The European Cybersecurity Act has come into force. The European Union Agency for Network and Information Security (ENISA) is the key governing body under the Act and will assess products for cybersecurity weaknesses. The Act also makes ENISA's mandate permanent: its temporary mandate, renewed in 2013, had been set to expire in 2020.
“This means very concretely – if one Member State is a cyberattack victim, it can very quickly use ENISA’s expertise to identify vulnerabilities and resolve it, which has not been possible so far. Even when they are not a victim of the cyberattack, ENISA can help them find out very quickly what’s going to make them more cyber-safe,” Maria Gabriel, Commissioner for Digital Economy and Society, told the Bulgarian National Radio.
According to her, cybersecurity certifications will also be part of the Act. “European citizens will be able to know at what level of security the products they buy are, and for European businesses, for the first time, a certificate valid in one of the Member States will be valid for the whole territory of the Union,” she said.
With its newly assigned duties, ENISA, as the key governing body, will be instrumental in setting up and maintaining the European cybersecurity certification framework. ENISA will prepare technical specifications for several certifications covering both public and private enterprises.
“In order to achieve equivalent standards throughout the Union, to facilitate mutual recognition and to promote the overall acceptance of European cybersecurity certificates and EU statements of conformity, it is necessary to put in place a system of peer review between national cybersecurity certification authorities. Peer review should cover procedures for supervising the compliance of ICT products, ICT services and ICT processes with European cybersecurity certificates, for monitoring the obligations of manufacturers or providers of ICT products, ICT services or ICT processes who carry out the conformity self-assessment, for monitoring conformity assessment bodies, as well as the appropriateness of the expertise of the staff of bodies issuing certificates for assurance level ‘high’. The Commission should be able, by means of implementing acts, to establish at least a five-year plan for peer reviews, as well as lay down criteria and methodologies for the operation of the peer review system,” states the Act.
ENISA has also been mandated to increase cooperation with EU member states and to support them in handling cybersecurity incidents, including large-scale state-sponsored cyber attacks. With the Act in place, ENISA will serve as the secretariat of the Computer Security Incident Response Teams (CSIRTs) Network.