EU Cybersecurity Agency and cybersecurity certification

Briefing 20-12-2017

This note seeks to provide an initial analysis of the strengths and weaknesses of the European Commission's impact assessment (IA) accompanying the above proposal, which is the main part of the 'Cybersecurity package', submitted on 13 September 2017 and referred to Parliament's Committee on Industry, Research and Energy (ITRE). As announced in the State of the Union Address 2017 and the Commission's communication on Europe's Cyber Resilience System and Cybersecurity Industry, the initiative aims to reform the European Union Agency for Network and Information Security (ENISA or 'Agency') in order to enhance its supporting functions for Member States in achieving cybersecurity resilience and to acknowledge the Agency's responsibilities under the new directive on security of network and information systems (NIS Directive). In addition, the proposal establishes a voluntary European cybersecurity certification framework to promote such certification schemes for specific information and communication technology (ICT) products and services, and to allow for mutual recognition of certificates so as to avoid further market fragmentation.