The EU Cybersecurity Act: What You Need to Know

What is it?

The EU Cybersecurity Act is the fruit of an initiative started by the European Parliament in 2017 with the goals of permanently establishing an agency to address cybersecurity threats, reducing the complexity for companies of complying with separate cybersecurity frameworks in each EU member state, and establishing a common cybersecurity certification framework. Formal adoption of the EU Cybersecurity Act occurred on March 27, 2019 and resulted in both the formation of the EU Cybersecurity Agency (formerly the ENISA) as a permanent agency and the establishment of a cybersecurity certification framework.

What does the framework look like?

The framework supersedes all national frameworks for cybersecurity certification in force within each EU member state. The framework contains three levels of assurance for ICT products, services, and processes: basic, substantial, and high. A conformity self-assessment will be allowed for ICT products, services, and processes that present a low cybersecurity risk and align with the basic level of assurance within the framework. The certification schemes will be enforced by each member state, which will appoint a national certification supervisory authority to oversee certification issuance and impose penalties for non-compliance.

Information and communication technology (ICT) is a broad term covering any communication device or application, including radio, television, cellular phones, computers, network hardware, software, satellite systems, and all of the components associated with those products.

When will the certification schemes be published?

Currently, there is no defined timeline for when the cybersecurity certification scheme will be published or effective. However, the EU Cybersecurity Act requires that a "rolling work programme" be published in advance of the cybersecurity certification scheme to allow businesses, government agencies, and standardization bodies to prepare for the future European cybersecurity certification schemes. The first rolling work programme is required to be published within 12 months of the EU Cybersecurity Act coming into force, which occurred 20 days after it was passed.

Is the cybersecurity certification scheme voluntary?

Although the cybersecurity certification schemes will be voluntary, the EU Cybersecurity Agency is required to evaluate by 2023 whether specific schemes should be mandatory for certain high-risk ICT products, services, or processes. Additionally, if a cybersecurity certification scheme is required by another European Union regulation or by a member state requirement, then that cybersecurity certification scheme would be mandatory, as it supersedes the certification schemes of each EU member state.

Are industry certifications allowed as alternatives?

Industry certification schemes, such as ISO 27001, BSI C5 (Germany), SecNumCloud (France), the CSA Cloud Controls Matrix, NIST 800-53, the SOC 2 Trust Services Criteria, and PCI DSS, are not within the purview of the EU Cybersecurity Agency, but they may be proposed and approved as formal European cybersecurity certification schemes.

What progress has been made?

The EU Cybersecurity Act directed the EU Cybersecurity Agency to coordinate with a new European Cybersecurity Certification Group to gather input from stakeholders and prepare the cybersecurity certification schemes. No further progress has been announced to date.

About Bryan Harper

Bryan Harper is a Director with Schellman. Prior to joining Schellman in 2017, Bryan worked as a Senior IT Auditor, specializing in SOC examinations. Bryan also worked as a staff accountant in a public accounting firm performing financial audits, consulting, and outsourced internal audit engagements for clients in the banking, insurance, and healthcare industries. Bryan is now focused primarily on SOC examinations for organizations across various industries. At Schellman, Bryan is involved with technical training development specific to auditing cloud services and supports Schellman's cybersecurity task force, which is responsible for monitoring developments in and responding to cybersecurity regulations and related cybersecurity compliance frameworks.