Entry into force of the Cybersecurity Act: Brief analysis and main developments

On 27 June 2019, Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019 entered into force.

The Regulation, also known as the “Cybersecurity Act”, is one of a package of measures aimed at strengthening ICT security across the European area.

The intervention is a necessary response to the increase in large-scale cyber attacks of a cross-border nature, and to “a greater vulnerability to cyber threats and attacks faced by an economy and its related society”.

The current framework calls for a strengthening of defences in this area, but above all for a common strategy among the Member States of the Union, given that competences in cybersecurity matters, and the related policy responses, have until now been predominantly national.

Objectives: Strengthening the role of ENISA and introducing a European system for certifying the security of ICT products, services and processes

The Regulation gives the European Union Agency for Cybersecurity (ENISA) a permanent mandate and increased resources, after several extensions of its mandate since its establishment in 2004.

Given that ENISA “should act as a reference point for advice and expertise for Union sector-specific policy and law initiatives where matters related to cybersecurity are involved” (recital 22 of the Regulation), the Cybersecurity Act assigns the agency a primary role in supporting the EU Member States in the management of cyber incidents, in addition to its existing tasks in the area of technical expertise and the further competences set out in Articles 3-7 of the Regulation.

Among the many tasks and objectives now assigned to ENISA are:

  • assisting the Union institutions and Member States “in developing and implementing policies related to cybersecurity” (Reg. Article 4.2);

  • assisting “Member States in their efforts to improve the prevention, detection and analysis of, and the capability to respond to cyber threats and incidents by providing them with knowledge and expertise” (Reg. Article 6.1a);

  • assisting “Member States in developing national strategies on the security of networks and information systems” (Reg. Article 6.1e);

  • promoting a high level of cybersecurity awareness, including cyber-hygiene (i.e. those “routine measures that, where implemented and carried out regularly by citizens, organisations and businesses, minimise their exposure to risks from cyber threats”) and cyber-literacy among citizens, organisations and businesses (Reg. Article 4.7).

ENISA is also charged with promoting the use of European cybersecurity certification, with a view to avoiding fragmentation of the internal market (Reg. Article 4.6).

Title III of the Cybersecurity Act, Articles 46 and following, introduces a European framework for certifying the cybersecurity of ICT products, services and processes, harmonised across all the Member States. These schemes will be adopted by the Commission by means of implementing regulations on the basis of proposals prepared by ENISA.

The objective of the Regulation is to enable mutual recognition of the various certification systems for ICT products, services and processes (such as medical devices or automated vehicles) that already exist in the majority of Member States. Certificates issued under these schemes will then be valid and recognised in all Member States.

This will facilitate circulation of digital products and services within the European area and the creation of a digital single market, with the general aim of increasing the confidence of European citizens in the digital economy.

Cybersecurity certification plays a key role in strengthening the security of, and increasing trust in, ICT products.

“The digital single market, and in particular the data economy and the IoT, can thrive only if there is general public trust that such products, services and processes provide a certain level of cybersecurity.”