Agreement on The New EU Cybersecurity Act
According to a Bitkom study from September 2018, German industry has incurred a total loss of 43 billion euros as a result of cyberattacks over the past two years. Seven out of ten industrial companies have been victims of such attacks during this period. At EU level, there has recently been a growing discussion on how to face this mounting danger.
On December 10, 2018, the European Parliament, the European Council and the European Commission reached a political agreement on a cybersecurity act. The Regulation on ENISA, the "EU Cybersecurity Agency", and repealing Regulation (EU) 526/2013, and on Information and Communication Technology cybersecurity certification (“Cybersecurity Act") is essentially based on two ideas:
II. Essential content of the Regulation
1. Conformity assessment (EU certification framework)
The Regulation first provides for a so-called "conformity assessment", i.e. an EU-wide European certification framework for the cybersecurity of products, services and processes, similar to ISO/IEC 17000:2004. EU citizens are already familiar with this approach of defined minimum standards and their verification from the area of general product safety. The Regulation also aims to harmonize security standards, with the envisaged conformity assessment at its core. The objective is that compliance of products, services and processes with established cybersecurity requirements can be verified by the competent authority.
2. Minimum security standards and guidance of ENISA
ENISA now has an important role to play in establishing guidelines that secure a minimum standard for IT products imported into and exported from the EU. In this guidance role, ENISA resembles the German Federal Office for Information Security (BSI) (Sec. 8 para. 1 of the Act on the Federal Office for Information Security (BSIG)), with the essential difference that the addressees are not only federal authorities but also companies. The aim is to strengthen the trust of EU citizens in the IT products of these companies through a series of measures. For example, the manufacturers of these IT products must make written declarations to the effect that
Inseparable from ENISA's minimum standards is the consistent consideration of security throughout software development (Security by Design) and of the related data protection (Privacy by Design). Not least for this reason, all IT security requirements of the now European certification system are to be implemented by the involved parties during the various phases from the market launch of an IT product up to its removal from the market (the so-called product or service life cycle). It should be noted that the Regulation is the first internal market regulation to raise the security of networked products by means of such certificates.
The correct handling of backdoors in ICT products is also important. A backdoor is a part of a piece of software that lets someone gain access to a computer, or to an otherwise protected function of a program, while bypassing its normal access controls. To prevent such circumvention, ENISA, with its enhanced capabilities, is to work with the national certification authorities and develop cyber-hygiene practices along its five core principles (least privilege, micro-segmentation, encryption, multi-factor authentication and patching) in order to close possible vulnerabilities.
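To make the backdoor definition concrete, here is an added illustration that is not part of the article and not drawn from any real product: a login check with a hard-coded maintenance credential that bypasses the user database, beside a hardened version in which every login must pass the same salted-hash check. The user name, passwords and salt are constructed test data.

```python
"""Added example (not from the article): a hard-coded backdoor credential
beside a hardened login check. All names and secrets are constructed."""
import hashlib
import hmac
import os


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 with a per-user salt; iterations keep guessing slow.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user store: one ordinary user, password stored salted and hashed.
_ALICE_SALT = os.urandom(16)
USER_DB = {
    "alice": (_ALICE_SALT, _hash_password("correct horse battery staple", _ALICE_SALT)),
}


def authenticate_backdoored(username: str, password: str) -> bool:
    """Vulnerable: a fixed 'support' credential skips the database entirely.
    Anyone who learns it (from the binary, a leak, a former contractor) gets
    in, and rotating user passwords does nothing about it."""
    if username == "support" and password == "S3rv1ce!2018":  # the backdoor
        return True
    record = USER_DB.get(username)
    if record is None:
        return False
    salt, stored = record
    return hmac.compare_digest(_hash_password(password, salt), stored)


def authenticate(username: str, password: str) -> bool:
    """Hardened: there is exactly one path to 'True', and it runs through
    the user store and a constant-time comparison of the salted hash."""
    record = USER_DB.get(username)
    if record is None:
        # Hash anyway so an unknown user is not distinguishable by timing.
        _hash_password(password, _ALICE_SALT)
        return False
    salt, stored = record
    return hmac.compare_digest(_hash_password(password, salt), stored)


def demo() -> dict:
    """Shows the difference: the backdoor opens the vulnerable function only."""
    creds = [("alice", "correct horse battery staple"), ("alice", "wrong"),
             ("support", "S3rv1ce!2018")]
    return {
        "backdoored": [authenticate_backdoored(u, p) for u, p in creds],
        "hardened": [authenticate(u, p) for u, p in creds],
    }


if __name__ == "__main__":
    print(demo())
```

The point a certifier or reviewer would look for is structural: the hardened function has no branch that returns success without consulting the credential store, so a review of the code (or a scan for string-literal comparisons against a password variable) can establish the absence of a bypass, which is what a conformity assessment needs to verify.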
3. Different IT security levels for ICT products
Driven by the desire to remove the diverging requirements of international and national IT security certifications, ENISA is to create homogeneous levels of security for ICT products and services. For each cybersecurity certification, the individual ICT product or service is assigned to one of these security levels. This implies the possible regrouping or renaming of previous levels. In the future, three security levels are to be used:
Finally, ENISA will maintain checklists and make them publicly available to pre-assess the cyber risk of each ICT product and service.
4. Priority List: In the future, ICT products and services will be prioritized by ENISA
Due to its increasingly central role, ENISA will have the task of prioritizing cybersecurity certification for ICT products and services in the form of a continuously updated list (Priority List). This list should make clear which products and services most urgently require certification. ENISA will cooperate with the permanent stakeholder dialogue group, the European Cybersecurity Certification Group (which, in turn, consists of the national certification authorities) and other bodies.
5. Joining forces: In future, ENISA will incorporate data protection (EU GDPR)
To date, cybersecurity and data protection have mostly been considered separately. To counter this practice, ENISA's mandate will be extended to the development and implementation of European data protection. The objective is for ENISA to advise the European Data Protection Authority on its development of guidelines, especially in the technical field. These guidelines regulate the necessary use of personal data for IT security purposes, a core area that needs to be better coordinated in the light of a common objective. Therefore, in addition to data on cyberattacks, ENISA intends to bundle data on data breaches and make recommendations on both matters in the future. Since IT security incidents not only result from machine-to-machine communication (M2M) but can also originate from a personal data breach within the meaning of the GDPR, major data breaches will in future also be logged on a separate European portal operated by ENISA.
The new EU Cybersecurity Act, i.e. the Regulation on ENISA, the "EU Cybersecurity Agency", and repealing Regulation (EU) 526/2013, and on Information and Communication Technology cybersecurity certification ("Cybersecurity Act"), is an appropriate step towards effectively defending against cyberattacks. In particular, manufacturers of IT products will have to address the matter, as certain areas will be subject to certification in the future. In this respect, the new certification framework offers advantages, especially for small and medium-sized enterprises (SMEs), because obtaining separate national certificates will no longer be necessary once an EU-wide certification system is in place.
For EU citizens, the Regulation will help them trust the devices they use on a daily basis, as there will be a range of products in the future that would be EU-certified for cybersecurity.
Companies wishing to increase their own IT security in the workplace prior to the EU Cybersecurity Act entering into force could consider the following measures:
We would like to thank Mr. RA Sebastian B. Jürgensen for his collaboration on this article. He is the in-house lawyer of a medium-sized group of companies in Hamburg.