European cybersecurity certification scheme approved


Representatives of EU Member States yesterday approved the EU’s proposed Cybersecurity Act, which includes a standardised European cybersecurity certification programme.

The Cybersecurity Act, which will also see the European Agency for Network and Information Security (ENISA) evolve into a permanent EU Agency for Cybersecurity, will enable European cybersecurity certification for online devices, allowing consumers to make informed choices about the products they buy.

Under the draft regulation, European cybersecurity certification schemes will be made available for ICT products, processes and services. Certificates issued within the schemes will be valid in all Member States, allowing certified companies to conduct business across EU borders. Potential uses for the certificates include connected toys and smart wearable technology, as well as larger projects such as industrial automation controls or smart energy grids.

Becoming certified will be voluntary unless specified otherwise in EU or national laws. The schemes providing European cybersecurity certification will incorporate existing programmes operating at regional, national and EU-wide levels, and will be overseen by the relevant authorities in Member States.

ENISA, which was first set up in 2004, will be granted a permanent mandate to operate as the EU’s official cybersecurity body – ENISA’s current mandate had been due to expire in June 2020. The revitalised EU Agency for Cybersecurity will be accorded new powers to support EU Member States and institutions in addressing issues pertaining to cybersecurity, implementing the European cybersecurity certification programme and organising regular cybersecurity exercises to keep affiliates up to date on emerging concerns.

The text of the Cybersecurity Act, which has been approved by members of the European Council’s Permanent Representatives Committee, will have to undergo legal and linguistic checks before being approved by the European Parliament and Council. Once it enters into force, Member States will have an adjustment period of up to two years to set up the appropriate authority bodies to provide European cybersecurity certification.
