On June 27, 2019, the EU Regulation on Information and Communication Technology (Cybersecurity Act or Act) became effective introducing, for the first time, EU-wide rules for the cybersecurity certification of products and services (Certification). The Certification may create a competitive advantage for companies that sell their products and services in the EU. Further, the Certification may act as a catalyst to the anticipated certifications for GDPR-compliance.

In addition, the Cybersecurity Act provides for a new permanent mandate for the EU Agency for Cybersecurity (ENISA) with new responsibilities.

The EU Cybersecurity Certification Framework

The Cybersecurity Act establishes the EU Cybersecurity Certification Framework, intended to enhance the cybersecurity of online services and consumer devices in the European Union. The Certification allows companies to assess the cybersecurity standards of a specific product or service, and rank them in order of risk severity (basic, substantial, high). Products or services may be required to acquire a different level of Certification depending on their use (e.g., a basic Certification may be sufficient for a smart TV, but insufficient for a medical device).

The Certification will be available for every consumer device or service offered in the EU market, such as connected devices, fintech services, AI applications, health services, cloud services, and e-health services. For instance, when a consumer uses a certified smartphone or internet banking website, the Certification will inform them about the security standards and protocols in place, ways to securely operate the device/website, and how long the manufacturer will support the device/website through security patches.

The Certification will be recognized in all EU Member States through a one-stop-shop mechanism, which ENISA will administer, meaning that a company that wants to offer a product or a service in the EU only needs to undertake this exercise once for all 28 EU countries. This is cost saving for companies, especially small- and medium-sized enterprises that would otherwise need to apply for several certificates in different countries. The single Certification will also remove potential market-entry barriers and may be used as a selling point for companies that wish to emphasize their cybersecurity standards.

The Certification encourages “security by design”, meaning that manufacturers or providers must implement appropriate measures at the early stages of design and development of a product or service. The Certification will rely as much as possible on international standards, including ISO standards, to minimize trade barriers and technical interoperability issues.

Although the Certification is currently voluntary, the European Commission may decide to mandate the Certification for sectors of critical importance or elevated risk (e.g., banking sector, healthcare services, and insurance services).

ENISA will design different Certification schemes, taking into account a number of elements when doing so: a) the categories of products and services, b) the cybersecurity requirements, c) the type of evaluation (third-party v. self-assessment), and d) the intended level of assurance (basic; substantial; high). ENISA will also have a pivotal role in helping implement the Certification mechanism.

The EU Cybersecurity Agency

ENISA was created in 2004 to improve network and information security in the EU. It supports all EU member states in improving their capabilities (e.g., with cybersecurity exercises, guidelines and opinions, and national cybersecurity strategies). The Cybersecurity Act gives ENISA a permanent mandate and strengthens its existing tasks, such as policy development and implementation, and cyber capacity building. The Certification mechanism is the most prominent new function of ENISA, but the Cybersecurity Act further furnishes ENISA with a number of other functions:

  • Provide concrete implementation advice to EU Member States for information security-related requirements set forth in the GDPR, and in particular, information security requirements and the “security by design” principle.
  • Undertake market related tasks (standardization, cybersecurity certification) to support the new Certification. ENISA is expected to soon announce further details regarding the Certification, such as when it will be available to companies, and ways to self-certify or certify via a third party.
  • Coordinate at the EU level to effectively respond to cyberattacks, including helping EU Member States handle cybersecurity incidents, and supporting EU coordination in case of large-scale, cross border cyberattacks.
  • Assist the coordination between organizations, manufacturers, or providers of high-risk products and services.