Discussions on the Cyber Security Act are taking shape. With the responsible European Parliament committee having announced a vote next June, the Council is continuing its examination of the text in a working party format. According to a document dated at the beginning of February, it is planning to introduce a “European cyber security self-assessment system”.
The draft regulation presented in September 2017 as part of a cyber security package strengthens the mandate of the European Network Information Security Agency (ENISA) and is proposing to establish a European certification framework (see EUROPE 11865). The European Parliament has appointed Angelika Niebler (EPP, Germany) as rapporteur on this dossier on behalf of the industry committee (ITRE). The budget, internal market and civil liberties committees will also give their opinions.
At the Council, it is the horizontal working party on cyber security issues that is dealing with this reform. It last met on 8 February and is expected to meet again on 22 February.
First tangible results of working party
At this stage, the experts are seeking to introduce two new articles to complete the framework for cyber security certification (section III). They are proposing new provisions on the maintenance of a European certification system for cyber security by way of a five-year revision of the system (article 44 b) and the introduction of a European cyber security self-assessment system (article 47 b). A “European cybersecurity self-assessment scheme shall be established in order to enable the vendor of ICT products and services to self-attest the results of a conformity assessment carried out in accordance with the specific security requirements laid down in that scheme”.
For the remainder, the working paper, as seen by EUROPE, supports the introduction of a network of national liaison agents to facilitate exchanges between ENISA and the Member States (article 20a). It is, however, against ENISA being involved in ex post technical investigations in missions connected to European operational cooperation, and against an overly strict deadline for European-level cyber security exercises. Sweden has already said that it will not support the Presidency's proposals on ex post technical investigations. (Original version in French by Sophie Petitjean)