The EU Cybersecurity Act (CSA) comes into force from today, establishing an EU framework for cybersecurity certification under a reinforced and rebranded ENISA.
Originally proposed in 2017 as part of a wide-ranging set of measures to deal with cyber-attacks and to build strong cybersecurity in the EU, the Cybersecurity Act includes:
- A permanent mandate for ENISA, replacing the limited mandate that would have expired in 2020, together with more resources allocated to the agency so that it can fulfill its goals
- A stronger basis for ENISA in the new cybersecurity certification framework, to assist member states in responding effectively to cyber-attacks, with a greater role in cooperation and coordination at Union level
In addition, under its new title of EU Cybersecurity Agency, ENISA will help increase cybersecurity capabilities at the EU level to support capacity building and preparedness. ENISA will become an independent center of expertise that promotes cybersecurity awareness among citizens and businesses, assists EU institutions and member states in policy development and implementation, helps raise awareness of cybersecurity risks, and leads on “research needs and priorities in the field of cybersecurity.”
According to the regulation, “there is a need for a comprehensive set of measures that would build on previous Union action and would foster mutually reinforcing objectives.” These measures include further increasing the capabilities and preparedness of member states and businesses, as well as improving cooperation, information sharing and coordination across member states and Union institutions, bodies, offices and agencies.
“Furthermore, given the borderless nature of cyber-threats, there is a need to increase capabilities at Union level that could complement the action of member states, in particular in cases of large-scale cross-border incidents and crises, while taking into account the importance of maintaining and further enhancing the national capabilities to respond to cyber threats of all scales,” it said.
Article seven of the regulation, which deals with “operational cooperation at Union level” states that “ENISA shall support operational cooperation among member states, Union institutions, bodies, offices and agencies, and between stakeholders.” This article also states that ENISA shall support member states with respect to operational cooperation within the CSIRTs network by:
- Advising on how to improve their capabilities to prevent, detect and respond to incidents and, at the request of one or more member states, providing advice in relation to a specific cyber threat
- Assisting, at the request of one or more member states, in the assessment of incidents having a significant or substantial impact through the provision of expertise and facilitating the technical handling of such incidents including in particular by supporting the voluntary sharing of relevant information and technical solutions between member states
- Analyzing vulnerabilities and incidents on the basis of publicly available information or information provided voluntarily by member states for that purpose
- At the request of one or more member states, providing support in relation to ex-post technical inquiries regarding incidents having a significant or substantial impact within the meaning of Directive (EU) 2016/1148
ENISA will also regularly organize cybersecurity exercises at Union level, and shall support member states and Union institutions, bodies, offices and agencies in organizing cybersecurity exercises following their requests.
Mariya Gabriel, the EU Commissioner in charge of Digital Economy and Society, said that the EU Cybersecurity Act “has demonstrated the urgency to opt for an EU approach” and that the reinforcement of ENISA was needed because “it is crucial for citizens, businesses and member states to feel more secure.”
“The Cybersecurity Act also enables EU-wide cybersecurity certification for the very first time, thus boosting the Single Market for cybersecurity,” Gabriel said. “Through the Cybersecurity Act, the Directive on the security of networks and information systems and the proposed European Cybersecurity Competence Centre, we have put forward a strong EU pattern, based on values and open for strengthening cooperation with international partners.”
Udo Helmbrecht, executive director of ENISA, said: “I welcome the Cybersecurity Act and thank the Council, European Parliament and Commission for their support in the drafting and passing of this important piece of cybersecurity legislation. I also welcome the reinforced role of ENISA in the European cybersecurity ecosystem and the opportunity for ENISA to support the Digital Single Market.
“I believe the European Cybersecurity Certification Framework detailed in the Act will play a leading role for the advancement and harmonization of cybersecurity certification in Europe and beyond.”