New Cybersecurity Regulations for the EU Member States
Regulation (EU) 2019/881, or the EU Cybersecurity Act for short, is a cybersecurity law that was enacted in the EU in 2019. The EU Cybersecurity Act was passed as a result of the European Parliament’s efforts, beginning in 2017, to both prevent and reduce cybersecurity-related threats. To this end, the law established the EU Cybersecurity Agency, formerly known as the European Union Agency for Cybersecurity or ENISA for short, as the permanent regulatory authority for cybersecurity matters within the EU. Moreover, the law also established a cybersecurity certification framework within the EU. As such, the EU’s Cybersecurity Act and the General Data Protection Regulation or GDPR represent the foremost means by which the personal data of citizens residing in EU member states is legally protected.
What are the provisions of the EU Cybersecurity Act?
One of the primary provisions of the EU Cybersecurity Act is the establishment of a cybersecurity certification framework for information and communications technology or ICT. As certification plays an important and integral role in both establishing and maintaining trust with regard to products and services that are offered in the digital world, the creation of a single certification framework that all ICT products offered within the EU must adhere to allows for greater continuity and cohesion for all parties involved. Prior to the passing of the EU Cybersecurity Act in 2019, a number of varying security certification schemes were used to regulate ICT products and services within the EU. As such, creating a unified standard that all ICT providers within the EU can follow allows those entities to more effectively safeguard their products from cybersecurity threats.
The cybersecurity certification framework that was established by the EU Cybersecurity Act provides three levels of assurance for all ICT products and services: basic, substantial, and high. These assurance levels are used to convey the potential risk that an ICT product poses to a consumer within the EU, in terms of both the probability and the impact of a data security incident. Each certification scheme that an ICT provider operating within the EU implements under the provisions of the EU Cybersecurity Act should therefore specify the following:
- The specific categories of ICT products and services that are covered.
- The cybersecurity requirements that correspond to such ICT products and services, such as any applicable technical standards or specifications, among other pertinent details.
- The type of evaluation that was used to give a particular ICT product or service a given assurance level, whether it be a self-assessment conducted by an ICT provider or an assessment that is conducted by a third party.
- The intended level of assurance for the particular ICT product or service.
How is the certification process handled under the EU Cybersecurity Act?
Under the EU Cybersecurity Act, each member state within the EU is charged with appointing a “national certification supervisory authority which will be charged with managing certification issuance, conformity, and related penalties for non-compliance.” As of 2022, all cybersecurity certification within the EU is voluntary, unless such certification is mandated by other laws within a particular EU member state. However, the current voluntary nature of the certification process under the EU Cybersecurity Act is expected to change in the future, as the cybersecurity certification framework that was established by the law effectively supersedes all national frameworks that currently exist within EU member states. Generally speaking, ICT providers that offer products considered to be low risk under the certification framework are expected to be able to rely on self-assessment and third-party procedures for the foreseeable future.
However, it is estimated that the EU Cybersecurity Agency will determine, as early as 2023, whether ICT providers who offer substantial or high-risk ICT products and services will need to go through a more rigorous process to achieve compliance with the law. As such, many ICT providers within the EU will need to conform to the provisions set out in the EU Cybersecurity Act or face the possibility of sanctions and penalties. Much as was done with the establishment of the EU’s GDPR law, ICT providers and other cybersecurity professionals conducting operations within the EU will more than likely be given a grace period during which they can take the measures and steps needed to comply with the law. Nevertheless, all providers of ICT products and services within the EU are encouraged to go through the cybersecurity certification process as it currently stands, irrespective of the level of assurance of their particular products.
Does the EU Cybersecurity Act affect American businesses?
Just as American companies and businesses that conduct operations within EU member states must comply with the provisions of the EU’s GDPR law, American ICT providers will also have to comply with the EU Cybersecurity Act. As such, many U.S.-based companies that offer products and services to EU member states will also have to go through the cybersecurity certification process to ensure that their operations comply with all provisions established by the law. With this being said, American companies must take it upon themselves to gain a firm and comprehensive understanding of the different facets and particulars of the law, as the current privacy landscape within the U.S. is largely dominated by state laws and regulations, in stark contrast to the wide-reaching and all-encompassing legislation that continues to be passed in the EU.
As more businesses and organizations continue to offer products and services online to consumers around the world, legislation such as the EU Cybersecurity Act will only increase in frequency. As ICT products and services are not tangible, the development of processes and procedures that prospective consumers can use to gauge the risk associated with a particular product or service is paramount to ensuring that transactions can be conducted in the most transparent and efficient manner possible. In this way, the EU continues to lead the way in terms of privacy legislation and data protection around the world.