The European Parliament originally began the process of creating an agency to address cybersecurity threats in 2017. As part of that effort, it formally adopted the EU Cybersecurity Act in 2019. This mandate from ENISA, the EU Agency for Cybersecurity, has some potential ramifications for international businesses.
In this article, we try to answer all of your burning questions about this important mandate. Here, we review the goals of the EU Cybersecurity Act, the framework and the certification process. We also want to discuss what this means for businesses and how it relates to other EU cybersecurity legislation.
What is the EU Cybersecurity Act?
The EU Cybersecurity Act (Regulation (EU) 2019/881) entered into force on June 27, 2019. It was significant as the first set of rules addressing cybersecurity certification for all of the countries in the European Union. This act accomplished two main things:
- The establishment of the EU Cybersecurity Agency (formerly the ENISA) as a permanent regulatory agency.
- The creation of a cybersecurity certification framework.
What Are the Goals of the EU Cybersecurity Act?
The European Parliament has taken these steps for the express purpose of supporting member states in handling cybersecurity threats and attacks. It aims to do this by formulating a unified cybersecurity certification framework. The framework is designed to clarify the compliance standards for companies operating in EU countries.
The EU Cybersecurity Act not only strengthens the powers of ENISA, but will enable companies doing business in the member states to have information and communications technology (ICT) goods certified across the Union.
How is the Certification Framework Structured?
The European cybersecurity certification framework effectively supersedes all national frameworks. It supports the application of a single set of common certification standards for ICT products, processes, and services. Within the framework, there are three levels of assurance for these goods:
- Basic,
- Substantial,
- High.
The European Commission plans to adopt multiple schemes for each level of cybersecurity certification. ENISA will develop these schemes outlining the type of ICT goods covered, the purpose, required security standards, evaluation methods, and period of validity for issued certificates.
The full details of these schemes are expected to be released to the public in the coming year when implementation is endorsed by all EU member states. Currently, there are three cybersecurity certification schemes being developed that address:
- ICT products,
- Cloud services, and
- 5G networks.
We also predict that additional schemes released in the future will cover issues such as:
- Preventing unauthorized storage, processing, access, disclosure, destruction, loss, or modification of data,
- Limiting access to protected data to authorized persons, programs, and devices,
- Ensuring that transactions involving protected data are tracked and can be reviewed,
- Disaster recovery plans.
Once adopted, these certification schemes must then be enforced by each EU member state. Then, ENISA will be responsible for reviewing adopted certification schemes regularly – every five years – to verify that they meet the criteria set out by the EU Cybersecurity Act.
When Was the Deadline for the EU Cybersecurity Act?
From June 2020 to September 2021, the rolling work program has been meeting regularly This program is charged with identifying certification priorities for the ICT products, processes, and services. Business owners who have not been paying attention to the EU Cybersecurity Act may find that the products, services, or processes are considered ICT-related and will be included in this rolling work program. If they do not have the right certification, however, they may find themselves not in compliance with the newly enforced act.
The rolling work program consists of certification schemes that will have 22 elements that will also include mutual recognition of certification from third countries, procedures that manufacturers and businesses must undergo when offering supplemental information about potential risks, and certification monitoring rules.
How Will the Certification Process be Handled?
Each country will appoint a national certification supervisory authority which will be charged with managing certification issuance, conformity and related penalties for non-compliance. For now, cybersecurity certification will be voluntary, unless otherwise specified by a particular EU state law.
However, this is expected to change in the future, depending on the designated level of risk. ICT products, services and processes with a low level of risk should be able to rely on self-assessment and/or third-party certification. Certification is expected to remain voluntary for these goods at the “basic” level. By 2023, the EU Cybersecurity Agency will determine if certain schemes will become mandatory for high-risk ICT items.
How Is the Cybersecurity Act Impacting Businesses?
This act provides companies operating within the European Union the chance to certify that their products, processes, or services meet EU cybersecurity standards. For now, businesses can decide whether to participate in this certification process. The main advantage is the assurance that their conformity will be recognized by all countries in the Union. In fact, the framework aims to set a unified standard for cybersecurity certification and avoid a disjointed approach with different member states introducing their own standards.
When a certification scheme has been formulated, businesses with ICT products, processes, and services can apply to a national assessment body of their choice in order to request certification. Goods that comply with the framework will be certified at one of the three levels for a maximum of 3-5 years. At the end of this time period, before certificate validity expires, companies will be able to apply for renewal.
It is yet to be determined by the various EU member states what possible penalties will be issued in response to infringements or failure to comply.
How Does the EU Cybersecurity Act Affect American Businesses?
As more U.S. businesses expand to offer their services overseas, they are facing new challenges in regard to how they do business in the European Union. Since the EU Cybersecurity Act took effect in 2019, companies are scrambling to understand whether this specific set of regulations impacts them.
Upon hearing the words “cyber security,” many U.S. companies believe that the act only applies to banks, credit cards, or companies that are involved directly in customer’s payment transactions. Other businesses assume that because they are following cybersecurity rules set forth by the United States government that these laws will also cover EU Cybersecurity Act parameters. However, they are still not fully aware of how the law impacts them.
Protecting customer information is paramount for every cybersecurity policy that is rolled out. The EU Cybersecurity Act applies to all information and communication technology (ICT) as it applies to products, services, and processes. This legislation is sweeping and all-encompassing. Not only does it apply directly to these ICT elements across all national markets and industry sectors, it also applies to any information system and network that is deployed with the ICT process, product, or service.
This regulatory standard defines ICT products, processes, and services as:
- ICT Process: A set of activities that will design, develop, maintain, or deliver an ICT product or service.
- ICT Product: A device, element or a group of devices and elements that comprise of an information system or a network
- ICT Service: A service that mainly or will fully gather, transmit, store, or process information using an information system or a network
At the moment, businesses with products, services, or processes that fall under the umbrella of the EU Cybersecurity Act can decide whether they want to obtain certification. Without certification, a business can find itself in violation of the regulations and be fined, or it will not be able to compete evenly on the market.
Renewal of Certification Schemes
U.S. businesses also need to be aware of the renewal process for the certification schemes. If your company has an ICT product, service, or process that is already included in the rolling work program, the certification scheme will be reevaluated every five years. This means that U.S. businesses may find that a product, service, or process that wasn’t previously included in the EU Cybersecurity Act will now be covered in the rolling work program. The business, therefore, will need to obtain the certification.
In addition, the voluntary certification aspect may become mandatory by the European Commission during the assessment period for the certification schemes. This possibility is likely to further encourage participation in the voluntary certification early on to avoid operational delays as companies seek to maintain compliance.
How Does the Cybersecurity Act Compare to Other EU Legislation?
The EU Cybersecurity Act is one element in the European Union’s measures to increase data security. This greater legislative effort, known as the Digital Single Market, also includes the NIS Directive, which became the first set of EU-wide laws regarding cybersecurity in 2016. This directive created the foundation for notification and security requirements for operators of essential services and digital service providers, including cloud providers.
The more well-known General Data Protection Regulation (GDPR), which went into effect in May 2018, works to protect personal data and privacy for EU citizens and simplify the regulatory process for international organizations. It requires controllers and processors to follow certain protocols and implement measures to ensure that data cannot become publicly available without explicit, informed consent. Similarly, the most recent draft of the ePrivacy Regulation (EPR) has been proposed to help regulate electronic communications within the union. It addresses online communications, internet tracking technologies, and electronic direct marketing.
Other industry certification schemes are not affected by the EU Cybersecurity Act. This includes ISO 27001, Germany’s BSI C5, and France’s SecNumCloud, CSA Cloud Control Matrix, NIST 800-53, SOC 2 Trust Services Criteria, and PCI – DSS. Although we may anticipate that many of these previously established schemes will be proposed, and possibly adopted, as unified European cybersecurity certification schemes.
Be Prepared for the Cybersecurity Challenges of 2022
As we move into the new year, make sure that your company is ready to face all of the new cybersecurity challenges and respond to the latest data security compliance requirements. Schedule a consultation with the professional auditors at I.S. Partners, LLC to make sure your organization is starting 2022 with a secure foundation. Call our office or request a quote today.
