What is it?
The EU Cybersecurity Act is the fruit of an initiative started by the European Parliament in 2017 with the goals of permanently establishing an agency to address cybersecurity threats, reducing the complexity for companies to comply with cybersecurity frameworks in each EU member state, and establishing a common cybersecurity certification framework. Formal adoption of the EU Cybersecurity Act occurred on March 27, 2019 and resulted in both the formation of the EU Cybersecurity Agency (formerly the ENISA) as a permanent agency and established a cybersecurity certification framework.
What does framework look like?
The framework supersedes all nation frameworks for cybersecurity certification in-force within each EU member state. The framework contains three levels of assurance for ICT products, services, and processes, including: basic, substantial, and high. ICT is a broad conformity self-assessment will be allowed for ICT products, services, and processes that present a low cybersecurity risk and would align with the basic level of assurance within the framework. The certification schemes will be enforced by each member state who will appoint a national certification supervisory authority that will oversee the certification issuance and impose penalties for non-compliance.
Information communication and technology (ICT) includes any communication device or application and includes: radio, television, cellular phones, computers, network hardware, software, satellite systems, and all of the components associated with those products.
When will the certification schemes be published?
Currently, there is no defined timeline for when the cybersecurity certification scheme will be published or effective. However, the EU Cybersecurity Act requires that a “rolling work programme” be published in advance of the cybersecurity certification scheme to allow businesses, government agencies, and standardization bodies to prepare for the future European cybersecurity certification schemes. The first rolling work programme is required to be published within 12 months following the EU Cybersecurity Act coming into force which occurred 20 days after it was passed.
Is the cybersecurity certification scheme voluntary?
Although the cybersecurity schemes will be voluntary, the EU Cybersecurity Agency is required to evaluate by 2023 whether specific schemes should be mandatory for certain high-risk ICT products, services, or processes. Additionally, if a cybersecurity certification scheme is required by another European Union regulation or a member state requirement, then the cybersecurity certification scheme would be required as it supersedes all certification schemes of each EU member state.
Are industry certifications allowed as alternatives?
Industry certification schemes, such as ISO 27001, BSI C5 (Germany), SecNumCloud (France), CSA Cloud Control Matrix, NIST 800-53, SOC 2 Trust Services Criteria, and PCI – DSS, are not in the purview of the EU Cybersecurity Agency, but they may be proposed and approved as formal European cybersecurity certification schemes.
What progress has been made?
The EU Cybersecurity Act directed the EU Cybersecurity Agency to coordinate with a new European Cybersecurity Certification Group to gather input from stakeholders and prepare the cybersecurity certification schemes. No further progress has been announced to date.