New Cybersecurity Regulations for the EU Member States

January 05, 2022 | 5 minutes read
New Cybersecurity Regulations for the EU Member States

The EU Cybersecurity Act (Regulation (EU) 2019/881) or the EU Cybersecurity Act for short is a cybersecurity law that was recently enacted in the EU in 2019. The EU Cybersecurity Act was passed a as result of the European Parliament’s efforts to both prevent and reduce cybersecurity-related threats beginning in 2017. To this point, the law established the EU Cybersecurity Agency, formerly known as the European Union Agency for Cybersecurity or ENISA for short, as the permanent regulatory authority for cybersecurity matters within the EU. Moreover, the law also established a cybersecurity certification framework within the EU. As such, the EU’s Cybersecurity Act and the General Data Protection Regulation or GDPR represent the foremost means by which the personal data of citizens residing in EU member states is legally protected.

What are the provisions of the EU Cybersecurity Act?

One of the primary provisions of the EU Cybersecurity Act is the establishment of a cybersecurity certification framework for information and communications technology or ICT. As certification plays an important and integral role in both establishing and maintaining trust in regards to products and services that are offered in the digital world, the creation of a single certification framework that all ICT products that are offered within the EU must adhere to allows for greater continuity and cohesion for all parties involved. Prior to the passing of the EU Cybersecurity Act in 2019, a number of varying security certification schemes were used to regulate ICT products and services within the EU. As such, creating a unified standard that all ICT providers within the EU can follow allows for said entities to more effectively safeguard their products from cybersecurity threats.

As such, the cybersecurity certification framework that was established by the EU Cybersecurity Act provides three levels of assurance for all ICT products and services. These levels of assurance include basic, substantial, and high. These assurance levels are used to convey the potential risk that an ICT product stands to pose to a consumer within the EU, in terms of both the probability and impact of an accident as it relates to data security. As such, each certification scheme that an ICT provider operating within the EU implements under the provisions of the EU Cybersecurity Act should specify the following:

How is the certification process handled under the EU Cybersecurity Act?

Under the EU Cybersecurity Act, each member state within the EU is charged with appointing a “national certification supervisory authority which will be charged with managing certification issuance, conformity, and related penalties for non-compliance.” As of 2022, all cybersecurity certification within the EU is voluntary, unless such certification is mandated by other laws within a particular EU member state. However, the current voluntary nature of the certification process under the EU Cybersecurity Act is expected to change in the future, as the cybersecurity certification framework that was established by the law effectively supersedes all national frameworks that currently exist within EU member states. Generally speaking, ICT providers that offer products considered to be low risk under the certification framework are expected to be able to rely on self-assessment and third-party procedures for the foreseeable future.

However, is it estimated that the EU Cybersecurity Agency will determine if ICT providers who offer substantial or high-risk ICT products and services will need to go through a more rigorous process to achieve compliance with the law by as early as 2023. As such, many ICT providers within the EU will need to conform to the provisions set out in the EU Cybersecurity Act or face the possibility of sanctions and penalties. Much like was done with the establishment of the EU’s GDPR law, ICT providers and other cybersecurity professionals conducting operations within the EU will more than likely be given a grace period under which they can take the measures and steps that are needed to comply with the law. Nevertheless, all providers of ICT products and services within the EU are encouraged to go through the cybersecurity certification process as it currently stands, irrespective of the level of assurance of their particular products.

Does the EU Cybersecurity Act affect American businesses?

Just as American companies and businesses that conduct operations within EU member states must comply with the provisions of the EU’s GDPR law, American ICT providers will also have to comply with the EU Cybersecurity Act. As such, many U.S.-based companies that offer products and services to EU member states will also have to go through the cybersecurity certification to ensure that their operations comply with all provisions established by the law. With this being said, American companies must take it upon themselves to gain a firm and comprehensive understanding of the different facets and particulars of the law, as the current privacy landscape within the U.S. is largely dominated by state laws and regulations, in stark contrast to the wide-reaching and all-encompassing legislation that continues to be passed in the EU.

As more businesses and organizations continue to offer products and services online to consumers around the world, legislation such as the EU Cybersecurity Act will only increase in frequency. As ICT products and services are not tangible, the development of processes and procedures that prospective consumers can use to gauge the risk associated with a particular product or service is paramount to ensuring that transactions can be conducted in the most transparent and efficient manner possible. In this way, the EU continues to lead the way in terms of privacy legislation and data protection around the world.

Related Reads

Blurring Faces from Videos and The Truth About Body-Worn Camera Privacy
September 06, 2023 | 4 minutes read
Blurring Faces from Videos and The Truth About Body-Worn Camera Privacy

Body-worn cameras are an essential piece of equipment for law enforcement officers and the redaction of faces from BWC footage is necessary to protect the privacy of individuals.

Learn More »
Sensitive Information, Protected: Patient Privacy, HIPAA, And You
August 30, 2023 | 4 minutes read
Sensitive Information, Protected: Patient Privacy, HIPAA, And You

HIPAA compliance ensures patient privacy. Often making the consequences of non-compliance severe, so how do you avoid that?

Learn More »
Protecting Privacy in the Healthcare Field: PII, PHI & PCI
July 12, 2023 | 5 minutes read
Protecting Privacy in the Healthcare Field: PII, PHI & PCI

Healthcare professionals handle a wide range of sensitive data that is crucial for delivering quality care. But protecting that data is getting harder.

Learn More »
FISA Section 702, Is The US Government Monitoring You?
June 26, 2023 | 6 minutes read
FISA Section 702, Is The US Government Monitoring You?

Is there a give-and-take relationship that must be accepted when it comes to keeping the country safe? Should U.S. persons be okay with the incidental collection of their conversations in the name of national security under FISA Section 702? Even when it violates their constitutional rights? Well, that’s up to Congress to decide.

Learn More »
The Gap You Won’t Want to Close: Air-Gapped Systems
June 05, 2023 | 6 minutes read
The Gap You Won’t Want to Close: Air-Gapped Systems

An air-gapped system is a computer, or network that is physically isolated from any external connections and networks which includes the Internet. It operates in total isolation with neither wired nor wireless connections to other devices.

Learn More »
Using Redaction for Privacy Maintenance as An Investigator
May 31, 2023 | 5 minutes read
Using Redaction for Privacy Maintenance as An Investigator

These oaths emphasize upholding the law, serving the public, and protecting the rights of individuals. One of these many rights is privacy. An investigator must adhere to the legal and ethical guidelines within the jurisdiction and perform their investigation within those specifically set boundaries.

Learn More »