The EU Cybersecurity Act and European standards: an introduction to the role of European standardization

Abstract

Regulation (EU) 2019/881 [1] of the European Parliament and of the Council of 17 April 2019 on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification and repealing Regulation (EU) No 526/2013 (Cybersecurity Act) establishes, for the first time, a voluntary framework for European Union (EU)-wide cybersecurity certification for information and communications technology (ICT) products, services and processes. In doing so, the Cybersecurity Act provides the European Union Agency for Cybersecurity (ENISA) with a new mandate: ENISA will be involved in the development of the European cybersecurity certification framework by coordinating the establishment of specific cybersecurity certification schemes. Following the request of the European Commission, ENISA is currently preparing two schemes: the first one relates to the existing SOG-IS (“Senior Officials Group Information Systems Security”) MRA (Mutual Recognition Agreement) [2]—the second one concerns cloud security [3]. These initiatives take place in a context where the EU cybersecurity landscape remains fragmented due to the lack of cross-European interoperable solutions and the lack of EU mechanisms for certification. It is recognized that certification plays an important role in increasing trust and security in ICT products, services and processes. However, cybersecurity certification exists mainly at national level: a certificate issued by a national certification authority is not in principle recognised in another Member State. Hence, when operating across borders, companies may have to certify in several Member States. The establishment of tailored and risk-based EU cybersecurity certification schemes aims at addressing these issues: by increasing trust in those ICT products, services and processes that have been certified under specific certification schemes, and by avoiding the multiplication of overlapping national cybersecurity certification schemes.