EU Cybersecurity Agency and the cybersecurity Act

In “Industry, Research and Energy - ITRE”

PDF version

For a brief overview of the key points of the adopted text and its significance for the citizen, please see the corresponding summary note.

On 13 September 2017, as announced in Juncker's State of the Union speech, the Commission adopted a cybersecurity package (see related carriage in this train). The package builds upon existing instruments and presents new initiatives to further improve EU cyber resilience, deterrence and response. Within it, the Commission has put forward a legislative proposal which foresees a permanent mandate for the European Union Agency for Network and Information Security (ENISA) and the creation of an EU certification framework for ICT security products ('the cybersecurity act'). The current mandate of ENISA, based in Greece, will expire in June 2020. In light of the significant changes that have occurred in the cybersecurity landscape in the last years and the increasing risks coming from a connected world expected to reach about 30 billion connected devices by 2020, the Commission decided to reinforce the EU's resilience, deterrence and response to cyber-attacks. This builds on the review of the 2013 EU cybersecurity strategy and on the mid-term review of the Digital Single Market strategy, which has identified cybersecurity as one of the three key areas for EU action during the strategy's second half.

In addition the Directive on the Security of Network and Information Systems (NIS directive, see the related wagon in arrivals) has formally created a network of Member State Computer Security Incident Response Teams (CSIRTs) and the secretariat for this network needs to be provided by ENISA. In order to assist Member States in implementing the NIS Directive, the Commission proposes to reform ENISA into a stronger EU Cybersecurity Agency with a permanent mandate and bigger amount of resources. Until now ENISA's role was mainly to provide expertise rather than dealing operationally with cybersecurity, thus it will require more resources in the near future as NIS is being applied in the Member States as of May 2018.

The Commission is also proposing the creation of a European cybersecurity certification framework which is expected to deliver numerous individual European cybersecurity certification schemes, i.e. clear descriptions of security requirements to be met by covered products, systems or services. Though the use of this European cybersecurity certification scheme will be on a voluntary basis as it is non-mandatory.

On 19-20 October 2017, the European Council asked for the adoption of a common approach to EU cyber security following the cybersecurity package proposal. On 20 November 2017, the Council adopted conclusions to set up an action plan for the reform of EU cyber security.

Within the European Parliament the file has been assigned to the Industry committee (ITRE) rapporteur Angelika Niebler (EPP, Germany). The Internal Market and Consumer Protection (IMCO), Budgets (BUDG) and Civil Liberties (LIBE) committees have been asked to provide opinions, whereas IMCO also acts as an associated committee.

On 16 March 2018, LIBE published its draft Opinion. Both BUDG and IMCO have already adopted their Opinions (on 16 May and 17 May 2018 respectively).

On 27 November 2017, the ITRE committee held a public hearing on the issue, and on 27 February 2018, the rapporteur had a meeting with experts and the European Commission. On 24 March 2018, there was an exchange of views on the proposal at the ITRE committee. On 27 March 2018, the committee draft report was published and on 23 April 2018 there was the consideration of the draft report at the ITRE committee. On 30 April 2018, the amendments tabled in committee were published.

On 14 February 2018, the European Economic and Social Committee adopted its opinion on the proposal, where it supports it and asks the European Commission to consider a number of additional recommendations.

The Industry, Research and Energy (ITRE) Committee adopted its report on 10 July 2018, with 56 votes in favour, 5 against and with 1 abstention. It also adopted its mandate to enter into inter-institutional negotiations, which was also adopted by Parliament during the September plenary session.

The report supports the proposed enhanced permanent mandate for ENISA and the creation of a voluntary EU cybersecurity framework scheme for ICT products, services and processes, which might become mandatory in some cases. It requests that the certification schemes include not only ICT 'products' and 'services' but also 'processes', to consider their whole life-cycle. The report proposes to give ENISA additional tasks, broadening its role even further to improve the coordination and exchange of best practices among Member States on cybersecurity education, to increase awareness of cyber-hygiene for citizens, educators and business. The Committee wishes to see the agency increase its reporting activities in regular state of cybersecurity reports, independent periodic ex-post checks on the compliance of certified ICT products and services with European cybersecurity certification schemes, and regular IT security audits of critical cross-border infrastructures. The report also highlights that ENISA would draft candidate EU certification schemes for specific products, processes and services, at the request of the European Commission, which would be empowered to adopt the schemes by means of delegated acts (rather than implementing acts as stated in the proposal). The report reinforces stakeholder consultation and the role of industry in the schemes' development and redefines the three risk-based assurance levels. It also suggests the closure of ENISA's Heraklion office and its relocation to Athens.

On 8 June 2018, the Council agreed on its position. In its 'general approach' it supports to upgrade ENISA into a permanent EU agency for cybersecurity and to create a voluntary EU-wide certification framework for ICT products and services. 

The first trilogue took place on 13 September 2018, the second on 1 October, the third on 5 November, the fourth on 22 November and the fifth on 10 December 2018. During the last trilogue, an agreement was reached. The deal was approved in the ITRE meeting on 14 January 2019 and adopted by Parliament during the 12 March 2019 plenary with 586 votes to 44 and 36 abstentions.  

It was signed by the President of the European Parliament and of the Council on 17 April 2019. The regulation was published on the official jounal of 7 June 2019 and entered into force on 27 June 2019.

References:

Further reading:

Author: Maria del Mar Negreiro Achiaga, Members' Research Service, legislative-train@europarl.europa.eu

As of 20/11/2019.