A political agreement on the Cybersecurity Act, which reinforces the mandate of the European Union Agency for Network and Information Security (ENISA), was reached on Monday, the European Commission reports. The Act is intended as a legislative tool to help Member States in their efforts to protect European citizens from cybersecurity attacks.
The Act was first proposed in 2017 as part of a suggested package of measures responding to the increasingly threatening digital realm in Europe. The agreement on it was signed between the European Parliament, the Council and the European Commission.
Commissioner Mariya Gabriel, in charge of Digital Economy and Society, released an official statement commenting on the progress in her area:
“We need to build on the trust of our citizens and businesses in the digital world, especially at a time when large-scale cyber-attacks are becoming more and more common. I want high cybersecurity standards to become the new competitive advantage of our companies.”
There are several important highlights with regard to the new Cybersecurity Act. First, it will give ENISA a permanent mandate, which would otherwise have expired in about a year, in 2020. The agency, based in Athens and Crete, is one of the smallest EU institutions, with a relatively small budget. So far its main responsibility has been to provide training to EU Member States in preventative and cybersecurity response methods. Significantly more resources will now be allocated to the agency as its scope of work increases. Not only Member States will be trained, but also EU citizens directly, through a range of educational programmes.
Another crucial part of the Act is the establishment of a certification framework. Its role will be to assist Member States in responding effectively to cyber-attacks by setting out technical requirements, procedures and standards. These will be used in the process of building a high level of cybersecurity resilience in products such as IoT devices, smart cards and ICT infrastructure. In practice, this means that all IT products manufactured in or for the EU will need to comply with a set of rules, or ‘cybersecurity standards’. The EU Commission expects this to reduce market barriers between states.
However, there are some doubts about the benefits of the proposed certification framework. Ed Williams, a cybersecurity specialist at Trustwave, said in a statement for Computer Business Review:
“Assurance will be broken down into different categories, basic, substantial and high; where basic ‘provides a limited degree of confidence in the claimed or asserted cybersecurity qualities of an ICT product or service’. I’d prefer all my ICT products to have high levels of assurance, I don’t think that’s too much to ask for?”
A further highlight of the Act is the establishment of a European Cybersecurity Research and Competence Centre. It will provide space and opportunities for Member States to work together and devise new ideas which will become the new best cybersecurity practices.
Andrus Ansip, Vice-President for the Digital Single Market, said:
“No country can face cybersecurity challenges alone. Our initiatives strengthen cooperation so that EU countries can tackle these challenges together. We also propose new measures to boost investment in innovation and promote cyberhygiene”.
The last point in the Commission’s official statement concerns its willingness to create an effective criminal law response focusing on detection, traceability and the prosecution of cyber criminals. The Act suggests new measures to combat fraud and the counterfeiting of non-cash means of payment. Authorities will tackle this form of crime by expanding the scope of the offences related to information systems to all payment transactions, including transactions through virtual currencies.
The Act has been agreed on, but there is one further step before its official implementation by the Member States: formal approval by the European Parliament and the Council of the EU. Once it is approved by these bodies, it will officially be enacted.