Agence Europe
Europe Daily Bulletin No. 12027
SECTORAL POLICIES / Digital

Member states reach agreement in principle on 'cybersecurity' regulation

National ambassadors to the EU (COREPER) gave their agreement on Friday 25 May to the draft compromise prepared by the Bulgarian Presidency of the Council on the draft regulation on the Act for cybersecurity and the European Cybersecurity Agency. This stage paves the way for a general approach by European ministers at the Telecoms Council on 8 June.

The draft legislation, unveiled on 13 September, grants a permanent mandate to the current European Network and Information Security Agency (ENISA). It also establishes a European cybersecurity certification framework for information and communication technology (ICT) products and services, and common rules governing European cybersecurity certification systems (see EUROPE 11865).

At the Council, ministers will set out their position on 8 June, whereas at the European Parliament, the vote in the industry committee is scheduled for 19 June.

The compromise on the table

The draft compromise prepared by the Bulgarian Presidency includes the main principles of the regulation, while taking care not to force member states’ hands (see EUROPE 12008). It notes, for example, that the future European Cybersecurity Agency can support the member states ‘upon their request.’ It also stipulates that the use of European cybersecurity certification and the conformity assessment should remain ‘voluntary’ unless otherwise stated in national or European law.

The most notable change is the introduction of a ‘European system of cybersecurity conformity self-assessment’ by the manufacturer or provider of ICT products and services (Recital 55). This system, which should be clearly identifiable by the consumer, would apply to low-complexity products and services (such as simple design and manufacturing mechanisms) that are of low risk to the public interest.

The manufacturer or supplier should send a copy of the EU statement of conformity to the national cybersecurity certification authority and to ENISA and keep the documents for the length of time ‘set out’ in the certification system (rather than the previously envisaged 10 years). 

In addition, the text foresees that the level of assurance should be proportionate to the level of risk associated with the planned use of an ICT process, product or service. It stresses that the technical specifications to be used in the European certification system should be identified in accordance with the principles set out in the regulation on European standardisation (1025/2012), except in ‘duly justified’ cases that should be made public. It foresees the creation of a European Cybersecurity Certification Group.

For Parliament, the report by Angelika Niebler (EPP, Germany), which will be put to a vote on 19 June, has been available since 19 March (see EUROPE 11994). The position of the internal market committee (intervening as the associated committee) was adopted on 17 May (see EUROPE 12022). (Original version in French by Sophie Petitjean)
