The EU Cybersecurity Act

Regulation (EU) 2019/881 on ENISA and on information and communications technology cybersecurity certification and repealing Regulation (EU) No 526/2013

What is the EU Cybersecurity Act? 

The EU Cybersecurity Act came into force on 27 June 2019 and will apply in full across the EU from 28 June 2021. 

It has two main purposes: 

  1. To give ENISA (the EU Agency for Network and Information Security) a permanent mandate; and 
  2. To establish a European cyber security certification framework for ICT (information and communications technology) products, services and processes. 

Read the full text of the Regulation here

Why is an EU framework for cyber security certification needed?

Independently audited cyber security certification demonstrates that your organisation has implemented best practice, and is an important way of increasing stakeholder trust.  

However, there are many different cyber security certification schemes and standards in existence across Europe – such as the UK’s Cyber Essentials scheme, the Dutch scheme for BSPA (Baseline Security Product Assessment) and France’s CSPN (Certification Sécuritaire de Premier Niveau).

This, combined with the relatively slow uptake of certification to international standards such as ISO 27001, means that it can be difficult for individuals and organisations to accurately assess the cyber security risks associated with using potential providers’ ICT products, processes or services.

The European cyber security certification framework aims to remove this difficulty so that consumers can make better-informed decisions about the products, processes and services they use.

What does the EU cyber security certification framework do?

The framework sets EU-wide parameters for the rules, technical requirements, standards and procedures surrounding risk-based certification schemes covering different categories of ICT products, processes and services.

Organisations will be able to obtain certifications that are valid across the EU, reducing the compliance burden on those that currently maintain multiple certifications to meet requirements across different markets.

This harmonised approach to cyber security certification will supersede member states’ individual certification schemes from mid-2021, although certificates issued under them will be valid until expiry.

Cyber security objectives (Article 51)

The new cyber security certification schemes must achieve a number of cyber security objectives, which are aligned with established best practice.

These include:

Information security

To protect data against accidental or unauthorised storage, processing, access, disclosure, destruction, loss, alteration or lack of availability during the entire lifecycle of the ICT product, service or process.

Learn more about information security

Access control

That authorised persons, programs or machines are able to access only the data, services or functions to which their access rights refer.

Vulnerability assessment

To verify that ICT products, services and processes do not contain known vulnerabilities.

User activity monitoring

To record and make it possible to check which data, services or functions have been accessed, used or otherwise processed, at what times and by whom.

Cyber resilience

To restore the availability and access to data, services and functions in a timely manner in the event of a physical or technical incident.

Learn more about cyber resilience

Security by design

That ICT products, services and processes are secure by design and by default.

Patch management

That ICT products, services and processes are provided with up-to-date software and hardware that do not contain publicly known vulnerabilities, and are provided with mechanisms for secure updates.

Cyber security certification: levels of assurance

There will be three levels of assurance for certificates issued under the framework: basic, substantial and high.

Achieving certification to each level will require different forms of evaluation:

Basic

Evaluation activities should include at least a review of technical documentation. This can be carried out by self-assessment.

Substantial

Evaluation activities should include at least “a review to demonstrate the absence of publicly known vulnerabilities and testing to demonstrate that the ICT products, ICT services or ICT processes correctly implement the necessary security functionalities”.

High

Evaluation activities should include at least “a review to demonstrate the absence of publicly known vulnerabilities; testing to demonstrate that the ICT products, ICT services or ICT processes correctly implement the necessary security functionalities at the state of the art; and an assessment of their resistance to skilled attackers using penetration testing”.

User activity monitoring

To record and make it possible to check which data, services or functions have been accessed, used or otherwise processed, at what times and by whom.

Cyber resilience

To restore the availability and access to data, services and functions in a timely manner in the event of a physical or technical incident.

Learn more about cyber resilience

Security by design

That ICT products, services and processes are secure by design and by default.

Patch management

That ICT products, services and processes are provided with up-to-date software and hardware that do not contain publicly known vulnerabilities, and are provided with mechanisms for secure updates.

Future review and compulsory certification (Article 56)

Certification to the new schemes will initially be voluntary, but the European Commission will periodically review the schemes’ efficiency and use, and whether certification should be mandatory.

The first such assessment must take place by 31 December 2023, and subsequent assessments will be carried out every two years thereafter.

Schemes affecting Operators of Essential Services as defined by Annex II of the NIS Directive will be assessed as a priority.

EU Cybersecurity Act enforcement and penalties

Individuals and organisations have the right to lodge a complaint with the issuer of any European cyber security certificate, and the right to an effective judicial remedy with regard to decisions taken by conformity assessment bodies or the national cyber security certification authority.

The Act also prescribes a regime of “effective, proportionate and dissuasive” penalties for infringements – the same language used in the GDPR and NIS Directive, which prescribe penalties of up to €20 million or 4% of an organisation’s annual global turnover – whichever is greater.

Entry into force

The Regulation was published in the Official Journal of the European Union on 7 June 2019 and came into force on 27 June 2019.

Articles 58 (National Cybersecurity certification authorities), 60 (Conformity assessment bodies), 61 (Notification), 63 (Right to lodge a complaint), 64 (Right to an effective judicial remedy) and 65 (Penalties) will apply from 28 June 2021.

Brexit

As to the UK’s future relationship with the EU, the UK government’s EU regulation on ENISA and Cyber Security Certification – NOTICE explains:

The Regulation does not introduce any directly operational cyber security certification schemes, so there will be no operational implications for industry that arise as a direct result of this legislation following the UK’s departure from the EU.

If there are EU Certification Schemes in operation when the UK leaves the EU as a result of this framework, then the UK’s future relationship with those will be considered in the context of the individual schemes. Article 54 of the Regulation requires individual certification schemes to include conditions for the mutual recognition of those schemes with third countries.​

Start your journey to being cyber secure today

For all your cyber security needs – from consultancy services to training, staff awareness programmes, security testing, documentation toolkits, standards, software, books and guides – we have everything you need to support and enhance your security programme.

NCSAM:
Save 15%
here