
This document is an excerpt from the EUR-Lex website

The EU Cybersecurity Act


SUMMARY OF:

Regulation (EU) 2019/881 on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification (Cybersecurity Act)

WHAT IS THE AIM OF THE REGULATION?

It aims to achieve a high level of cybersecurity*, cyber resilience and trust in the European Union (EU) by setting:

  • objectives, tasks and organisational matters for a strengthened and renamed European Union Agency for Cybersecurity (ENISA), with a new permanent mandate;
  • a framework for voluntary European cybersecurity certification schemes for information and communications technology (ICT) products, services and processes.

KEY POINTS

ENISA’s mandate is to:

  • achieve a high common level of cybersecurity across the EU;
  • support national authorities and EU institutions, bodies, offices and agencies in improving cybersecurity;
  • serve as a reference point for scientific and technical advice and expertise on cybersecurity for EU institutions, bodies, offices and agencies, as well as for other relevant stakeholders;
  • contribute to reducing the fragmentation of the internal market;
  • act independently, avoid duplicating national activities and take account of national expertise;
  • develop its own technical, human and skill resources.

ENISA’s tasks are to:

  • help develop and implement EU policy and law;
  • promote capacity-building, for instance, through improved prevention, detection and analysis of, and response to, cyber threats* and by assisting the development of national computer security incident response teams (CSIRTs), or through the organisation of cybersecurity exercises at EU level;
  • support EU operational cooperation among all actors involved, including the EU’s Computer Emergency Response Team (CERT-EU), by means of, notably, exchange of know-how and best practices, supply of relevant guidelines and servicing of the EU and national CSIRTs network;
  • support and promote the development and implementation of EU cybersecurity certification of ICT products, services and processes, as part of the role in preparing schemes under the new European cybersecurity certification framework;
  • collect and analyse knowledge and information on cybersecurity, notably on emerging technologies, cyber threats and incidents, to provide information and advice for national authorities and relevant stakeholders and, through a dedicated portal, to the public (citizens, organisations and businesses);
  • raise public awareness of cybersecurity risks, provide good-practice guidance for individual users and promote cybersecurity awareness and education in general;
  • advise on research needs and priorities and contribute to the EU’s strategic cybersecurity research and innovation agenda;
  • contribute to the EU’s efforts to cooperate on cybersecurity with its international partners and organisations.

ENISA has the following administrative and management structure:

  • a Management Board, with one representative from each EU country and two members appointed by the European Commission, which establishes the general direction of the Agency’s activities and ensures that the Agency carries out its tasks under conditions that enable it to serve in accordance with the founding regulation;
  • an Executive Board of 5 members, which prepares decisions to be adopted by the Management Board;
  • an independent Executive Director, accountable to the Management Board and reporting to the European Parliament and the Council when asked to do so, is responsible for managing the Agency;
  • an ENISA Advisory Group of recognised experts from relevant stakeholders such as the ICT industry, providers of electronic communications networks or services, SMEs, consumers, academics, operators of essential services, as well as representatives of competent authorities notified under the European Electronic Communications Code, standardisation organisations, law enforcement and data protection supervisory authorities, focuses on issues relevant to stakeholders and brings them to the attention of ENISA;
  • a National Liaison Officers Network composed of representatives of all EU countries facilitates the exchange of information between ENISA and the EU countries and supports ENISA in making its activities, findings and recommendations widely known.

The regulation creates the following:

  • a Stakeholder Cybersecurity Certification Group of recognised experts to, for instance, advise the Commission on strategic issues regarding the EU cybersecurity certification framework and, upon request, ENISA on general and strategic issues concerning the Agency’s relevant tasks;
  • a European Cybersecurity Certification Group (ECCG) composed of national representatives to advise and assist the Commission in its work to ensure the consistent implementation and application of the Act, and ENISA in relation to the preparation of candidate cybersecurity certification schemes.

ENISA:

  • is established for an indefinite period as of 27 June 2019;
  • operates according to a single programming document containing its annual and multiannual programming;
  • follows the Commission’s security rules to protect sensitive non-classified information and EU classified information;
  • does not divulge to third parties confidential information it processes or receives;
  • participates fully in EU measures to combat fraud, corruption and other unlawful activities;
  • processes personal data in accordance with respective EU rules.

The regulation establishes a European cybersecurity certification framework to:

  • improve the functioning of the internal market by increasing the level of cybersecurity in the EU and enabling a harmonised approach at EU level to European cybersecurity certification schemes with a view to creating a digital single market for ICT products, services and processes;
  • set up a mechanism to establish certification schemes that confirm ICT products, services and processes that have been evaluated in accordance with such schemes comply with specified security requirements to protect the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or functions or services offered by, or accessible via, those products, services and processes throughout their life cycle.

Under the framework:

  • The Commission:
    • publishes an EU rolling work programme for European cybersecurity certification identifying strategic priorities and ICT products, services and processes or categories which could benefit from a scheme;
    • may request ENISA to prepare a candidate certification scheme or review an existing one.
  • ENISA:
    • prepares suitable draft schemes, following a request from the Commission or the ECCG;
    • evaluates each adopted certification scheme every 5 years, taking account of the feedback received;
    • maintains a dedicated website providing information on the schemes, certificates and conformity statements.

The voluntary European cybersecurity certification schemes:

  • aim to achieve various security objectives, such as protecting stored, transmitted and processed data;
  • denote the security level of ICT products, services and processes as ‘basic’, ‘substantial’ or ‘high’;
  • allow manufacturers and providers of low-risk (i.e. ‘basic’) ICT products, services and processes to assess these themselves (‘conformity self-assessment’);
  • must include certain features, such as clear descriptions of purpose, subject matter and scope and the evaluation criteria and methods used;
  • replace similar national ones, although those certificates remain valid until their expiry date.

Manufacturers and providers of certified ICT products, services or processes must make publicly available:

  • guidance and recommendations to help end users install, apply and maintain their products or services;
  • the duration they offer security support;
  • their contact details;
  • references to online repositories with information on known cybersecurity issues affecting their products or services.

EU countries appoint one or more national cybersecurity certification authorities with sufficient resources and powers to monitor, supervise and enforce the rules of the European certification schemes.

The Commission:

  • regularly assesses the efficiency and use of the adopted certification schemes and considers whether any scheme should be made compulsory;
  • completes its first detailed assessment by 31 December 2023, with others every 2 years;
  • evaluates ENISA’s impact, effectiveness and efficiency by 28 June 2024 and every 5 years thereafter.

Individuals and legal entities have the right to lodge a complaint with the issuer of a European cybersecurity certificate and to seek effective judicial remedy.

The regulation does not affect EU countries’ responsibilities for public security, defence, national security and criminal law.

The regulation repeals Regulation (EU) No 526/2013 from 27 June 2019.

FROM WHEN DOES THE REGULATION APPLY?

The regulation has applied since 27 June 2019.

Articles on the designation of national cybersecurity authorities, accreditation and notification of conformity assessment bodies, the right to lodge complaints to issuers of European cybersecurity certificates and the right to judicial remedy as well as on penalties, apply from 28 June 2021.

BACKGROUND

ENISA, based in Athens with a branch office in Heraklion, has been contributing to the EU’s network and information security since 2004. For more information, see:

KEY TERMS

Cybersecurity: the activities necessary for the protection of network and information systems, their users and others affected by cyber threats.
Cyber threat: a potential circumstance, event or action that could damage, disrupt or adversely affect network and information systems, their users and others.

MAIN DOCUMENT

Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019 on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification and repealing Regulation (EU) No 526/2013 (Cybersecurity Act) (OJ L 151, 7.6.2019, pp. 15-69)

RELATED DOCUMENTS

Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, pp. 39-98)

Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union (OJ L 194, 19.7.2016, pp. 1-30)

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, pp. 1-88)

Successive amendments to Regulation (EU) 2016/679 have been incorporated into the original text. This consolidated version is of documentary value only.

last update 10.03.2020
