EU to create a common cybersecurity certification framework and beef up its agency – Council agrees its position
The EU is to enhance its cyber resilience by setting up an EU-wide certification framework for information and communication technology (ICT) products, services and processes. The industry could use the new mechanism to certify products such as connected cars and smart medical devices. The Council today agreed its general approach on the proposal, known as the Cybersecurity Act. The proposal will also upgrade the current European Union Agency for Network and Information Security (ENISA) into a permanent EU agency for cybersecurity.
“We all want our devices to be secure. This new certification framework will increase trust and confidence in innovative digital solutions.”
Ivaylo Moskovski, Bulgarian Minister for Transport, Information Technology and Communications.
Common cybersecurity certification
The draft regulation creates a mechanism for setting up European cybersecurity certification schemes for specific ICT processes, products, and services. Certificates issued under the schemes will be valid in all EU countries, making it easier for users to gain confidence in the security of these technologies, and for companies to carry out their business across borders.
Certification will be voluntary unless otherwise specified in EU law or member states’ law.
Features covered would include for instance resilience to accidental or malicious data loss or alteration.
There will be three different assurance levels: basic, substantial or high. For the basic level, it will be possible for manufacturers or service providers to carry out the conformity assessment themselves.
EU agency for cybersecurity
The new rules will grant ENISA a permanent mandate and clarify its role as the EU agency for cybersecurity. ENISA will be given new tasks in supporting member states, EU institutions and other stakeholders on cyber issues. It will organise regular EU-level cybersecurity exercises, and support and promote EU policy on cybersecurity certification. The first EU legal act on cybersecurity, the network and information security (NIS) directive from 2016, had already given ENISA a key role in supporting the implementation of the directive.
A national liaison officers network will be part of the mandate facilitating information sharing between ENISA and the member states.
How will the text become law?
The text agreed today is the Council’s position for negotiations with the European Parliament. Both the Council and the Parliament have to agree on the final text before it can enter into force.
Cybersecurity Act – Council general approach
Reform of cyber security in Europe (background information)