On September 15, 2022, the European Commission published a draft regulation that sets out cybersecurity requirements for “products with digital elements” (PDEs) placed on the EU market — the Cyber Resilience Act (CRA). The Commission has identified that cyberattacks are increasing in the EU, with an estimated global annual cost of €5.5 trillion. The CRA aims to strengthen the security of PDEs and imposes obligations that cover:

  1. the planning, design, development, production, delivery and maintenance of PDEs;
  2. the prevention and handling of cyber vulnerabilities; and
  3. the provision of cybersecurity information to users of PDEs.

The CRA also imposes obligations to report any actively exploited vulnerability as well as any incident that impacts the security of a PDE to ENISA within 24 hours of becoming aware of it.

The obligations apply primarily to manufacturers of PDEs, which include entities that develop or manufacture PDEs as well as entities that outsource the design, development and manufacturing to a third party. Importers and distributors of PDEs also need to ensure that the products comply with CRA’s requirements.

The requirements apply for the lifetime of a product or five years from its placement on the market, whichever is shorter. Due to the cross-border dimension of cybersecurity incidents, the CRA applies to any PDEs that are placed on the EU market—regardless of where they are manufactured—and imposes new mandatory conformity assessment requirements. The proposed regulation will now undergo review and potential approval in the Council of the EU and the European Parliament. Its provisions would apply fully within two years after entry into force, potentially in late 2026. We set out more detail and commentary below based on our initial review of the proposal.

Continue Reading EU Publishes Draft Cyber Resilience Act

On December 22, 2020, the European Union Agency for Cybersecurity (“ENISA”) published a draft scheme for cloud services (see press release here and scheme here). Cloud services that meet the security requirements of the scheme will be able to obtain a certification attesting their level of cybersecurity. The draft scheme is available for public consultation until February 7, 2021.

Continue Reading The European Union Agency for Cybersecurity Publishes a Draft Certification Scheme for Cloud Services

In order to combat the proliferation of COVID-1, several EU Member States have strongly recommended or required that employees engage in teleworking, rather than attend work as normal. In this context, the European Union Agency for Cybersecurity (“ENISA”), on March 15, 2020, issued its “top tips for cybersecurity when working remotely”. Some data protection Supervisory

Following a political agreement at the end of 2018, earlier this week the European Parliament approved a new cybersecurity regulation known as the EU “Cybersecurity Act” This forms part of the EU’s Cyber Package, first announced in September 2017 (which we blogged about here).

In addition to reinforcing the mandate of ENISA — now to be known as the EU Agency for Cybersecurity — the new regulation establishes an EU cybersecurity certification framework. This framework is intended to increase the transparency of the cybersecurity assurance of ICT products, services and processes, and thereby improve trust and help end users make informed choices.  Another key reason for the framework is to avoid the multiplication of conflicting or overlapping national certifications and thus reduce costs.

Under the regulation, the Commission is empowered to adopt European cybersecurity certification schemes, prepared by ENISA, concerning specific groups of ICT products, services and processes.  The schemes could cover, for example, ICT products, services and processes that are used in cars, airplanes, power plants, medical devices, as well as Internet-connected consumer devices.

Among many other details, each certification scheme will set out the subject matter and scope of the scheme, including the type or categories of ICT products, services and processes covered; a clear description of the purpose of the scheme; references to the international, European or national standards applied in the evaluation or other technical specifications; information on assurance levels (explained in more detail below); and an indication of whether conformity self-assessment is permitted under the scheme (also explained in more detail below).
Continue Reading European Parliament Approves EU Cybersecurity Act

The EU Network and Information Security (NIS) Directive now looks likely to enter into force in August of this year.  Member States will then have 21 months to implement it into national law before the new security and incident notification obligations will start to apply to the following entities:

  • designated* “operators of essential services” within the energy, transport, banking, financial market infrastructures, health, drinking water supply and distribution, and digital infrastructure sectors; and
  • certain “digital service providers” that offer services within the EU, namely online market places, online search engines and cloud computing services, excluding small/micro enterprises.

* Once implemented in national law, Member States will have a further 6 months to apply criteria laid down in the Directive to identify specific operators of essential services covered by national rules; they do not need to undertake this exercise in relation to digital service providers, which shall be deemed to be under the jurisdiction of the Member State in which it has its “main establishment” (i.e., its head office in the Union).
Continue Reading EU Cyber Security Directive To Enter Into Force In August

Next week we expect to find out if the Council of the EU will finally agree (“adopt a general approach”) on its version of the proposed General Data Protection Regulation (GDPR).  Progress with a “little brother” of the GDPR – namely the proposed Network and Information Security (NIS) Directive, tagged the Cybersecurity Directive – continues in parallel.  Before providing news next week on the GDPR, we thought that it would be useful to provide a quick update on NIS, especially as some of the issues with the GDPR – such as jurisdiction and supervision of companies – also are proving to be difficult in relation to NIS.
Continue Reading Update on the Cybersecurity Directive – over to Luxembourg?

The EU’s ‘cyber security’ agency ENISA has issued a report on data breach notifications in the EU.  The report is in response to the 2009 amendments to the ePrivacy Directive requiring telecom and Internet service providers to issue notifications for personal data breaches, which Member States must transpose into national legislation by May 2011. 

The ENISA report reviews best practices in countries where data breaches already are required or are expected to be notified (e.g., Germany, Spain and Ireland), highlights concerns of providers and regulatory authorities regarding the new EU-wide mandatory notification regime, and identifies areas where further EU level or local guidance is needed. 

Continue Reading ENISA report on data breach notifications in the EU