Cybersecurity Act

The Cybersecurity Act (Regulation EU 2019/881) is a key EU instrument for the promotion of cybersecurity, cyber resilience and trust within the Union. The Cybersecurity Act strengthened the EU Agency for Cybersecurity (ENISA) by giving it a permanent mandate, more resources and new tasks. The Act also established the European cybersecurity certification framework, which is managed and overseen by ENISA.

What does this mean?

  • ENISA was founded already in 2004 to ensure a high and effective level of network and information security within the EU. The Cybersecurity Act reinforced ENISA’s role as the EU center of expertise on cybersecurity and assigned ENISA the tasks described in the Act. Among other tasks, ENISA provides independent technical advice and assistance to EU Member States and bodies on cybersecurity, develops and implements EU cybersecurity policy and law, and engages in cybersecurity capacity-building, certification and standardization activities.
  • The European cybersecurity certification framework is a new mechanism to establish European cybersecurity certification schemes intended to attest that ICT products, ICT services and ICT processes evaluated in accordance with such schemes comply with specified security requirements. Recourse to certification is voluntary, unless otherwise provided for in Union or EU Member State law.
  • The European Commission may request ENISA to prepare a candidate cybersecurity certification scheme. Based on ENISA’s candidate scheme, the European Commission adopts an implementing act providing for the respective cybersecurity certification scheme.
    • In 2023, ENISA facilitated the adoption of the first European cybersecurity certification scheme, the Common Criteria-based Cybersecurity Certification Scheme (EUCC), dedicated to certifying ICT products such as hardware and software products and components (e.g., chips and smart cards). The European Commission adopted an implementing act for the EUCC on 31 January 2024.
    • ENISA is also in the process of developing candidate certification schemes covering cybersecurity of cloud services, 5G, artificial intelligence, and managed security services. ENISA offers different ways for stakeholders to participate in the creation of the candidate schemes, including public consultations and ad-hoc working groups.
  • Following the establishment of a European cybersecurity certification scheme, national cybersecurity certification schemes or procedures for ICT products, ICT services or ICT processes covered by the European scheme should cease to be effective from a date established by the European Commission in its implementing act.
    • National cybersecurity certification schemes or procedures for ICT products, ICT services or ICT processes covered by the EUCC cease to be effective 12 months from entry into force of the implementing act.

Who?

  • Manufacturers and providers of ICT products, ICT services and ICT processes should consider the cybersecurity certification and related advantages, such as benefits in marketing and competitive advantage.

Timeline

  • The Cybersecurity Act entered into force on 27 June 2019.
  • On 18 April 2023, the European Commission proposed a targeted amendment to the Cybersecurity Act, which would enable the adoption of cybersecurity certification schemes for managed security services. The EU legislative process regarding the amendment is currently ongoing.
  • The EUCC implementing act will apply as of 27 February 2025.