EU Proposes Enhanced Cybersecurity Regulations

Key Takeaways

  • The EU Commission has launched a new cybersecurity package, including a proposal to amend the current Cybersecurity Act (CSA)
  • The proposed Cybersecurity Act 2.0 aims to address the main problems of the current regulation, including misalignment with stakeholders’ needs, stalled implementation of certification schemes, and increasing ICT supply chain security risks
  • The new regulation proposes a trusted ICT supply chain security framework, streamlined certification schemes, and a greater role for the EU Agency for Cybersecurity (ENISA)
  • ENISA will have more power, resources, and responsibilities, including leading or supporting the response to major cyber incidents, maintaining a repository of cybersecurity exercises, and publicly sharing non-sensitive cyber threat intelligence
  • The Cybersecurity Act 2.0 will be applicable immediately after approval by the European Parliament and the Council of the EU, with a one-year implementation timeline for EU member states

Introduction to the Cybersecurity Act
The European Union (EU) Commission has launched a new cybersecurity package, which includes a formal proposal to amend the current Cybersecurity Act (CSA). The CSA was adopted by the EU Parliament and Council in March 2019 to strengthen cybersecurity across the bloc. The regulation had two main goals: to establish a permanent EU-wide cybersecurity certification framework for information and communication technology (ICT) products, services, and processes, and to strengthen the mandate of the EU Agency for Cybersecurity (ENISA). However, the regulation drew criticism, especially for its voluntary nature, which led many companies, particularly small and medium businesses (SMBs), to avoid certification because of the cost. In addition, the slow rollout of certification schemes, and the fact that the Act was designed before the democratization of AI threats and the rise in geopolitical tensions across the world, necessitated an update.

Addressing the Main Problems of the Current Regulation
The Commission’s final proposal, published on January 20 as part of a new cybersecurity package, identified four main problems that it aims to tackle. These problems include the misalignment between the Union’s cybersecurity policy framework and stakeholders’ needs, the stalled implementation of the European cybersecurity certification framework (ECCF), the complexity and diversity of cybersecurity-related policies impacting the Union’s cyber posture, and increasing ICT supply chain security risks. To address these problems, the Commission proposed to articulate the revised regulation around five main objectives, including creating new mechanisms to support the needs of EU-based businesses while helping them achieve compliance, as well as streamlining and simplifying current cybersecurity certification schemes, especially the ECCF.

Key Changes in Cybersecurity Act 2.0
The proposed Cybersecurity Act 2.0 introduces several key changes, including a new trusted ICT supply chain security framework to identify and mitigate risks across the EU’s 18 critical sectors, considering also economic impacts and market supply. The proposal also includes the development of certification schemes within 12 months by default, and the use of certification schemes for presumption of conformity with EU legislation. Additionally, the proposal includes the mandatory derisking of European mobile telecommunications networks from high-risk third-country suppliers, building on the work already carried out under the 5G security toolbox. These changes aim to strengthen the EU’s cybersecurity posture and better protect its critical ICT supply chains.

Enhanced Role of ENISA
The proposed Cybersecurity Act 2.0 gives ENISA a much greater role: the agency would get more power, resources, and responsibilities to act as the EU’s central hub for cybersecurity. ENISA’s new roles would include leading or supporting the response to major cyber incidents with the support of the CSIRTs network and with the approval of the concerned member state, maintaining a repository of cybersecurity exercises with the support of the European Cyber Crisis Liaison Organisation Network (EU-CyCLONe), and publicly sharing non-sensitive cyber threat intelligence. ENISA would also be responsible for helping vet suppliers of critical tech, such as 5G equipment and cloud services, and for acting as an assessor of harmonized standards. Furthermore, ENISA would pilot a European attestation scheme for cybersecurity skills, which would provide a license for cybersecurity professionals, and explore a quality label for skills recognition.

Implementation and Timeline
The Cybersecurity Act 2.0 will be applicable immediately after approval by the European Parliament and the Council of the EU. However, the Commission has not yet specified a concrete timeline for adoption. Once adopted, EU member states will have one year to implement the directive into national law and communicate the relevant texts to the EU Commission. The EU Commission’s executive VP for tech sovereignty, security, and democracy, Henna Virkkunen, emphasized that cyber threats are not just technical challenges, but also "strategic risks to our democracy, economy, and way of life." She added that the new cybersecurity package will provide the means to better protect the EU’s critical ICT supply chains and combat cyber-attacks decisively, which is an important step in securing European technological sovereignty and ensuring greater safety for all.

Conclusion
In conclusion, the proposed Cybersecurity Act 2.0 aims to address the main problems of the current regulation and strengthen the EU’s cybersecurity posture. The new regulation proposes a trusted ICT supply chain security framework, streamlined certification schemes, and a greater role for ENISA. The implementation of the Cybersecurity Act 2.0 will be a crucial step in securing European technological sovereignty and ensuring greater safety for all. The EU Commission’s efforts to update the Cybersecurity Act demonstrate its commitment to protecting the EU’s critical ICT supply chains and combating cyber threats. As the EU continues to face evolving cyber threats, the implementation of the Cybersecurity Act 2.0 will be essential in ensuring the security and resilience of the EU’s digital economy.
