EU cyber certification moves a step closer

07 February 2019

EU institutions have reached agreement on new cyber security legislation, which will give new powers to the region’s cyber security regulator and establish a cyber security certification framework.

In December, the European Parliament, the Council and the European Commission reached political agreement on the Cyber Security Act. Proposed in 2017 as part of a wide-ranging set of measures to deal with cyber-attacks, the Act will strengthen the powers of the EU Agency for Network and Information Security (ENISA), transforming it into a permanent EU Cyber Security Agency.

Going forward, ENISA will enjoy increased resources and a permanent mandate to improve cyber security in Europe. The organisation will continue to assist EU member states in responding to major cyber-attacks, but with a greater role in cooperation and coordination at an EU level. In its new role, ENISA will develop an EU crisis response and act as an independent centre of expertise, promoting cyber security awareness and assisting EU institutions and member states in policy development and implementation.


Significantly, the Act also establishes a single pan-EU framework for cyber security certification, aimed at improving cyber security for online services and consumer devices. The ground-breaking legislation is the first EU law seeking to enhance the security of so-called Internet of Things (IoT) devices, including consumer products and those used in critical infrastructure.


The cyber security certification framework will require developers and manufacturers of IoT devices to adopt security by design, incorporating cyber security features in the early stages of their design. National cyber security certification authorities will be established to issue a common cyber security certificate for a range of products and services, from connected toys and smart wearables to industrial automation control systems, smart energy grids and banking systems.

Certification, which is voluntary, is intended to help consumers choose between products and build trust through improved cyber security. 

There will be three levels of the certification process: basic, substantial and high. At the basic level, suppliers are allowed to self-certify, while certification at higher levels will involve a third party. The certificate will be valid throughout the EU.

Now that the Cyber Security Act has gained political agreement, the text of the Act will need to be formally adopted, first by Parliament and then by the Council. 

Following adoption, the regulation will be published in the EU’s Official Journal. It will enter into force 20 days after publication, although member states will have two years to implement the legislation and establish a cyber security certification regime.


For more information, please contact Shannon Groeber, Senior Vice President, Cyber / Errors & Omissions Practice on 215.309.4495.