The recently agreed Cyber Resilience Act isn’t the only new EU cybersecurity rule set to be published this December: by the end of the year, the European Commission is expected to adopt its draft regulations to establish a European cybersecurity certification scheme (“ECCS”).

Once finalized, the ECCS will be issued under the European Union’s Cybersecurity Act, which allows for voluntary accreditation against the ECCS. Although voluntary, the draft standards will also have consequences for European cybersecurity laws more broadly, including:

  • NIS 2, Europe’s cybersecurity directive for essential infrastructure, which provides that member states may require entities to use products that are certified under the ECCS. For an overview of NIS 2, see our blog here.
  • The recently-agreed Cyber Resilience Act, Europe’s draft regulation on the security of the internet of things, which provides that the European Commission can require manufacturers of certain “highly critical” products to be certified under the ECCS, and creates a presumption that products compliant with an ECCS conform with cybersecurity requirements. For an overview of the Cyber Resilience Act, see our blog here.
  • The EU Cybersecurity Scheme for Cloud Services, which will also be issued under the Cybersecurity Act but cover cloud services instead of IT products. For an overview of this scheme, see our blog here.

The draft ECCS builds on the Common Criteria for Information Technology Security Evaluation (ISO standard 15408) – a welcome albeit incomplete embrace of international standards – and is intended to cover a broad range of IT products with security components such as smartphones, bank cards, and routers. But the draft ECCS also goes well beyond simply setting out technical standards for products – it also:

  • Sets out the process for certification – most notably, providing that self-assessment is not allowed even for lower-risk products.
  • Requires vulnerability disclosure – through a vulnerability disclosure and analysis regime applying to products that have been certified.
  • Sets out high expectations for regulators and certification bodies – including calling for national cybersecurity authorities to proactively sample at least 5% of products certified in the previous year, and for certification bodies to be subjected to “peer assessments” to identify shortcomings.
  • Requires entities to take vulnerability management steps – including proactively monitoring vulnerability information about the product and its dependencies and implementing a vulnerability management program aligned to ISO 30111.
  • Allows for mutual recognition of standards – where other countries sign mutual recognition agreements with the EU.
  • Provides for consolidation of member states’ existing (national) certification schemes – with those existing schemes being phased out entirely after a 1-year transition period.

The draft standard will therefore be of interest to those seeking certification for their IT products as well as providing a preview of the process that will apply across other technical standards issued under the Cybersecurity Act.

Cyber Resilience Act continues to roll through the legislative process

Alongside the new ECCS, the Cyber Resilience Act is continuing its journey through the EU legislative process, having been agreed in the last week (see our blog here). Once it comes into force, the Cyber Resilience Act will set out a range of obligations for manufacturers and importers of “products with digital elements” (“PDEs”), including:

  • designing PDEs to meet certain essential cybersecurity requirements through risk assessment and protection against known vulnerabilities;
  • submitting PDEs to conformity assessments;
  • notifying identified vulnerabilities and security incidents to the national cybersecurity authority, ENISA, and users of the PDE; and
  • conducting due diligence on imported PDEs.

As with most recent European technology regulation, the Cyber Resilience Act will come with the threat of high penalties for non-compliance – up to €15 million or 2.5% of global turnover.

What’s happening next?

Following the end of the consultation period on 31 October, the European Commission is currently considering the feedback it received and is expected to publish the final ECCS regulations by the end of 2023. The ECCS will then take effect 12 months from its entry into force.

Meanwhile, the Cyber Resilience Act, which has now been agreed in substance but awaits legislative formalities, will continue to work its way through the legislative process, after which that Act would come into force over a phased transition period starting in late 2025.

And it’s not just the Cybersecurity and Cyber Resilience Acts that are moving along: a consultation process for “Tranche 2” of the EU’s DORA technical standards is expected in the coming months, Member States are continuing to work to implement NIS 2 by the October 2024 deadline, and discussions on the EU Cybersecurity Scheme for Cloud Services are ongoing, all of which sets up 2024 to be yet another busy year for cybersecurity regulation in Europe.

Covington’s Privacy and Cybersecurity Practice regularly advises on cybersecurity issues across Europe, including NIS 2 and DORA. If you have any questions about how the raft of new European cyber regulations will affect your business, or about developments in the cybersecurity space more broadly, our team would be happy to discuss.

Mark Young

Mark Young is an experienced tech regulatory lawyer and a vice-chair of Covington’s Data Privacy and Cybersecurity Practice Group. He advises major global companies on their most challenging data privacy compliance matters and investigations. Mark also leads on EMEA cybersecurity matters at the firm. In these contexts, he has worked closely with some of the world’s leading technology and life sciences companies and other multinationals.

Mark has been recognized for several years in Chambers UK as “a trusted adviser – practical, results-oriented and an expert in the field;” “fast, thorough and responsive;” “extremely pragmatic in advice on risk;” “provides thoughtful, strategic guidance and is a pleasure to work with;” and has “great insight into the regulators.” According to the most recent edition (2024), “He’s extremely technologically sophisticated and advises on true issues of first impression, particularly in the field of AI.”

Drawing on over 15 years of experience, Mark specializes in:

  • Advising on potential exposure under GDPR and international data privacy laws in relation to innovative products and services that involve cutting-edge technology, e.g., AI, biometric data, and connected devices.
  • Providing practical guidance on novel uses of personal data, responding to individuals exercising rights, and data transfers, including advising on Binding Corporate Rules (BCRs) and compliance challenges following Brexit and Schrems II.
  • Helping clients respond to investigations by data protection regulators in the UK, EU and globally, and advising on potential follow-on litigation risks.
  • Counseling ad networks (demand and supply side), retailers, and other adtech companies on data privacy compliance relating to programmatic advertising, and providing strategic advice on complaints and claims in a range of jurisdictions.
  • Advising life sciences companies on industry-specific data privacy issues, including:
    • clinical trials and pharmacovigilance;
    • digital health products and services; and
    • engagement with healthcare professionals and marketing programs.
  • International conflict of law issues relating to white collar investigations and data privacy compliance (collecting data from employees and others, international transfers, etc.).
  • Advising various clients on the EU NIS2 Directive and UK NIS regulations and other cybersecurity-related regulations, particularly (i) cloud computing service providers, online marketplaces, social media networks, and other digital infrastructure and service providers, and (ii) medical device and pharma companies, and other manufacturers.
  • Helping a broad range of organizations prepare for and respond to cybersecurity incidents, including personal data breaches, IP and trade secret theft, ransomware, insider threats, supply chain incidents, and state-sponsored attacks. Mark’s incident response expertise includes:
    • supervising technical investigations and providing updates to company boards and leaders;
    • advising on PR and related legal risks following an incident;
    • engaging with law enforcement and government agencies; and
    • advising on notification obligations and other legal risks, and representing clients before regulators around the world.
  • Advising clients on risks and potential liabilities in relation to corporate transactions, especially involving companies that process significant volumes of personal data (e.g., in the adtech, digital identity/anti-fraud, and social network sectors).
  • Providing strategic advice and advocacy on a range of UK and EU technology law reform issues including data privacy, cybersecurity, ecommerce, eID and trust services, and software-related proposals.
  • Representing clients in connection with references to the Court of Justice of the EU.
Bart Szewczyk

Having served in senior advisory positions in the U.S. government, Bart Szewczyk advises on European and global public policy, particularly on technology, economic sanctions and asset seizure, trade and foreign investment, business and human rights, and environmental, social, and governance issues, as well as conducts international arbitration. He also teaches grand strategy as an Adjunct Professor at Sciences Po in Paris and is a Nonresident Senior Fellow at the German Marshall Fund.

Bart recently worked as Advisor on Global Affairs at the European Commission’s think-tank, where he covered a wide range of foreign policy issues, including international order, defense, geoeconomics, transatlantic relations, Russia and Eastern Europe, Middle East and North Africa, and China and Asia. Previously, between 2014 and 2017, he served as Member of Secretary John Kerry’s Policy Planning Staff at the U.S. Department of State, where he covered Europe, Eurasia, and global economic affairs. From 2016 to 2017, he also concurrently served as Senior Policy Advisor to the U.S. Ambassador to the United Nations, Samantha Power, where he worked on refugee policy. He joined the U.S. government from teaching at Columbia Law School, as one of two academics selected nationwide for the Council on Foreign Relations International Affairs Fellowship. He has also consulted for the World Bank and Rasmussen Global.

Prior to government, Bart was an Associate Research Scholar and Lecturer-in-Law at Columbia Law School, where he worked on international law and U.S. foreign relations law. Before academia, he taught international law and international organizations at George Washington University Law School, and served as a visiting fellow at the EU Institute for Security Studies. He also clerked at the International Court of Justice for Judges Peter Tomka and Christopher Greenwood and at the U.S. Court of Appeals for the Third Circuit for the late Judge Leonard Garth.

Bart holds a Ph.D. from Cambridge University where he studied as a Gates Scholar, a J.D. from Yale Law School, an M.P.A. from Princeton University, and a B.S. in economics (summa cum laude) from The Wharton School at the University of Pennsylvania. He has published in Foreign Affairs, Foreign Policy, Harvard International Law Journal, Columbia Journal of European Law, American Journal of International Law, George Washington Law Review, Survival, and elsewhere. He is the author of three books: Europe’s Grand Strategy: Navigating a New World Order (Palgrave Macmillan 2021); with David McKean, Partners of First Resort: America, Europe, and the Future of the West (Brookings Institution Press 2021); and European Sovereignty, Legitimacy, and Power (Routledge 2021).

Elżbieta Bieńkowska

Elżbieta Bieńkowska is a senior advisor in the firm’s Brussels office. Elżbieta, a non-lawyer, served as European Commissioner for the Internal Market, Industry, Entrepreneurship and SMEs in Jean-Claude Juncker’s team from 2014 to 2019. In that capacity, she was responsible for much of the European Commission’s regulatory activity that affects the EU’s 450 million citizens, and all companies doing business in the EU. Elżbieta oversaw all product regulation in the EU, setting the rules for goods and services in sectors as diverse as chemicals, cars, electronics, IT infrastructure, machines, medical devices, and hydrogen. She managed the EU’s treatment of IP, led the Commission’s extensive work on standardization, and ran the EU’s industrial policy.

In her time at the Commission, Elżbieta launched the circular economy package, focusing on the regulation of packaging, waste, and batteries. She laid the foundations for the EU’s new industrial strategy, which ultimately resulted in the 2023 proposals for a Net-Zero Industry Act and the Critical Raw Materials Act. She was an early proponent of EU research into AI, and led the Commission’s renewed focus on fostering the space and defense industry in Europe.

Before joining the European Commission, Elżbieta served as Minister for Infrastructure and Development of Poland as well as Deputy Prime Minister. In this role, she was in charge of the allocation of European Union funding and responsible for significant investments in Poland’s transport infrastructure.