On Tuesday, 12 March, the European Parliament adopted the EU Cybersecurity Act. Product manufacturers across Europe are now called upon to take appropriate measures to protect their systems against attacks. The regulation is to give the work of the European cybersecurity agency ENISA a permanent mandate, and a European certification framework is to be defined for measuring the quality of security in IT products and services.
Important cornerstones of the regulation include:
The first articles enshrine the mandate and independence of ENISA and set out the rules for operational collaboration between the Member States. It is positive that great value has been placed on exploiting synergies, so that duplicated work in the area of IT security can be reduced. That ENISA is to contribute to the general availability or integrity of the public core of the open Internet (Art. 5.3) is a further, particularly welcome point. ENISA's competency now also expressly includes developing area-specific regulations for individual economic or industry sectors (Art. 4.2).
The ENISA Advisory Group provided for in Article 21 represents a further expansion of the Commission's proposal. The additional inclusion of SMEs and standardization organizations makes a meaningful contribution to the debate on IT security and creates a framework for broad acceptance.
The work program for a cybersecurity certification scheme stipulated in Article 47 will enable a dynamic approach to IT security. It remains questionable, however, whether the work program can genuinely contribute to a systematic improvement of IT security, or whether it will ultimately remain a patchwork of individual regulatory provisions that essentially reflect politicians' regulatory wishes. Whether the consultation and preparation processes, which are described as open, are in fact transparent remains to be seen (Art. 48 and 49). The minimum requirements for a certification scheme set out in Article 51 carry the risk of degenerating into a bureaucratic, formalized checklist exercise. The assurance levels defined in Article 52 must be viewed critically, since they give a false picture of the security measures actually taken and thus create the wrong incentives. On the positive side, Article 57 clarifies the problematic interplay between national and European IT security certifications.