EU Cybersecurity Act: What you need to know

June 3, 2019 Bryan Harper

What is it?

The EU Cybersecurity Act is the fruit of an initiative started by the European Parliament in 2017 with the goals of permanently establishing an agency to address cybersecurity threats, reducing the complexity for companies to comply with cybersecurity frameworks in each EU member state, and establishing a common cybersecurity certification framework. Formal adoption of the EU Cybersecurity Act occurred on March 27, 2019 and resulted in both the formation of the EU Cybersecurity Agency (formerly the ENISA) as a permanent agency and established a cybersecurity certification framework.

 

What does framework look like?

The framework supersedes all nation frameworks for cybersecurity certification in-force within each EU member state.  The framework contains three levels of assurance for ICT products, services, and processes, including: basic, substantial, and high.   ICT is a broad conformity self-assessment will be allowed for ICT products, services, and processes that present a low cybersecurity risk and would align with the basic level of assurance within the framework.  The certification schemes will be enforced by each member state who will appoint a national certification supervisory authority that will oversee the certification issuance and impose penalties for non-compliance.

Information communication and technology (ICT) includes any communication device or application and includes: radio, television, cellular phones, computers, network hardware, software, satellite systems, and all of the components associated with those products.

 

 

When will the certification schemes be published?

Currently, there is no defined timeline for when the cybersecurity certification scheme will be published or effective.  However, the EU Cybersecurity Act requires that a “rolling work programme” be published in advance of the cybersecurity certification scheme to allow businesses, government agencies, and standardization bodies to prepare for the future European cybersecurity certification schemes.  The first rolling work programme is required to be published within 12 months following the EU Cybersecurity Act coming into force which occurred 20 days after it was passed.

 

Is the cybersecurity certification scheme voluntary?

Although the cybersecurity schemes will be voluntary, the EU Cybersecurity Agency is required to evaluate by 2023 whether specific schemes should be mandatory for certain high-risk ICT products, services, or processes.  Additionally, if a cybersecurity certification scheme is required by another European Union regulation or a member state requirement, then the cybersecurity certification scheme would be required as it supersedes all certification schemes of each EU member state.

 

Are industry certifications allowed as alternatives?

Industry certification schemes, such as ISO 27001, BSI C5 (Germany), SecNumCloud (France), CSA Cloud Control Matrix, NIST 800-53, SOC 2 Trust Services Criteria, and PCI – DSS, are not in the purview of the EU Cybersecurity Agency, but they may be proposed and approved as formal European cybersecurity certification schemes.

 

What progress has been made?

The EU Cybersecurity Act directed the EU Cybersecurity Agency to coordinate with a new European Cybersecurity Certification Group to gather input from stakeholders and prepare the cybersecurity certification schemes.  No further progress has been announced to date.

About the Author

Bryan Harper

Bryan Harper is a Senior Associate with Schellman & Company, LLC. Prior to joining Schellman in May 2017, Bryan worked as a Senior IT Auditor, specializing in SOC 1, 2, & 3 examinations. Bryan also worked as a staff accountant in a public accounting firm performing financial audits, consulting and out­ sourced internal audit engagements for clients in banking, insurance, and healthcare industries. As a Senior Associate with Schellman, Bryan Harper is focused primarily on SOC examinations for organizations across various industries.

More Content by Bryan Harper
Previous Article
The Bright Side of Technology: Tech Hacks That Have Improved Society During This Fourth Industrial Revolution
The Bright Side of Technology: Tech Hacks That Have Improved Society During This Fourth Industrial Revolution

Even when the developments might’ve been considered fairly primitive by modern standards, techno...

Next Article
How to Build a Serverless Architecture
How to Build a Serverless Architecture

A serverless architecture can mean lower costs and greater agility, but you’ll still need to mak...

×



Subscribe now
to receive content updates once a week

First Name
!
Success
Error - something went wrong!