As more U.S. businesses expand to offer their services overseas, they are facing new challenges regarding how they do business in the European Union. Since the EU Cybersecurity Act took effect in 2019, companies have been scrambling to understand whether this specific set of regulations applies to them.
Upon hearing the words “cyber security,” many U.S. companies assume that the act applies only to banks, credit card issuers, or companies directly involved in customers’ payment transactions. Other businesses assume that because they follow the cybersecurity rules set by the United States government, those rules also satisfy the requirements of the EU Cybersecurity Act. In either case, they are still not fully aware of how the law affects them, or that a rolling work program deadline is fast approaching in 2020.
Read on to learn how this new set of cybersecurity regulations affects American businesses, when the important compliance deadlines fall, and how to prepare in 2020.
How The EU Cybersecurity Act Applies to U.S. Businesses
Protecting customer information is paramount for every cybersecurity policy that is rolled out. The EU Cybersecurity Act applies to all information and communication technology (ICT) products, services, and processes. This legislation is sweeping and all-encompassing. Not only does it apply directly to these ICT elements across all national markets and industry sectors, it also applies to any network and information system deployed as part of an ICT process, product, or service.
This regulatory standard defines ICT products, processes, and services as:
- ICT Process: A set of activities performed to design, develop, maintain, or deliver an ICT product or service.
- ICT Product: A device, element, or group of devices and elements that makes up an information system or a network.
- ICT Service: A service that fully or mainly gathers, transmits, stores, or processes information using an information system or a network.
At the moment, businesses whose products, services, or processes fall under the umbrella of the EU Cybersecurity Act can decide whether they want to obtain certification. Without certification, however, a business can find itself in violation of the regulations and be fined, or it may be unable to compete on a level playing field in the market.
EU Cybersecurity Act Deadline
On June 28, 2020, the EU will publish the first rolling work program. This program will identify the certification priorities for ICT products, processes, and services. Business owners who have not been paying attention to the EU Cybersecurity Act may find that their products, services, or processes are considered ICT-related and are included in this rolling work program. If they do not hold the right certification, they may find themselves out of compliance with the newly enforced act.
The rolling work program consists of certification schemes, each of which will have 22 elements. These elements include mutual recognition of certificates issued in third countries, the procedures manufacturers and businesses must follow when providing supplementary information about potential risks, and rules for monitoring certification.
Renewal of Certification Schemes
U.S. businesses also need to be aware of the renewal process for the certification schemes. If your company has an ICT product, service, or process that is already included in the rolling work program, the certification scheme will be reevaluated every five years. This means that U.S. businesses may find that a product, service, or process that wasn’t previously included in the EU Cybersecurity Act will now be covered in the rolling work program. The business, therefore, will need to obtain the certification.
In addition, the European Commission may make the currently voluntary certification mandatory during its assessment of the certification schemes. This possibility is likely to further encourage early participation in voluntary certification, so that companies avoid operational delays while working to maintain compliance.
Related article: A Single Track to EU Cybersecurity Certification Is Coming to the Cloud.
What Businesses Should Do to Prepare
Before the June 28, 2020 deadline, businesses that provide products, services, or processes to end clients in the European Union should learn more about the EU Cybersecurity Act and its certification schemes. You should identify every requirement that falls within the regulation’s scope, as some may not align with the PCI compliance standards or GDPR regulations that already affect companies in the United States.
Your team should decide whether certification is an appropriate goal for your business operations. Review the requirements for providing supplementary information in case your company discovers vulnerabilities in ICT products, services, or processes that may place transmitted or stored information at risk. You should also find out what risks or fines your company may face in the event of non-compliance with the regulations.
Expert Advice for Today’s International Businesses
Be proactive about the EU Cybersecurity Act. Get expert advice regarding compliance schemes and the possibility of certification for your company. Contact I.S. Partners, LLC today at 215-675-1400 or use our contact form to obtain a quote.