EU cybersecurity certification framework on the way

A new EU Regulation has recently been published with the aim of strengthening cybersecurity across the EU, including the creation of a new cybersecurity certification framework.

Regulation (EU) 2019/881 on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification (the Cybersecurity Act) was published in the Official Journal on 7 June 2019.

The new legislation has two principal aims. First, to create an EU-wide cybersecurity certification framework for ICT products and services; second, to give the current EU Agency for Network and Information Security (ENISA) a permanent mandate as the EU Cybersecurity Agency.

The certification framework will be of particular interest to suppliers and purchasers of ICT products and services. It provides for European cybersecurity certification schemes under which a certificate issued in one Member State is recognised in all the others, so a supplier need only certify once. A certificate attests that a product or service meets the security requirements of the relevant scheme at a stated assurance level ('basic', 'substantial' or 'high'); it is a statement of conformity against those requirements rather than a guarantee that the product is free of vulnerabilities.

The security objectives of a cybersecurity certification scheme include the following:

  • Protecting data against accidental or unauthorised storage, processing, access, disclosure, destruction, loss or alteration.
  • Ensuring that only authorised persons, programs and machines can access protected data.
  • Recording which data, services or functions have been accessed, used or processed, when, and by whom.
  • Ensuring that those records can be inspected.
  • Restoring data and services promptly in the event of an information security incident.
  • Requiring that ICT products and services be supplied with secure, up-to-date software and hardware.

Once a relevant scheme has been established, manufacturers of ICT products or providers of ICT services may apply to a conformity assessment body of their choice to seek certification for their products or services. Certification is voluntary unless Union or national law makes it mandatory for a particular category of product or service. Even where it remains voluntary, suppliers of ICT products and services are likely to point to certification as evidence of their commitment to cybersecurity generally and of compliance with their legal obligations in this area, such as the security requirements of the GDPR. Purchasers, for their part, should check which scheme and which assurance level a certificate was issued under, since the requirements tested differ between levels.

Further details can be found in the text of the Regulation as published in the Official Journal.
