EU Cybersecurity Act

The EU Cybersecurity Act

The EU Cybersecurity Act revamps and strengthens the EU Agency for cybersecurity (ENISA) and establishes an EU-wide cybersecurity certification framework for digital products, services and processes

The EU Cybersecurity Act key focused on the following actions: 

  1. Reinforces ENISA, the EU agency for cybersecurity
  2. Creates a European cybersecurity certification framework for ICT products, services and processes
  3. Complements the Directive on Security of Network and Information Systems (NIS Directive)

A new mandate for ENISA

ENISA, the EU Agency for cybersecurity, is now stronger. The EU Cybersecurity Act grants a permanent mandate to the agency, more resources and new tasks, these include:

  • CYBERSECURITY CAPACITY BUILDING: Contributing to the improvement of the EU’s and national public authorities’ cybersecurity capabilities and expertise.
  • OPERATIONAL COOPERATION & CRISIS MANAGEMENT: Strengthening the existing EU’s preventive operational capabilities (e.g. by organising pan-european cybersecurity exercises) and supporting EU’s cybersecurity operational cooperation by acting as the secretariat of the EU’s Computer Security Incident Response teams (CSIRTs) Network established under the NIS Directive.
  • COORDINATED VULNERABILITY DISCLOSURE: Assisting EU Member States and EU institutions, agencies and bodies in improving reporting of cybersecurity flaws as well as supporting the cooperation and exchange of information between key European cybersecurity players.
  • MARKET-RELATED TASKS CYBERSECURITY STANDARDISATION & CERTIFICATION: Supporting the EU’s policy development in the ICT cybersecurity standardisation and certification areas by analysing trends in the cybersecurity market as well as executing the tasks defined under the EU Cybersecurity Act.
  • POLICY DEVELOPMENT & IMPLEMENTATION: Contributing to the implementation and advancement of the EU’s cybersecurity policy.

In particular, ENISA will have a key role in setting up and maintaining the European cybersecurity certification framework by preparing the technical ground for specific certification schemes and informing the public on the certification schemes as well as the issued certificates through a dedicated website. 

ENISA is also mandated to increase operational cooperation at EU level, helping EU Member States who would request it to handle cybersecurity incidents, and supporting the coordination of the EU in case of large-scale cross borders cyber-attacks and crises. This task builds on ENISA’s role as secretariat of the national Computer Security Incidents Response Teams (CSIRTs) Network, established by the Directive on Security of Network and Information Systems (NIS Directive).

A European cybersecurity certification framework

Enhancing trust & cybersecurity in the EU Digital Single Market

Citizens  Vendors and Providers
gain transparency on the security characteristics of products and services. enjoy a competitive advantage to satisfy the growing need for more secure digital solutions

European cybersecurity certification framework: key elements

  • Addressing key challenges in modern cybersecurity certification
  • Risk-based schemes
  • International best practices in the certification scheme structure
  • Open, inclusive and transparent governance 
  • Recognized EU-wide

The EU Cybersecurity Act establishes an EU certification framework for ICT digital products, services and processes, especially related to the operation of critical infrastructure. The European cybersecurity certification framework enables the creation of tailored and risk-based EU certification schemes. 

Certification plays a critical role in increasing trust and security in products and services that are crucial for the Digital Single Market. At the moment, a number of different security certification schemes for ICT products exist in the EU. But, without a common framework for EU-wide valid cybersecurity certificates, there is an increasing risk of fragmentation and barriers in the European Single Market.

The certification framework will provide EU-wide certification schemes as a comprehensive set of rules, technical requirements, standards and procedures. This will be based on agreement at EU level for the evaluation of the security properties of a specific ICT-based product or service e.g. smart cards. It will attest that ICT products and services which have been certified in accordance with such a scheme comply with specified requirements. In particular, each European scheme should specify: 

a) the categories of products and services covered, 

b) the cybersecurity requirements, for example by reference to standards or technical specifications, 

c) the type of evaluation (e.g. self-assessment or third-party evaluation), and 

d) the intended level of assurance (e.g. basic, substantial and/or high).

To express the cybersecurity risk, a certificate may refer to three assurance levels (basic, substantial, high) that are commensurate with the level of the risk associated with the intended use of the product, service or process, in terms of the probability and impact of an incident. For example, a high assurance level means that the product that was certified has passed the highest security tests. The resulting certificate will be recognised in all EU Member States, making it easier for businesses to trade across borders and for purchasers to understand the security features of the product or service.

As for the implementation of the certification framework, Member State authorities, gathered in the European Cybersecurity Certification Group (ECCG) have already met several times. 

If you are interested to participate in the following certification schemes, please contact us. 

Following the request from the European Commission in accordance with Article 48.2 of the Cybersecurity Act, ENISA has set up an Ad Hoc Working Group (AHWG) to support the preparation of a candidate EU cybersecurity certification scheme as a successor to the existing schemes operating under the SOG-IS MRA. This has been named EUCC scheme (Common Criteria based European candidate cybersecurity certification scheme) and it looks into the certification of ICT products cybersecurity, based on the Common Criteria, the Common Methodology for Information Technology Security Evaluation, and corresponding standards, respectively, ISO/IEC 15408 and ISO/IEC 18045.

This publication is a draft version of the EUCS candidate scheme (European Cybersecurity Certification Scheme for Cloud Services), which looks into the certification of the cybersecurity of cloud services. In accordance with Article 48.2 of the Cybersecurity Act1 (EUCSA), ENISA has set up an Ad Hoc Working Group (AHWG) to work on the preparation of the candidate scheme on cloud services, as part of the European Cybersecurity Certification Framework. This is a draft version to be used as the basis for an external review. The objective of the review is to validate the principles and general organization of the proposed scheme and to gather feedback on the proposed wording of the sections and annexes.  [ PGP Public Key ]

(PGP Fingerprint: BE11 C1CC BFE2 A3A9 4929  3D1C 10FF C3BE A51C 92F7)

Last modified: Tuesday, 23 February 2021, 4:37 PM