On 13 September 2017, the President of the European Commission, Jean-Claude Juncker, announced during his State of the Union address the intention to propose new legislative measures to boost cybersecurity resilience within the EU. Following the President’s speech, the European Commission published the following initiatives:
- a proposal for a Cybersecurity Act Regulation and Annex establishing an “EU Cybersecurity Agency”;
- an implementation toolkit for the Network and Information Security Directive; and
- a report to ensure effective response in case of cyber-attacks in Member States.
Overall, these initiatives seek to remedy the current fragmentation of Member States’ policies and cybersecurity approaches by increasing the capabilities, preparedness and available resources for Member States and businesses.
The proposed Cybersecurity Act Regulation is divided into two pillars:
- the first pillar focuses on the powers and organizational evaluation of the EU Agency for Network and Information Security (“ENISA”);
- the second pillar proposes a framework of European Cybersecurity Certification Schemes (“ECCS”) for Information and Communications Technology (“ICT”) products and services.
The proposed Regulation expands ENISA’s mandate, making it an independent cybersecurity centre that would assist the EU Institutions, EU bodies and Member States in developing and implementing cybersecurity policies. Moreover, ENISA would take on additional obligations related to, among other things, capacity building, operational cooperation, cybersecurity certification and international cooperation. The European Commission will evaluate ENISA’s performance every five years following the entry into force of the draft Regulation.
The Framework establishing the ECCS has been proposed to ensure transparency of ICT products and services, which include connected devices (such as hardware, software and connected cars), and to create a voluntary pan-European certification scheme per industry sector (such as the transport, energy and health sector). ICT products and services should comply with specified requirements to ensure availability, authenticity, integrity and confidentiality of stored, transmitted or processed data. A European Cybersecurity Certification Body shall be created to assist the European Commission with this Framework and to monitor the ECCS’ functioning in cooperation with ENISA.
The two co-legislators, the European Parliament and Council, will now deliberate on these initiatives.
The Commission will present its proposal on Cybersecurity on Tuesday 19 September 2017.