EU Unveils Cybersecurity Overhaul with Proposed Update to Cybersecurity Act


The EU Commission has launched a new cybersecurity package that includes its formal proposal for an amendment of the current Cybersecurity Act (CSA).

The CSA is a regulation adopted by the European Parliament and the Council in 2019 to strengthen cybersecurity across the bloc. It had two main goals: to establish a permanent EU-wide cybersecurity certification framework for information and communication technology (ICT) products, services and processes; and to strengthen the mandate of the EU Agency for Cybersecurity (ENISA).

However, the regulation drew criticism, chiefly because certification under it is voluntary – many companies, especially small and medium businesses (SMBs), have avoided certification because of the cost – and because the rollout of certification schemes has been slow.

Furthermore, the Act was drafted before AI-enabled attacks became widely accessible and before the current heightening of geopolitical tensions.

As a result, the European Commission has been working on an update to the Cybersecurity Act, often referred to as ‘Cybersecurity Act 2.0.’

Addressing Cybersecurity Act 1.0’s Main Problems

The Commission’s final proposal, published on January 20 as part of a new cybersecurity package, identified four main problems that it aims to tackle:

  1. The misalignment between the Union’s cybersecurity policy framework and stakeholders’ needs
  2. The stalled implementation of the European cybersecurity certification framework (ECCF)
  3. The complexity and diversity of the cybersecurity-related policies impacting the Union’s cyber posture
  4. Increasing ICT supply chains security risks

To address these problems, the Commission proposed to articulate the revised regulation around five main objectives, including creating new mechanisms to support the needs of EU-based businesses while helping them achieve compliance, as well as streamlining and simplifying current cybersecurity certification schemes, especially the ECCF.

Key Changes in Cybersecurity Act 2.0

Some of the changes the EU Commission proposed include:

  • Introducing a new trusted ICT supply chain security framework to identify and mitigate risks across the EU's 18 critical sectors, taking into account economic impacts and market supply
  • Requiring certification schemes to be developed within 12 months by default
  • Allowing certification schemes to be used for presumption of conformity with EU legislation
  • Making the derisking of European mobile telecommunications networks from high-risk third-country suppliers mandatory, building on the work already carried out under the 5G security toolbox

Additionally, the proposed Cybersecurity Act 2.0 confers a much greater role on ENISA, which would get more powers, resources and responsibilities so that it can act as the EU’s central hub for cybersecurity, with new roles including:

  • Leading or supporting the response to major cyber incidents, with the support of the CSIRTs network and with the approval of the member state concerned
  • Maintaining a repository of cybersecurity exercises with the support of the European Cyber Crisis Liaison Organisation Network (EU-CyCLONe)
  • Publicly sharing non-sensitive cyber threat intelligence
  • Helping vet suppliers of critical tech (e.g. 5G equipment, cloud services)
  • Being an assessor of harmonized standards
  • Piloting a European attestation scheme for cybersecurity skills (a license for cybersecurity professionals) and exploring a quality label for skills recognition

The agency would also be getting a new leadership structure, with the addition of a Deputy Executive Director to help manage ENISA’s growing workload and a Board of Appeal to handle disputes, such as if a company disagrees with a certification decision.

As a regulation, the Cybersecurity Act 2.0 would become applicable directly after approval by the European Parliament and the Council of the EU, without needing to be transposed into national law. However, the Commission has not yet given a concrete timeline for adoption.

Once adopted, EU member states would have one year to put in place the national measures the regulation requires and to communicate the relevant texts to the Commission.

Henna Virkkunen, the European Commission’s Executive Vice-President for Tech Sovereignty, Security and Democracy, emphasized that cyber threats are not just technical challenges, but also “strategic risks to our democracy, economy and way of life.”

“With the new cybersecurity package, we will have the means in place to better protect our critical ICT supply chains but also to combat cyber-attacks decisively. This is an important step in securing our European technological sovereignty and ensuring a greater safety for all,” she added.
