Key Takeaways:
- The European Commission has proposed a new cybersecurity package to enhance the EU’s cybersecurity resilience and capabilities.
- The package includes a revised Cybersecurity Act that simplifies compliance with EU cybersecurity rules and introduces a trusted ICT supply chain security framework.
- The revised Cybersecurity Act will enable the EU and Member States to address strategic risks of undue foreign interference and critical dependencies in critical ICT supply chains.
- The package also includes targeted amendments to the NIS2 Directive, which aim to increase legal clarity and ease compliance for companies operating in the EU.
- The European Cybersecurity Certification Framework (ECCF) will be renewed to provide more clarity and simpler procedures for certification schemes.
Introduction to the Cybersecurity Package
The European Commission has proposed a new cybersecurity package to bolster the EU’s cybersecurity resilience and capabilities in the face of growing threats. Its centrepiece is a proposal for a revised Cybersecurity Act, which is intended to strengthen the security of the EU’s ICT supply chains. The act aims to ensure that products reaching EU citizens are cyber-secure by design, using a simpler certification process, and it reinforces the role of the EU Agency for Cybersecurity (ENISA) in supporting Member States and the EU in managing cybersecurity threats. Alongside this, the package introduces measures to simplify compliance with existing EU cybersecurity rules and risk-management requirements for companies operating in the EU, complementing the single-entry point for incident reporting proposed in the Digital Omnibus.
The Revised Cybersecurity Act
The revised Cybersecurity Act is presented together with proposed amendments to the NIS2 Directive; both are proposals and still need to be adopted by the EU co-legislators. Once the amended Directive is adopted, Member States will have one year to transpose it into national law and notify the Commission of the relevant texts. The act aims to reduce risks in the EU’s ICT supply chain stemming from third-country suppliers that raise cybersecurity concerns. It sets out a trusted ICT supply chain security framework based on a harmonised, proportionate, and risk-based approach. This will enable the EU and Member States to jointly identify and mitigate risks across the 18 critical sectors covered by NIS2, taking into account economic impacts and market supply. The act also introduces Union-level coordinated security risk assessments to identify risks and vulnerabilities in specific ICT supply chains.
ENISA’s Role in Cybersecurity
ENISA will play a crucial role in implementing the revised Cybersecurity Act. The agency will help the EU and its Member States understand common threats and prepare for and respond to cyber incidents. ENISA will also support companies and stakeholders operating in the EU by issuing early alerts of cyber threats and incidents. In cooperation with Europol and the national Computer Security Incident Response Teams (CSIRTs), it will support companies in responding to and recovering from ransomware attacks. ENISA will also develop a Union-level approach to providing better vulnerability management services to stakeholders. Additionally, the agency will operate the single-entry point for incident reporting proposed in the Digital Omnibus. ENISA’s role in cybersecurity standardisation will be strengthened to ensure that European and international standards align with EU values and legal requirements.
The European Cybersecurity Certification Framework
The revised Cybersecurity Act aims to ensure that products and services reaching EU consumers are tested for security more efficiently. This will be done through a renewed European Cybersecurity Certification Framework (ECCF). The renewed ECCF will bring more clarity and simpler procedures, with certification schemes to be developed within 12 months by default. It will also introduce more agile and transparent governance, involving stakeholders through public information and consultation. The renewal brings three main changes: clarifying and extending the scope of the framework, establishing clear deadlines and deliverables, and making the schemes more practical for businesses while keeping them voluntary. Certification schemes, managed by ENISA, are intended to become a practical tool for businesses to demonstrate compliance with EU legislation, reducing burden and costs.
Conclusion
The European Commission’s proposal for a revised Cybersecurity Act is a significant step towards enhancing the EU’s cybersecurity resilience and capabilities. If adopted, the act would simplify compliance with EU cybersecurity rules, introduce a trusted ICT supply chain security framework, strengthen ENISA’s role in cybersecurity standardisation, and renew the European Cybersecurity Certification Framework with clearer and simpler procedures for certification schemes. Given the increasing threat of cyber attacks, the EU’s cybersecurity package is a timely measure to protect the EU’s critical infrastructures and ensure a high level of security and trust in complex ICT supply chains. As Henna Virkkunen, executive vice-president for tech sovereignty, security, and democracy, stated, "Cybersecurity threats are not just technical challenges. They are strategic risks to our democracy, economy, and way of life." The package is a crucial step towards addressing these risks and ensuring a safer and more secure digital environment for EU citizens and businesses.