News

Coming into force of the Union’s Cybersecurity Act

With the vital role that both network and information systems and electronic communication networks have come to play, cybersecurity is ever more crucial. Within such a context, the coming into force of the European Union’s Cybersecurity Act (“the Act”) at the end of June, is an even more significant occasion.

As goods, services and processes become ever more intertwined with the deployment of the Internet of Things (IoT), impacting citizen, businesses and governments alike, utilized systems must become evermore resilient. The Cybersecurity Act aims to cater for such realities by firstly establishing an EU-wide cybersecurity certification framework and secondly giving a stronger mandate to ENISA, the EU’s Agency for Cybersecurity.

The Act adds on to the Union’s range of instruments intended to create a solid framework for the protection of electronic communications, along with the Directive on Security of Network and Information Systems (NIS Directive) and the Union’s telecoms rules.

Certification Framework

The Union’s new certification framework covers services, processes and goods. The first-of-their-kind rules encourage manufacturers and providers to take a security by design approach throughout the development and implementation stage of services, processes and goods, thus minimizing both the potential of a cyberattack being successful and potential implications.

The framework, which aims to rely on international standards, thus ensuring that no barrier to trade is created, enables tailored and risk-based EU certification schemes consequently guaranteeing that diverse ICT products, services and process, along with their uses, are catered for under the same certification process.

Three assurance levels are laid out with the certification framework: basic, substantial and high. Evaluation to reach an assurance level, can be either one of self-assessment or involving a third party. Drawing parallels with Malta’s Innovative Technology Arrangements and Services Act, the certification framework is voluntary, with a possibility that in the near future the European Commission rolls out a mandatory certification scheme.

Once a certificate is issued, this is to be recognized across all EU Member States, setting the necessary blocks for the harmonization of cybersecurity. Moreover, citizens, end-users, vendors and providers of products and services and Governments benefit altogether from such certification.

On a national level, “national cybersecurity certification schemes, and the related procedures for the ICT products, ICT services and ICT processes that are covered by a European cybersecurity certification scheme shall cease to produce effects”, and cannot introduce schemes which are already covered by an EU certification scheme.

ENISA’s mandate

The EU Agency for Cybersecurity was given a permanent mandate, guaranteeing that such Agency can support policy, reflecting a general consensus that exists in having a recognized agency responsible for contributing to and implementing the Union’s cybersecurity strategy. To this end, ENISA shall see to the implementation of the Union’s policy, in amongst others: the field of electronic identity and trust services and within the ever-reaching sphere of data protection and privacy. In addition, ENISA will be providing advice to the European Data Protection Board.

ENISA will play a role in the certification framework introduced by the Act, over and above tasks entrusted to the same agency by the NIS Directive. Moreover, the agency will be responsible for market analysis in relation to trends in cybersecurity, effectively being able to support EU policy development in ICT standardization.

Article written by Dr Bernice Saliba.

For more information on Cybersecurity, DLTs, Blockchain and Cryptocurrencies please contact Dr Ian Gauci on igauci@gtgadvocates.com, Dr Terence Cassar on tcassar@gtgadvocates.com and Dr Bernice Saliba on bsaliba@gtgadvocates.com

Disclaimer: This article is not intended to impart legal advice and readers are asked to seek verification of statements made before acting on them.