The European Union introduced the EU Cybersecurity Act to boost cybersecurity measures and cyber resilience across EU member states. In a digitally interconnected Union, consistent cybersecurity rules across member states are vital to protecting against cyber attacks.

What is the EU Cybersecurity Act?

The EU Cybersecurity Act (Regulation (EU) 2019/881) is a landmark piece of legislation adopted in 2019 in response to the growing global cyber threat landscape and the need for consistent cybersecurity standards across the Union.

Key Objectives of the EU Cybersecurity Act

The EU Cybersecurity Act has two main objectives:

The European Union Agency for Cybersecurity (ENISA)

The EU Cybersecurity Act's first objective is strengthening the EU Agency for Cybersecurity (ENISA). ENISA’s primary focus is on improving the level of cybersecurity across EU member states.

The European Parliament and Council established ENISA in 2004 to address network and information security challenges. Its original mandate focused on information gathering and analysis, capacity building, facilitating cooperation among member states, and policy support. ENISA’s mandate was renewed and expanded several times as the cybersecurity landscape evolved, most notably in 2008 and 2013.

The most recent change came under the EU Cybersecurity Act, which solidified ENISA’s central role and expanded it further. ENISA was given a permanent mandate, securing its position as the EU’s long-term central agency for cybersecurity. With this came enhanced operational capabilities, an expanded policy and advisory role, broader stakeholder engagement, and an increased budget and staff.

The most significant extension of ENISA’s role under the EU Cybersecurity Act was responsibility for preparing candidate certification schemes under the EU-wide cybersecurity certification framework, which is used to certify ICT products, services, and processes across the entire Union.

Roles and Responsibilities of ENISA

ENISA’s primary roles and responsibilities include:

  • Expertise and Advice: Provides advice and recommendations on key cybersecurity issues to the EU Commission, member states, and businesses.
  • Capacity Building: Supports member states in growing their cybersecurity measures, including national cybersecurity strategies, training, and providing best practices.
  • Operational Cooperation: Helps coordinate the EU’s response to cybersecurity incidents, facilitating information sharing and encouraging cooperation between member states.
  • Research and Analysis: Conducts studies and analysis on cybersecurity topics.
  • Awareness Raising: Organizes and facilitates campaigns, workshops, and events to provide cybersecurity education to businesses and the public.
  • EU Policy Development: Provides expertise, consultation, and input on cybersecurity policy and legislative initiatives.

Under the EU Cybersecurity Act, ENISA also became responsible for preparing candidate European cybersecurity certification schemes at the request of the Commission. These schemes create a consistent approach to cybersecurity standards across EU member states for Information and Communication Technology (ICT) products, services, and processes.

European Cybersecurity Certification Frameworks

The second objective of the EU Cybersecurity Act is establishing a cybersecurity certification framework for Information and Communication Technology (ICT) products, services, and processes. Before the Act, certification was fragmented along national lines; a single EU-wide framework lets member states maintain cohesive cybersecurity measures and removes the need to certify the same product separately in each country. A European cybersecurity certificate issued in one member state is recognized in all member states.

The framework provides for European cybersecurity certification schemes, each of which is a set of rules, technical requirements, standards, and procedures for evaluating the security properties of an ICT product, service, or process throughout its lifecycle. Among other elements, each European scheme must specify the following:

  • Category of Product or Services Covered
  • Cybersecurity Requirements
  • Type of Evaluation (Conformity Self-Assessment or Third-Party Evaluation)
  • Intended Level of Assurance

Levels of Assurance

Within the certification framework, assurance levels tell users how rigorously an ICT product, service, or process was evaluated and what level of risk its intended use carries. The three levels of assurance are:

  • Basic: Intended for products, services, and processes where the risk of an incident is low. At minimum, the evaluation reviews the technical documentation. Where a scheme allows it, the manufacturer or service provider may perform a conformity self-assessment; basic is the only level at which self-assessment is permitted.
  • Substantial: Intended to minimize known cybersecurity risks and the risk of incidents caused by actors with limited skills and resources. The evaluation must at minimum demonstrate the absence of publicly known vulnerabilities and test that the security functionality is correctly implemented. It is carried out by an accredited third-party conformity assessment body.
  • High: Intended to minimize the risk of state-of-the-art attacks by actors with significant skills and resources. The evaluation adds, at minimum, penetration testing to assess resistance to skilled attackers. Certificates at this level are issued by the national cybersecurity certification authority, or by a conformity assessment body acting with that authority’s approval or under its delegation.

European Cybersecurity Certification Group (ECCG)

The European Cybersecurity Certification Group (ECCG) was established under the EU Cybersecurity Act to support the Commission in developing and implementing the certification framework. The ECCG is composed of representatives of the national cybersecurity certification authorities (or other relevant national authorities) of each member state. It acts as a bridge between member states and the European Commission, assists ENISA in preparing candidate schemes, and issues opinions on them; it does not itself evaluate or certify products.

The EU Cybersecurity Act also requires every EU member state to designate one or more National Cybersecurity Certification Authorities (NCCAs), which supervise certification activities in that country and whose representatives sit on the ECCG.

The ECCG’s main functions and responsibilities include:

  • Assisting in the preparation of certification schemes
  • Facilitating consistent implementation
  • Advising on matters related to certification frameworks
  • Operating as a liaison with ENISA
  • Providing feedback on certification schemes

Who Must Comply With the EU Cybersecurity Act?

The certification framework covers ICT products, services, and processes. Unlike some other EU cybersecurity laws, certification under the framework is voluntary unless Union or national law specifies otherwise; organizations are not obliged to certify their ICT products, services, or processes. The Act does require the Commission to assess periodically whether specific schemes should be made mandatory through other Union legislation, so certification may become a legal requirement for particular product categories in the future.

Parties encouraged to comply with the EU Cybersecurity Act include the following:

  • Manufacturers and Developers: Any business that creates ICT products and services for the European market or imports into the EU.
  • Service Providers: Providers of ICT digital services, including online marketplaces, cloud computing services, and search engines.
  • Critical Infrastructure Operators: Entities that operate essential services (energy, transport, banking, health) and rely on ICT products or services. While the EU Cybersecurity Act itself does not mandate certification, other legislation, such as the NIS2 Directive, allows member states to require these entities to use certified ICT products, services, or processes.
  • Public Sector and Government Agencies: In specific situations, organizations in the public sector or government may be required to use certified ICT products or services.

Impact of the EU Cybersecurity Act

The EU Cybersecurity Act has had a widespread impact across the digital and cybersecurity landscape of the European Union. A few notable highlights include the following:

  • Strengthened Role of ENISA: The EU Cybersecurity Act gave ENISA a permanent mandate, reinforcing its role as the EU’s central agency for cybersecurity.
  • Cohesive Certification Framework: Established a harmonized cybersecurity certification framework for ICT products, services, and processes. This simplifies cross-border trade, improves customer trust in ICT products and services, and aligns cybersecurity standards across member states.
  • Increased Market Confidence: Certification schemes give businesses a way to demonstrate their commitment to cybersecurity proactively, building trust among customers, partners, and other industries.
  • Consistency with Other EU Regulations: The EU Cybersecurity Act complements other EU regulations, helping ensure a cohesive approach to data protection and digital security.

Integration with Existing Cybersecurity Regulations

The EU Cybersecurity Act works alongside existing cybersecurity regulations in the European Union to bolster security requirements, ensure the protection of its digital single market, and protect the fundamental rights of its citizens.

General Data Protection Regulation (GDPR)

The GDPR is the EU’s data protection regulation, focused on protecting the personal data of individuals in the EU. It standardizes data protection rules across the EU, protects personal data and privacy, and simplifies compliance for international organizations by providing a single set of rules.

The EU Cybersecurity Act complements the GDPR in a few key ways. A security breach in an ICT product or service can result in unauthorized access to personal data, which means data controllers must notify the supervisory authority of the resulting personal data breach within the GDPR’s 72-hour deadline and must have incident response processes in place to meet it. The GDPR also requires controllers and processors to implement appropriate technical and organizational security measures (Article 32); using ICT products and services certified under the Act’s schemes is one way to show that their security has been evaluated against a recognized standard.

The EU Cybersecurity Strategy

The EU Cybersecurity Strategy for the Digital Decade, adopted in December 2020, identified the need to strengthen the security of essential services across Europe, from critical infrastructure such as healthcare and energy to the connected devices and networks in homes and businesses. The strategy was accompanied by two legislative proposals: 1) a revised Directive on the security of network and information systems (NIS2) and 2) a Directive on the resilience of critical entities, covering their protection against a broader range of threats.

The EU Cybersecurity Strategy and the EU Cybersecurity Act share the aim of enhancing cybersecurity resilience, including through a central European body for cybersecurity efforts. The permanent mandate ENISA received under the Act provides that central agency for coordinating and supporting EU-wide cybersecurity work. Both also call for standardization, certification, and increased cooperation and coordination across member states.

The Network and Information Systems Directive (NIS Directive)

The NIS Directive (2016) was the first EU-wide cybersecurity law. It applied to operators of essential services (OES) and digital service providers, requiring them to take specific security measures and report significant incidents, and it established cross-border cooperation and national supervision of OES in critical sectors. It has since been replaced by NIS2 (Directive (EU) 2022/2555), which broadens the scope to more sectors and entities and strengthens security and reporting requirements in response to emerging challenges in the cybersecurity landscape.

The EU Cybersecurity Act and the NIS Directive interlock through several collaborative measures. The NIS Directive established the Cooperation Group, in which national authorities, the Commission, and ENISA exchange information about cyber threats, incidents, and best practices. The EU Cybersecurity Act reinforces this collaboration by providing a common certification framework that national authorities can rely on for consistent cybersecurity measures across the EU. Where the NIS Directive targets specific sectors vital to the EU’s economy and society, the EU Cybersecurity Act applies across the board to ICT products, services, and processes, and NIS2 explicitly allows member states to require in-scope entities to use certified ones.

Prepare for The Evolving Digital Landscape with UpGuard

As new cybersecurity laws and regulations are passed in response to the evolving digital landscape, consider updating your organization’s cybersecurity tooling with UpGuard.

UpGuard BreachSight is an all-in-one platform allowing organizations to manage their attack surface confidently. BreachSight identifies the risks impacting your external security posture, ensuring your assets are constantly monitored and protected. BreachSight features include:

  • Data Leak Detection: Protects your brand, intellectual property, and customer data through timely detection of data leaks, helping you avoid data breaches
  • Continuous Monitoring: Get real-time information and manage exposures, including domains, IPs, and employee credentials
  • Attack Surface Reduction: Reduce your attack surface by discovering exploitable vulnerabilities and domains at risk of typosquatting
  • Shared Security Profile: Eliminate having to answer security questionnaires by creating an UpGuard Shared Profile
  • Workflows and Waivers: Simplify and accelerate how you remediate issues, waive risks, and respond to security queries
  • Reporting and Insights: Access tailor-made reports for different stakeholders and view information about your external attack surface
