New Cybersecurity Act published in the Official Journal - welcome to new ENISA
13 June 2019
Regulatory News Alert
On 7 June, the Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019 on ENISA (European Union Agency for Cybersecurity) and on information and communication technology cybersecurity certification and repealing Regulation (EU) No 526/2013 (Cybersecurity Act), was published in the Official Journal of the EU.
The ultimate goal of the Regulation is to strengthen the Union’s cybersecurity structures. The aim is to offer a comprehensive set of measures to develop Member States’ capabilities for responding to cyber threats (including cross-border incidents), and to foster operational cooperation between them.
The Cybersecurity Act has two focal areas:
- The first is to strengthen the powers of ENISA by making it a permanent agency of the EU
- The second is to establish a European cybersecurity certification framework to ensure the application of a common certification for information and communications technology (“ICT”) goods
ENISA’s ultimate goal is to assist the EU Member States and its institutions in their efforts to build and enhance capabilities and preparedness to prevent, detect and respond to cyber threats and incidents, in relation to the security of network and information systems. In particular, ENISA should support the development and enhancement of national and Union computer security incident response teams (CSIRTs) with a view to achieving a high common level of maturity in the Union. Also, ENISA will promote the exchange of best practices between Member States.
Additionally, this Regulation aims to address the geographical fragmentation of cybersecurity certification of ICT products, ICT services, and ICT processes. With regard to this, the Regulation sets out the cybersecurity certification framework, with an objective to improve the level of cybersecurity in the Union. Such a framework will provide for a mechanism to attest that the ICT products, ICT services, and ICT processes comply with specified security requirements. This will be for the purpose of protecting the availability, authenticity, integrity, or confidentiality of stored, transmitted, or processed data and the functions or services offered by the aforementioned products, services, and processes throughout their life cycle.
Member States should designate one or more national cybersecurity certification authorities in order to monitor and enforce the obligations arising from this Regulation for manufacturers or providers of ICT products, ICT services, or ICT processes established in their respective territories. National cybersecurity certification authorities should also handle complaints lodged by natural or legal persons in relation to European cybersecurity certificates.
Finally, with a view to ensuring the consistent application of the European cybersecurity certification framework, a European Cybersecurity Certification Group (ECCG) consisting of representatives of those authorities should be established to advise and assist the Commission in ensuring the consistent implementation of the cybersecurity program and in preparing European cybersecurity certification schemes.
The EU Cybersecurity Act will come into force on 27 June 2019.
The provisions of the Regulation shall be directly applicable in all Member States, apart from those related to national cybersecurity certification authorities, complaint lodging, and penalties, which shall apply from 28 June 2021.
How can Deloitte help you?
Deloitte can help navigate regulatory trends to identify which are relevant for your activities with the RegWatch Kaleidoscope service.
Deloitte can help you in structuring your activity to develop new products and to adapt to regulatory and market demands.