EU shakes up cyber-security with new agency and certification framework

News by Tom Reeve

A political agreement has been reached in Europe to rebrand ENISA as the EU Agency for Cybersecurity and create a one-stop shop for cyber-security product certification.

European political leaders have agreed the Cybersecurity Act which creates the EU Agency for Cybersecurity and a ‘ground-breaking’ certification framework.

The Cybersecurity Act, agreed yesterday by the European Parliament, Council of the European Union and the European Commission, will rebrand ENISA as the EU Agency for Cybersecurity, increase its budget and enhance its mission.

The act also establishes an EU framework for cyber-security certification for online services and consumer devices – the first internal market law aimed at enhancing the security of connected products, internet of things (IoT) devices and critical infrastructure.

The act was part of the cyber-security package adopted on 13 September 2017 and was one of the priorities of the Digital Single Market strategy.

According to the European Commission, the "ground-breaking" certification framework "incorporates security features in the early stages of their technical design and development". It also provides for the independent verification of security features.

ENISA, the European Union Agency for Network and Information Security, was created in 2004 to improve network and information security in the EU by providing expertise to member states and EU institutions. Its mandate was due to expire in 2020.

Under the new act, ENISA will receive a permanent mandate and additional resources to allow it to provide more support to member states. It will also develop its ability to help coordinate the response to crises and prevent and respond to cyber-security incidents.

It will also work with national certification authorities and industry on the new European cyber-security certification framework, as well as enhance its support to member states and EU institutions in the development, implementation and review of cyber-security policy.

Vice president Andrus Ansip, in charge of the EU Digital Single Market, said: "In the digital environment, people as well as companies need to feel secure – it is the only way for them to take full advantage of Europe's digital economy. Trust and security are fundamental for our Digital Single Market to work properly. This evening's agreement on comprehensive certification for cyber-security products and a stronger EU Cybersecurity Agency is another step on the path to its completion."

Commissioner Mariya Gabriel, in charge of Digital Economy and Society, added: "Enhancing Europe's cyber-security, and increasing the trust of citizens and businesses in the digital society is a top priority for the European Union. Major incidents such as Wannacry and NotPetya have acted as wake-up calls, because they clearly showed the potential consequences of large-scale cyber-attacks. In this perspective, I strongly believe that tonight's deal both improves our Union's overall security and supports business competitiveness."

Udo Helmbrecht, executive director of ENISA, said: "Receiving a permanent mandate is a major achievement for ENISA. The European Union has taken another important step in increasing the level of cyber-security in the European digital environment. The new cyber-security certification framework will provide business opportunities for the EU cyber-security industry, in addition to stimulating the development of more reliable ICT products and services."

Extending the mandate will strengthen cyber-security cooperation among member states, according to Faustine Felici from the Kosciuszko Institute in Poland and project manager of the European Cybersecurity Forum – CYBERSEC.

In particular it will help support the work of the Digital 3 Seas Initiative which is developing digital infrastructure and promoting investment in the central and eastern European region, she said.

"By increasing security and bringing back citizens and businesses’ trust, it will also ensure a smooth functioning of the Digital Single Market, including in the Three Seas region. In addition, the creation of a framework for European Cybersecurity certification will result in significant cost saving for companies – especially small ones – therefore boosting their development. Poland and the Three Seas region, whose ICT market mainly consists of SMEs and start-ups, will undoubtedly benefit from this," Felici said.

Following the political agreement last night, the new regulation will have to be formally approved by the European Parliament and the Council of the EU. It will then be published in the EU Official Journal and come into force immediately.
