This document was retrieved from the EUR-Lex website.

The EU Cybersecurity Act


SUMMARY OF:

Regulation (EU) 2019/881 on the European Union Agency for Cybersecurity and on information and communications technology cybersecurity certification (Cybersecurity Act)

WHAT IS THE AIM OF THE REGULATION?

It aims to achieve a high level of cybersecurity, cyber resilience and trust in the European Union (EU) by setting:

  • objectives, tasks and organisational matters for a strengthened and renamed European Union Agency for Cybersecurity (ENISA), with a new permanent mandate;
  • a framework for voluntary European cybersecurity certification schemes for information and communications technology (ICT) products, services and processes.

KEY POINTS

ENISA’s mandate is to:

  • achieve a high common level of cybersecurity across the EU;
  • support national authorities and EU institutions, bodies, offices and agencies in improving cybersecurity;
  • serve as a reference point for scientific and technical advice and expertise on cybersecurity for EU institutions, bodies, offices and agencies, and for other relevant stakeholders;
  • contribute to reducing the fragmentation of the internal market;
  • act independently, avoid duplicating national activities and take account of national expertise;
  • develop its own technical, human and skill resources.

ENISA’s tasks are to:

  • help develop and implement EU policy and law;
  • promote capacity building, for instance through improved prevention, detection and analysis of, and response to, cyber threats* and by assisting the development of national computer security incident response teams (CSIRTs) or through the organisation of cybersecurity exercises at the EU level;
  • support EU operational cooperation among all stakeholders involved, including the EU’s Cybersecurity Service for the Union Institutions, Bodies, Offices and Agencies (CERT-EU), by means of, notably, the exchange of know-how and best practices, the supply of relevant guidelines and the servicing of the EU and national CSIRTs network;
  • support and promote the development and implementation of EU cybersecurity certification of ICT products, services and processes, as part of its role in preparing schemes under the new European cybersecurity certification framework;
  • collect and analyse knowledge and information on cybersecurity, notably on emerging technologies, cyber threats and incidents, to provide information and advice to national authorities, relevant stakeholders and, through a dedicated portal, the public (citizens, organisations and businesses);
  • raise public awareness of cybersecurity risks, provide guidance on good practices for individual users and promote cybersecurity awareness and education in general;
  • advise on research needs and priorities and contribute to the EU’s strategic cybersecurity research and innovation agenda;
  • contribute to the EU’s efforts to cooperate on cybersecurity with its international partners and organisations.

ENISA has the following administrative and management structure:

  • a Management Board, with one representative from each EU Member State and two members appointed by the European Commission, establishes the general direction of the agency’s activities and ensures that the agency carries out its tasks under conditions which enable it to serve in accordance with the founding regulation;
  • an Executive Board of five members, which prepares decisions to be adopted by the Management Board;
  • an independent executive director, accountable to the Management Board and reporting to the European Parliament and the Council of the European Union when asked to do so, is responsible for managing the agency;
  • an ENISA Advisory Group of recognised experts from relevant stakeholders, such as the ICT industry, providers of electronic communications networks or services, small and medium-sized enterprises, consumers, academics and operators of essential services, along with representatives of competent authorities notified under the European Electronic Communications Code, standardisation organisations, law enforcement and data protection supervisory authorities, focuses on issues relevant to stakeholders and brings them to the attention of ENISA;
  • a National Liaison Officers Network, composed of representatives of all Member States, facilitates the exchange of information between ENISA and the Member States and supports ENISA in making its activities, findings and recommendations widely known.

The regulation creates the following:

  • a Stakeholder Cybersecurity Certification Group of recognised experts to, for instance, advise the Commission on strategic issues regarding the EU cybersecurity certification framework and, upon request, ENISA on general and strategic issues concerning the agency’s relevant tasks;
  • a European Cybersecurity Certification Group (ECCG) composed of national representatives to advise and assist the Commission in its work to ensure the consistent implementation and application of the act, and ENISA in relation to the preparation of candidate cybersecurity certification schemes.

ENISA:

  • is established for an indefinite period as from 27 June 2019;
  • operates according to a single programming document containing its annual and multiannual programming;
  • follows the Commission’s security rules to protect sensitive non-classified information and EU classified information;
  • does not divulge to third parties confidential information it processes or receives;
  • participates fully in EU measures to combat fraud, corruption and other unlawful activities;
  • processes personal data in accordance with respective EU rules.

The regulation establishes a European cybersecurity certification framework to:

  • improve the functioning of the internal market by increasing the level of cybersecurity in the EU and enabling a harmonised approach at the EU level to European cybersecurity certification schemes with a view to creating a digital single market for ICT products, services and processes;
  • set up a mechanism to establish certification schemes that confirm ICT products, services and processes that have been evaluated in accordance with such schemes comply with specified security requirements to protect the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or functions or services offered by, or accessible via, those products, services and processes throughout their life cycle.

Under the framework:

  • the Commission:
    • publishes an EU rolling work programme for European cybersecurity certification identifying strategic priorities and ICT products, services and processes or categories which could benefit from a scheme,
    • may request ENISA to prepare a candidate certification scheme or review an existing one;
  • ENISA:
    • prepares suitable draft schemes, following a request from the Commission or the European Cybersecurity Certification Group,
    • evaluates each adopted certification scheme every 5 years, taking account of the feedback received,
    • maintains a dedicated website that provides information on the schemes, certificates and conformity statements.

The voluntary European cybersecurity certification schemes:

  • aim to achieve various security objectives, such as protecting stored, transmitted and processed data;
  • denote the security level of ICT products, services and processes as basic, substantial or high;
  • allow manufacturers and providers of low-risk (i.e. basic) ICT products, services and processes to assess these themselves (conformity self-assessment);
  • must include certain features, such as clear descriptions of the purpose, subject matter and scope, and the evaluation criteria and methods used;
  • replace similar national ones, although those certificates remain valid until their expiry date.

Manufacturers and providers of certified ICT products, services or processes must make publicly available:

  • guidance and recommendations to help end users install, apply and maintain their products or services;
  • information about the duration for which they offer security support;
  • their contact details;
  • references to online repositories with information on known cybersecurity issues affecting their products or services.

Member States appoint one or more national cybersecurity certification authorities with sufficient resources and powers to monitor, supervise and enforce the rules of the European cybersecurity certification schemes.

The Commission:

  • regularly assesses the efficiency and use of the adopted certification schemes and considers whether any scheme should be made compulsory;
  • had to complete its first detailed assessment by 31 December 2023, with others every 2 years thereafter;
  • had to evaluate ENISA’s impact, effectiveness and efficiency by 28 June 2024, and every 5 years thereafter.

Individuals and legal entities have the right to lodge a complaint with the issuer of a European cybersecurity certificate and to seek effective judicial remedy.

Implementing act

In January 2024, the Commission adopted Implementing Regulation (EU) 2024/482 (see summary). This act lays down rules for the application of Regulation (EU) 2019/881 as regards the adoption of the voluntary European common criteria-based cybersecurity certification scheme (EUCC). This is the first scheme at the EU level and concerns certificates at the ‘substantial’ or ‘high’ assurance levels for ICT products such as hardware and software including components such as chips and smart cards. The regulation includes detailed rules on aspects including:

  • standards and requirements for the evaluation of and the issuance, renewal and withdrawal of EUCC certificates for products and protection profiles;
  • conformity assessment bodies accredited to issue certificates or perform evaluation activities;
  • compliance monitoring, non-conformity and non-compliance;
  • vulnerability management and disclosure procedures;
  • retention of records, disclosure and protection of information;
  • mutual recognition agreements with non-EU countries;
  • peer assessment of certification bodies;
  • maintenance of the scheme; and
  • national cybersecurity certification schemes covered by the EUCC.

The EUCC Implementing Regulation will apply as of 27 February 2025.

Regulation (EU) 2019/881 and its related implementing regulation do not affect Member States’ responsibilities for public security, defence, national security and criminal law.

The regulation repeals Regulation (EU) No 526/2013 as from 27 June 2019.

FROM WHEN DOES THE REGULATION APPLY?

The regulation has applied since 27 June 2019.

Articles on the designation of national cybersecurity authorities, accreditation and notification of conformity assessment bodies, on the right to lodge complaints to issuers of European cybersecurity certificates, on the right to judicial remedy and on penalties apply from 28 June 2021.

BACKGROUND

ENISA, based in Athens with a branch office in Heraklion, has been contributing to the EU’s network and information security since 2004. For more information, see:

KEY TERMS

Cyber threat. A potential circumstance, event or action that could damage, disrupt or adversely affect network and information systems, their users and others.

MAIN DOCUMENT

Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019 on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification and repealing Regulation (EU) No 526/2013 (Cybersecurity Act) (OJ L 151, 7.6.2019, pp. 15–69).

RELATED DOCUMENTS

Commission Implementing Regulation (EU) 2024/482 of 31 January 2024 laying down rules for the application of Regulation (EU) 2019/881 of the European Parliament and of the Council as regards the adoption of the European Common Criteria-based cybersecurity certification scheme (EUCC) (OJ L, 2024/482, 7.2.2024).

Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, pp. 39–98).

Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union (OJ L 194, 19.7.2016, pp. 1–30).

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, pp. 1–88).

Successive corrections to Regulation (EU) 2016/679 have been incorporated into the original text. This consolidated version is of documentary value only.

last update 18.06.2024
