The European Parliament originally began the process of creating an agency to address cybersecurity threats in 2017. As part of that effort, it formally adopted the EU Cybersecurity Act this year. This new mandate of ENISA, the EU Agency for Cybersecurity, has some potential ramifications for international businesses.
We’ve tried to answer your most pressing questions about this important new mandate. Below, we review the goals of the EU Cybersecurity Act, the certification framework and the certification process. We also discuss what this means for businesses and how it relates to other EU cybersecurity legislation.
What is the EU Cybersecurity Act?
The EU Cybersecurity Act (Regulation (EU) 2019/881) entered into force on June 27, 2019. It is significant because it’s the first set of rules addressing cybersecurity certification for all of the countries in the European Union. This act accomplishes two things:
- The establishment of the EU Agency for Cybersecurity (formerly known as ENISA) as a permanent regulatory agency.
- The creation of a cybersecurity certification framework.
What Are the Goals of the EU Cybersecurity Act?
The European Parliament has taken these steps for the express purpose of supporting member states in handling cybersecurity threats and attacks. It aims to do this by formulating a unified cybersecurity certification framework. The framework is designed to clarify the compliance standards for companies operating in EU countries.
The EU Cybersecurity Act not only strengthens the powers of ENISA, but will enable companies doing business in the member states to have information and communications technology (ICT) goods certified across the Union.
How is the Certification Framework Structured?
The European cybersecurity certification framework effectively supersedes all national frameworks. It will ensure the application of a single set of common certification standards for ICT products, processes and services. Within the framework, there are three levels of assurance for these goods.
The European Commission plans to adopt multiple schemes for each level of cybersecurity certification. ENISA will develop these schemes outlining the type of ICT goods covered, the purpose, required security standards, evaluation methods, and period of validity for issued certificates.
The details of these schemes are expected to be released to the public in the coming months, but we can expect them to cover issues such as:
- Preventing unauthorized storage, processing, access, disclosure, destruction, loss, or modification of data,
- Limiting access to protected data to authorized persons, programs and devices,
- Ensuring that transactions involving protected data are tracked and can be reviewed,
- Maintaining disaster recovery plans.
Once adopted, these certification schemes must then be enforced by each EU member state. Then, ENISA will be responsible for reviewing adopted certification schemes regularly – every five years – to verify that they meet the criteria set out by the EU Cybersecurity Act.
How Will the Certification Process be Handled?
Each country will appoint a national certification supervisory authority which will be charged with managing certification issuance, conformity and related penalties for non-compliance. For now, cybersecurity certification will be voluntary, unless otherwise specified by a particular EU state law.
However, this is expected to change in the future, depending on the designated level of risk. ICT products, services and processes with a low level of risk should be able to rely on self-assessment and/or third-party certification. Certification is expected to remain voluntary for these goods at the “basic” level. By 2023, the EU Cybersecurity Agency will determine if certain schemes will become mandatory for high-risk ICT items.
Statement by EU Commissioner Mariya Gabriel on the Entry into force of the EU Cybersecurity Act.
How Will the Cybersecurity Act Impact Businesses?
This act provides companies operating within the European Union the chance to certify that their products, processes or services meet EU cybersecurity standards. For now, businesses can decide whether to participate in this certification process. The main advantage is the assurance that their conformity will be recognized by all countries in the Union. In fact, the framework aims to set a unified standard for cybersecurity certification and avoid a disjointed approach with different member states introducing their own standards.
When a certification scheme has been formulated, businesses with ICT products, processes and services can apply to a national assessment body of their choice in order to request certification. Goods that comply with the framework will be certified at one of the three levels for a maximum of 3-5 years. At the end of this time period, before certificate validity expires, companies will be able to apply for renewal.
It is yet to be determined by the various EU member states what possible penalties will be issued in response to infringements or failure to comply.
How Does the Cybersecurity Act Compare to Other EU Legislation?
The EU Cybersecurity Act is one element in the European Union’s measures to increase data security. This greater legislative effort, known as the Digital Single Market, also includes the NIS Directive, which became the first set of EU-wide laws regarding cybersecurity in 2016. This directive created the foundation for notification and security requirements for operators of essential services and digital service providers, including cloud providers.
The more well-known General Data Protection Regulation (GDPR), which went into effect in May 2018, works to protect personal data and privacy for EU citizens and simplify the regulatory process for international organizations. It requires controllers and processors to follow certain protocols and implement measures to ensure that data cannot become publicly available without explicit, informed consent. Similarly, the most recent draft of the ePrivacy Regulation (EPR) has been proposed to help regulate electronic communications within the union. It addresses online communications, internet tracking technologies, and electronic direct marketing.
Other industry certification schemes are not affected by the EU Cybersecurity Act. These include ISO 27001, Germany’s BSI C5, France’s SecNumCloud, the CSA Cloud Controls Matrix, NIST 800-53, the SOC 2 Trust Services Criteria, and PCI DSS. However, we may anticipate that many of these previously established schemes will be proposed, and possibly adopted, as unified European cybersecurity certification schemes.
Be Prepared for the Cybersecurity Challenges of 2020
As we move into the new year, make sure that your company is ready to face all of the new cybersecurity challenges and respond to the latest data security compliance requirements. Schedule a consultation with the professional auditors at I.S. Partners, LLC to make sure your organization is starting 2020 with a secure foundation. Call our office or request a quote today.