by preparing the technical ground for specific certification schemes and informing the public on the certification schemes and the issued certificates through a dedicated website.
ENISA is also mandated to increase operational cooperation at EU level, helping member states to handle cyber incidents, and supporting EU coordination in the case of large-scale attacks and crises. In order to fulfil its new mandate, the resources of the agency have been doubled, rising from 11 to 23 million EUR over a period of five years.
The Cybersecurity Act introduces EU-wide rules for cybersecurity certification. Companies in the EU will benefit from having to certify their products, processes and services only once and see their certificates recognised across the Union.
Under the framework, multiple schemes will be created for different categories of ICT products, processes and services. Each scheme will specify, among other things, the type or categories of ICT products, services and processes covered, the purpose, the security standards that shall be met and the evaluation methods. The schemes will also indicate the period of validity for the certificates issued. ENISA will prepare the certification schemes, which will then be adopted by the Commission through implementing acts.
Alongside third-party certification, conformity self-attestation by the manufacturer is allowed for products that present a low level of risk. While certification will remain voluntary, the Commission will assess whether mandatory certification is required for certain categories of products and services.
Using a European Cybersecurity Certificate, a company can demonstrate both the security of its products and its secure development practices, and hence meet the requirements of its clients not only in one EU member state but across the whole of the EU. Vendors of ICT products and services will be keen to make buyers and could use a specific label linked to the certificate.
EU citizens will be able to consult ENISA’s European Cybersecurity Certification website. If, for example, they are looking to purchase a smart TV, they will be able to find a model that has been certified against the appropriate cybersecurity requirements, along with additional information including guidance from the vendor on how to set up, configure and operate the TV securely, and for how long the vendor commits to providing cybersecurity patches if new vulnerabilities are found.
The European Commission will now prepare a rolling work program for European Cybersecurity Certification, which will identify strategic priorities for certification and in particular include a list of ICT products, services and processes or categories thereof that may benefit from being included in the scope of a European Cybersecurity Certification Scheme. The program will be subject to a public consultation.