The European Parliament announced, on 12 March 2019, that the Members of the European Parliament (‘MEPs’) had adopted the draft Legislative Resolution of 12 March 2019 on the Proposal for a Regulation of the European Parliament and of the Council on the European Union Agency for Network and Information Security (‘ENISA’), the EU Cybersecurity Agency, and Repealing Regulation (EU) 526/2013, and on Information and Communication Technology Cybersecurity Certification (‘the Draft Act’). In particular, the Draft Act aims to support the response to increasing cyber threats in the EU by enhancing the role of ENISA and establishing a common cybersecurity certification framework.
The Draft Act provides ENISA, which will be known as the EU Cybersecurity Agency, with a permanent mandate and reinforces its duties in advising on the development and review of EU policy and law in the field of cybersecurity by providing its independent opinion and analysis, as well as carrying out preparatory work for the ENISA Advisory Group (‘the Advisory Group’). The Advisory Group will be composed of experts representing stakeholders from the ICT industry, providers of electronic communications networks or services and experts in cybersecurity, which will raise industry issues with key stakeholders, and report back on these issues to ENISA.
The Draft Act outlines the ways in which the development of ICT products, services or processes can improve end users’ cybersecurity, including assuming that cyberattacks will occur and anticipating and minimising their impact, and delivering devices to the first user configured by default to the most secure settings possible. Additionally, the Draft Act highlights that businesses and individual consumers should be provided with accurate information regarding the assurance level at which the security of the ICT service, product or process has been certified.
Moreover, the Draft Act creates a voluntary EU cybersecurity certification scheme (‘the Scheme’) for online services and consumer devices in the EU to enhance the security of connected devices. The objectives of the Scheme include protecting data against accidental or unauthorised storage, processing, access or disclosure, and against accidental or unauthorised destruction, loss, alteration or lack of availability, and ensuring that an ICT product, service or process maintains its level of cybersecurity throughout its lifecycle. The Draft Act notes that while compliance with the Scheme is currently voluntary, it could, in the future, be necessary to impose specific cybersecurity requirements and make certification mandatory.
The Draft Act has to be formally approved by the Council of the European Union and is expected to enter into force 20 days after publication.
RHIANNON GIBBS-HARRIS, Junior Privacy Analyst