With approval by the European Parliament, which took place last March 12 with 586 votes in favor, 44 against and 36 abstentions, the long legislative process of the so-called Cybersecurity Act, which began in September 2017, is coming to its end. The approved text is now in the course of ratification by the Council, after which it will be published in the Official Gazette of the European Union. The provision will then enter into force twenty days afterwards and, being a Regulation, will be immediately effective for all member states.
The Cybersecurity Act aims at increasing the Union’s capacity of "Resilience, deterrence and defense", as stated in the title of the joint Communication to Parliament and the Council with which the Commission presented its proposal. The initiative, although fully in line with the principles of the European Cyber Strategy of 2013, nevertheless took into consideration the increase of the cyber threat in both intensity and sophistication, and therefore proposed specific operational actions to make each member state's contribution to overall EU security more homogeneous and shared.
One key point of the Cybersecurity Act is creating a permanent and well-funded cybersecurity agency for the EU. This is done by reinforcing the role and mandate of the current European Network and Information Security Agency (ENISA). It was founded in 2004 with non-permanent agency status and limited funds, as well as a narrow mandate that essentially gave it the sole role of competence center in support of the Commission and member states. Over the years ENISA has been able to gain deep appreciation from all European institutions for the very high value of the projects it has undertaken, the prestige it gained in its role as strategic advisor, and the great efficiency with which it has been able to manage its small budget.
In 2013 the initial mandate of ENISA was already extended and its term prolonged for seven years. ENISA thus became the driving force behind the initiative that led to establishment of the European network of national Computer Emergency Response Teams (CERTs) and the Computer Emergency Response Team-European Union (CERT-EU), and officially also began to collaborate, in terms of exchange of skills and experiences, with the law enforcement sector, a collaboration that until then had been explicitly precluded. Initiatives such as coordination of the pan-European Cyber Exercises, as well as that of the European Cybersecurity Month, further contributed to consolidating the effective presence of ENISA also outside the restricted group of central institutions. Therefore, when in 2016 the European Parliament wanted to identify a supranational organization able to collect reports of data breaches and computer incidents, according, respectively, to the General Data Protection Regulation (GDPR) and to the Network Information Security (NIS) Directive, it did not hesitate to assign such responsibilities to ENISA.
With approval of the Cybersecurity Act ENISA is finally losing its status as a temporary agency (the only one remaining) and is seeing its duties and responsibilities further expanded. It will also have more resources assigned, both in terms of personnel, whose number rises from 84 to 125 persons, and in terms of budget, which will rise over four years from the current 11 million euros per year to 23 million euros per year.
Among the new tasks that the “new ENISA” will have to perform are: providing a greater level of support to the Commission and member states in developing and implementing security policies and in constructing operational capabilities; providing operational cooperation activities, for example in the framework of implementation of the NIS Directive (for which ENISA already provides the secretariat for the European CSIRT network); becoming the reference InfoHub for the entire European security community, including EU institutions and other agencies. It will also have to prepare the schemes for the European certification framework for product cybersecurity, established by the Cybersecurity Act itself.
A common cybersecurity certification for consumer products
Another key point concerns establishment of a European scheme for the cybersecurity certification of commonly used products and services. This is an important and current need, which arises from the observation that more and more "smart" objects are coming on the market, which, by mistake or by fraud, can undermine the safety and privacy of the unsuspecting user. The currently existing certification schemes, typically based on the so-called Common Criteria, are not very suitable for verifying the security of consumer-grade devices because they are too complex and expensive to apply. Moreover, there is no mutual recognition of certifications among member states, except for a few cases covered by bilateral agreements. All this discourages producers from submitting their consumer-grade products to a certification process that is costly and very limited in scope.
The Cybersecurity Act aims to create an innovative certification scheme designed specifically for consumer products, which on the one hand will be very “light” and therefore not too expensive for producers to afford, and on the other will automatically be recognized and valid in all member states. This will make it convenient for producers to have their products certified, encouraging them to market certified products and thus transforming security into a competitive advantage. It will also increase consumers’ confidence in the products they buy or the services they use, making them prefer products and services guaranteed by European certification.
The task of developing the certification schemes suitable for each class of products has been assigned to ENISA, while each member state will need to develop the skills and the technical facilities that will carry out the necessary tests. The certifications issued by each member state according to these common schemes will be immediately and automatically recognized throughout the Union, thus favoring the preferential circulation of certified products and services. It is important to note that the current proposal does not make certification mandatory, but leaves it as an option that producers can choose on an entirely voluntary basis. However, it is expected that in future the certification for specific classes of products or in certain areas of application will be made mandatory.