Last night European politicians reached an agreement on the Cybersecurity Act, moving it into the last round of legislation before it is officially enforced across Europe.
The Cybersecurity Act provides a permanent mandate for the European Agency for Network and Information Security (ENISA).
The 84-strong agency is based in Athens and Crete and is one of the EU’s smallest, with an annual budget of approximately £9.7 million. It is currently tasked with training EU member states in preventative and cybersecurity response methods.
Proposed in 2017 and agreed yesterday by the European Parliament, the Council and the European Commission, the Cybersecurity Act is part of a raft of measures to strengthen cybersecurity within the shared single marketplace and political institutions. It includes proposals for a “traffic light” cybersecurity labelling system.
Commissioner Mariya Gabriel, in charge of Digital Economy and Society, commented in a released statement that: “Enhancing Europe’s cybersecurity, and increasing the trust of citizens and businesses in the digital society is a top priority for the European Union.”
“Major incidents such as Wannacry and NotPetya have acted as wake-up calls, because they clearly showed the potential consequences of large-scale cyber-attacks. In this perspective, I strongly believe that tonight’s deal both improves our Union’s overall security and supports business competitiveness.”
ENISA’s current limited mandate will expire in 2020. Once fully enforced, the Act will provide the agency with increased resources and enable it to engage fully with member states to help them prepare their defences. It will also facilitate the running of education programmes aimed at raising best cyber practice among EU citizens.
As part of the Act, a European Cybersecurity Research and Competence Centre will be established. This centre will act as the focal point for member states to come together and share cybersecurity measures and best practices.
Julian King, Commissioner for the Security Union, commented at the launch of the Act that: “We need to work together to build our resilience, to drive technological innovation, to boost deterrence, reinforcing traceability and accountability, and harness international cooperation, to promote our collective cybersecurity.”
Cybersecurity Act: Comes with Certificates…
A major part of the Cybersecurity Act is the establishment of a Cybersecurity Certification Framework. This framework will set out technical requirements, procedures and standards to be used in creating a high level of cybersecurity resilience in products such as IoT devices, smart cards and ICT infrastructure.
The proposed framework will ensure that all IT products manufactured in or for the EU will be developed with cybersecurity measures in mind from the early stages of technical design and development.
Currently, EU member states operate under different parameters and technical requirements for the construction and implementation of IT services and devices. The Cybersecurity Certification Framework will give member states a clear set of rules and will enable the homogenisation of cybersecurity standards, thus reducing market barriers between states.
Ed Williams, of cybersecurity specialists SpiderLabs at Trustwave, earlier told Computer Business Review that he had “some reservations around the certification framework…”
He said: “assurance will be broken down into different categories, basic, substantial and high; where basic ‘provides a limited degree of confidence in the claimed or asserted cybersecurity qualities of an ICT product or service’. I’d prefer all my ICT products to have high levels of assurance, I don’t think that’s too much to ask for?”
Vice-President Andrus Ansip, in charge of the Digital Single Market, said: “In the digital environment, people as well as companies need to feel secure; it is the only way for them to take full advantage of Europe’s digital economy. Trust and security are fundamental for our Digital Single Market to work properly.”
“This evening’s agreement on comprehensive certification for cybersecurity products and a stronger EU Cybersecurity Agency is another step on the path to its completion.”
The next stage in the legislative process for the Act is its formal approval by the European Parliament and the Council of the EU. Once it is approved by these bodies it will officially be enacted.