Following a political agreement at the end of 2018, earlier this week the European Parliament approved a new cybersecurity regulation known as the EU “Cybersecurity Act” This forms part of the EU’s Cyber Package, first announced in September 2017 (which we blogged about here).

In addition to reinforcing the mandate of ENISA — now to be known as the EU Agency for Cybersecurity — the new regulation establishes an EU cybersecurity certification framework. This framework is intended to increase the transparency of the cybersecurity assurance of ICT products, services and processes, and thereby improve trust and help end users make informed choices.  Another key reason for the framework is to avoid the multiplication of conflicting or overlapping national certifications and thus reduce costs.

Under the regulation, the Commission is empowered to adopt European cybersecurity certification schemes, prepared by ENISA, concerning specific groups of ICT products, services and processes.  The schemes could cover, for example, ICT products, services and processes that are used in cars, airplanes, power plants, medical devices, as well as Internet-connected consumer devices.

Among many other details, each certification scheme will set out the subject matter and scope of the scheme, including the type or categories of ICT products, services and processes covered; a clear description of the purpose of the scheme; references to the international, European or national standards applied in the evaluation or other technical specifications; information on assurance levels (explained in more detail below); and an indication of whether conformity self-assessment is permitted under the scheme (also explained in more detail below).

The Commission is tasked with preparing, with the support of stakeholder groups, “a Union rolling work programme” for European cybersecurity certification schemes.  This will be published in order to allow industry, national authorities and standardization bodies to prepare for future European cybersecurity certification schemes.

The regulation (at nearly 175 pages) and the framework is quite detailed.  We set out key elements below.

Key elements of the new EU cybersecurity certification framework

  • Importantly, the framework creates a mechanism to establish European cybersecurity certification schemes based on existing European or international standards.  The regulation recognizes that the certification schemes “should be non-discriminatory and based on European or international standards.”
  • The schemes will be implemented and supervised by national cybersecurity certification authorities.  Certification schemes operated by industry or other private organizations fall outside of the scope of the regulation, but may be proposed and approved as formal European cybersecurity certification schemes.
  • New schemes will replace existing national certification schemes – with the exception of schemes for national security purposes – and certificates should be recognized throughout the Union.  This is in order to avoid companies, for example, having to certify to multiple national schemes in order to participate in national procurement procedures.  (The regulation recognizes that existing mutual recognition of certificates within the Union have only been partly successful.)  Once a certification scheme is adopted, manufacturers of relevant products, services and processes should be able to submit an application for certification to a conformity assessment body of their choice anywhere in the Union.  Certificates issued under schemes also should be valid and recognized throughout the Union.
  • The schemes and certificates issued under the schemes may specify different assurance levels: ‘basic’, ‘substantial’ or ‘high.’  Assurance levels are intended to be commensurate with the level of risk associated with the intended use of the ICT product, service or process “in terms of the probability and impact of an incident.” Security requirements corresponding to each assurance level are intended to reflect the “rigour and depth of the evaluation” of the ICT product, service or process.
  • In addition to more formal certification, certification schemes may provide for “conformity self-assessment.”  However, conformity self-assessment is only for low complexity ICT products, services or processes that present a low risk to the public and correspond to assurance level ‘basic.’
  • The new certification schemes initially will be voluntary.  That said, the Commission is required to evaluate by 2023 whether specific schemes should become mandatory for certain ICT products, services or processes.
  • EU Member States will establish penalties for infringing European cybersecurity certification schemes.  Penalties must be “effective, proportionate and dissuasive.”

ENISA’s role and involvement of stakeholders

As part of its role to prepare new European cybersecurity certification schemes, ENISA will maintain a website that provides information on and publicizes the schemes, consultations, and national cybersecurity certification schemes that have been replaced.

ENISA is also tasked under the regulation with disseminating information regarding the level of the cybersecurity of ICT products, services and processes, and also with issuing warnings targeting manufacturers or providers of ICT services or processes and requiring them to improve security.

ENISA will be required to regularly consult standardization organizations, in particular European standardization organizations, when preparing candidate schemes.  ENISA also will establish an ENISA Advisory Group as an advisory body to ensure regular dialogue with the private sector, consumers’ organizations and other relevant stakeholders.  The regulation also establishes a “Stakeholder Cybersecurity Certification Group,” composed of experts from relevant stakeholders, that is charged with advising ENISA and the Commission on cybersecurity certification and related matters.

Next steps

The Cybersecurity Act now needs to be approved by the Council and will come into force 20 days after being published. It is expected that the first Union rolling work programme for European Cybersecurity Certification, identifying strategic priorities for Cybersecurity Certification schemes, will be published within a year of the regulations coming into force.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Mark Young Mark Young

Mark Young is an experienced tech regulatory lawyer and a vice-chair of Covington’s Data Privacy and Cybersecurity Practice Group. He advises major global companies on their most challenging data privacy compliance matters and investigations. Mark also leads on EMEA cybersecurity matters at the…

Mark Young is an experienced tech regulatory lawyer and a vice-chair of Covington’s Data Privacy and Cybersecurity Practice Group. He advises major global companies on their most challenging data privacy compliance matters and investigations. Mark also leads on EMEA cybersecurity matters at the firm. In these contexts, he has worked closely with some of the world’s leading technology and life sciences companies and other multinationals.

Mark has been recognized for several years in Chambers UK as “a trusted adviser – practical, results-oriented and an expert in the field;” “fast, thorough and responsive;” “extremely pragmatic in advice on risk;” “provides thoughtful, strategic guidance and is a pleasure to work with;” and has “great insight into the regulators.” According to the most recent edition (2024), “He’s extremely technologically sophisticated and advises on true issues of first impression, particularly in the field of AI.”

Drawing on over 15 years of experience, Mark specializes in:

  • Advising on potential exposure under GDPR and international data privacy laws in relation to innovative products and services that involve cutting-edge technology, e.g., AI, biometric data, and connected devices.
  • Providing practical guidance on novel uses of personal data, responding to individuals exercising rights, and data transfers, including advising on Binding Corporate Rules (BCRs) and compliance challenges following Brexit and Schrems II.
  • Helping clients respond to investigations by data protection regulators in the UK, EU and globally, and advising on potential follow-on litigation risks.
  • Counseling ad networks (demand and supply side), retailers, and other adtech companies on data privacy compliance relating to programmatic advertising, and providing strategic advice on complaints and claims in a range of jurisdictions.
  • Advising life sciences companies on industry-specific data privacy issues, including:
    • clinical trials and pharmacovigilance;
    • digital health products and services; and
    • engagement with healthcare professionals and marketing programs.
  • International conflict of law issues relating to white collar investigations and data privacy compliance (collecting data from employees and others, international transfers, etc.).
  • Advising various clients on the EU NIS2 Directive and UK NIS regulations and other cybersecurity-related regulations, particularly (i) cloud computing service providers, online marketplaces, social media networks, and other digital infrastructure and service providers, and (ii) medical device and pharma companies, and other manufacturers.
  • Helping a broad range of organizations prepare for and respond to cybersecurity incidents, including personal data breaches, IP and trade secret theft, ransomware, insider threats, supply chain incidents, and state-sponsored attacks. Mark’s incident response expertise includes:
    • supervising technical investigations and providing updates to company boards and leaders;
    • advising on PR and related legal risks following an incident;
    • engaging with law enforcement and government agencies; and
    • advising on notification obligations and other legal risks, and representing clients before regulators around the world.
  • Advising clients on risks and potential liabilities in relation to corporate transactions, especially involving companies that process significant volumes of personal data (e.g., in the adtech, digital identity/anti-fraud, and social network sectors.)
  • Providing strategic advice and advocacy on a range of UK and EU technology law reform issues including data privacy, cybersecurity, ecommerce, eID and trust services, and software-related proposals.
  • Representing clients in connection with references to the Court of Justice of the EU.