
15 November 2023 · 4 minute read

CyberItalia: The Cybersecurity Law in brief – from the role of ENISA to a European cybersecurity certification framework

In the fourth article in our CyberItalia column, we provide a concise overview of the Cybersecurity Act. The Act complements the EU's cyber resilience framework by establishing a European framework for the cybersecurity certification of ICT products, services and processes, and by strengthening the role of ENISA.

The Cybersecurity Act (Regulation (EU) 2019/881) accompanies and partially complements the provisions of the NIS 1 Directive (Directive (EU) 2016/1148), with the aim of further strengthening the cybersecurity framework at European level.

The aim of the Cybersecurity Act is twofold: to create a European framework for the cybersecurity certification of ICT products, services and processes, and to strengthen the role of ENISA, which the Act renames the European Union Agency for Cybersecurity (it was originally the European Network and Information Security Agency). ENISA was established in 2004 with a temporary mandate to help ensure the security of networks and information systems in the EU.


When?

Adopted on 17 April 2019. As an EU Regulation it is directly applicable in all Member States without national transposition; it entered into force on 27 June 2019 and is currently in force.


Who is it aimed at?

The Cybersecurity Act addresses two main actors: ENISA, whose role and tasks it consolidates and strengthens, and the European Commission, which, together with ENISA, is tasked with establishing European cybersecurity certification schemes that are recognised across the EU. Member States are in turn required to designate national cybersecurity certification authorities to supervise certification on their territory.


What does it provide for?

The Cybersecurity Act was created with a twofold objective:

  • Strengthening the role of ENISA – ENISA (originally the European Network and Information Security Agency) was set up in 2004 with a five-year mandate (later extended to 2019). Its aim was to help EU institutions and organisations protect their infrastructure and systems from cyber threats. With the development of ICT technologies and the exponential growth of security risks, it has become necessary to strengthen ENISA's operational and coordinating role so as to create uniform prevention and response strategies at European level. The Cybersecurity Act pursues exactly this objective: it gives ENISA a permanent mandate, increased resources and new tasks. Its role is no longer limited to giving technical advice; ENISA also supports and coordinates Member States' management of cyber incidents.

  • European certification framework – The Cybersecurity Act establishes a regulatory framework under which European cybersecurity certification schemes for ICT products, services and processes can be adopted.

Several national certification schemes for ICT products already exist, but without mutual recognition between countries. To avoid fragmentation at European level, the Cybersecurity Act creates a common cybersecurity certification framework under which certificates issued under a European scheme are recognised in all Member States. The new framework is intended not only to promote a "security by design" approach, but also to make it easier for cross-border operators and users to understand the security features of a product or service.

As the nature of the risk can vary considerably depending on the ICT product or service in question, the Regulation provides for three assurance levels (basic, substantial and high), ranging from conformity self-assessment by the manufacturer or provider (permitted only at the basic level) to in-depth evaluation by a third-party conformity assessment body.

ENISA prepares each candidate certification scheme at the Commission's request (on the basis of the Union rolling work programme), and the European Commission then formally adopts the scheme through an implementing act.

Certification is voluntary, unless it is explicitly required for certain categories of products or services by Union or Member State law (for example in sector-specific legislation). The European Commission is required to assess on a regular basis whether particular schemes should be made mandatory.

ENISA, with the support of ad hoc expert groups, is currently working on three different certification schemes:

  • EUCC – based on the Common Criteria and covering ICT products (software and hardware)
  • EUCS – for cloud services
  • EU5G – for 5G network architectures

The first of these (EUCC) has already been submitted to the European Commission, which launched a public consultation on the draft implementing act on 3 October 2023. A first draft of the EU5G scheme is expected by the end of 2023.

On 18 April 2023, the Commission proposed an amendment to the Cybersecurity Act to extend the scope of the European cybersecurity certification schemes to managed security services. This would take the framework beyond the ICT products, services and processes the Act currently covers. Managed security services (e.g. incident response, penetration testing, security audits) play an increasingly important role in preventing and mitigating cybersecurity incidents. The proposal is currently under discussion in the Council of the EU and the European Parliament.