Key Takeaways
- The European Commission has proposed a new cybersecurity package to strengthen the EU’s cyber resilience
- The revised EU Cybersecurity Act aims to secure ICT supply chains and ensure products are secure by design
- The European Cybersecurity Certification Framework (ECCF) will introduce a more agile and transparent governance process for security testing and certification
- The new package introduces measures to simplify compliance with EU cybersecurity rules and risk-management requirements
- ENISA will play an enhanced role in supporting the EU and its Member States in understanding common cyber threats and improving preparedness and response to cyber incidents
Introduction to the European Commission’s Cybersecurity Package
The European Commission has proposed a new cybersecurity package aimed at strengthening the EU’s cyber resilience. The package includes a revised EU Cybersecurity Act, designed to secure ICT supply chains and ensure that products reaching EU citizens are secure by design. The Act introduces a risk-based approach to identifying and mitigating risks across critical sectors, while also taking economic impacts and market supply into account. This approach is intended to help the EU and its Member States better understand potential cyber threats and develop strategies for mitigating them.
Revised Cybersecurity Act and ICT Supply Chain Security
The revised Cybersecurity Act establishes an ICT supply chain security framework built on a risk-based approach. The framework will help the EU and Member States identify and mitigate risks across critical sectors, while considering economic impacts and market supply. The Act also introduces mandatory derisking of European mobile telecommunications networks from high-risk third-country suppliers, building on the existing 5G security toolbox. This is intended to protect EU citizens and businesses from potential cyber threats and to keep the EU’s critical infrastructure secure. The revised Act further introduces new measures to improve the security of ICT supply chains, including the development of certification schemes and a more agile and transparent governance process.
European Cybersecurity Certification Framework
The European Cybersecurity Certification Framework (ECCF) will play a key role in the implementation of the revised Cybersecurity Act. The ECCF allows for the development of certification schemes within 12 months by default, and introduces a more agile and transparent governance process that better involves stakeholders through public information and consultation. Certification schemes will become a voluntary tool for businesses to demonstrate compliance with EU legislation, reducing the burden and costs of meeting regulatory requirements. Companies and organizations will be able to certify ICT products, services, processes, managed security services, and their cybersecurity posture to meet market needs. The renewed ECCF will enhance trust and security in complex ICT supply chains for EU citizens, businesses, and public authorities.
Simplifying Compliance and NIS2 Amendments
The new cybersecurity package introduces measures to simplify compliance with EU cybersecurity rules and risk-management requirements for companies operating in the EU. These measures complement the single-entry point for incident reporting introduced by the Digital Omnibus. Targeted amendments to the NIS2 Directive aim to improve legal clarity by simplifying jurisdictional rules, streamlining the collection of data on ransomware attacks, and facilitating the supervision of cross-border entities. ENISA will play an enhanced coordinating role in supporting these changes and will work with companies and organizations to help them comply with the new requirements. The simplified compliance regime is intended to reduce the burden on companies and make it easier for them to demonstrate compliance with EU cybersecurity rules.
Strengthening ENISA’s Role
The revised Cybersecurity Act strengthens ENISA’s role in helping the EU and its Member States understand common cyber threats and improve preparedness and response to cyber incidents. The agency will continue to issue early warnings on emerging threats and incidents, and will develop a Union-wide approach to vulnerability management services. ENISA will operate the single-entry point for incident reporting and will work with Europol and national Computer Security Incident Response Teams (CSIRTs) to support companies in responding to and recovering from ransomware attacks. ENISA will also pilot a Cybersecurity Skills Academy and support the establishment of EU-wide cybersecurity skills attestation schemes to help build a skilled cybersecurity workforce across Europe. ENISA’s enhanced role is intended to improve the EU’s cyber resilience and to give companies and organizations the support they need to address potential cyber threats.
Conclusion
The European Commission’s new cybersecurity package is an important step towards strengthening the EU’s cyber resilience. The revised Cybersecurity Act, the European Cybersecurity Certification Framework, and the simplified compliance regime will together help to improve the security of ICT supply chains and make it easier for companies to demonstrate compliance with EU cybersecurity rules. ENISA’s enhanced role will give companies and organizations the support they need to address potential cyber threats and will help to build a skilled cybersecurity workforce across Europe. Overall, the new cybersecurity package is a positive development for the EU and will help to protect EU citizens and businesses from potential cyber threats.