The negotiation session between the Parliament and the EU Council on the Cybersecurity Act, scheduled for 28 November, was billed as conclusive. The problem is that the co-legislators have only one hour and a number of questions are still on the table, among them the room for manoeuvre of the European Cybersecurity Certification Group. As a result, a fifth trialogue is already being considered for 10 December.
As evidenced by the table known as the '4 columns', dated 23 November, which sets out the positions of the co-legislators, an agreement appears to have been reached to rename the European Network and Information Security Agency (ENISA) the 'Cybersecurity Agency' and to strengthen its tasks. The co-legislators have also reached a compromise on the main lines of the European Cybersecurity Certification Framework (see EUROPE 11865).
They are nevertheless counting on their fourth negotiation meeting, on 28 November, to finalise the text. A technical meeting was held on 26 November and a final one could be added on 27 November.
Open issues regarding ENISA
As regards the part relating to the Agency, the co-legislators have not yet reached a compromise on the frequency of cybersecurity exercises (Article 6), with Parliament and the Commission advocating annual exercises and the Council proposing only 'regular' exercises. Nor have they reached agreement on the room for manoeuvre of the Executive Board, which assists ENISA's Management Board in emergencies (Article 18), or on the term of office of the Agency's Executive Director (Article 33), which Parliament would like to set at 5 years and the Council at 4. The other open questions concern vulnerability disclosure policies (Article 5) and the Agency's technical capacity (Article 7), two provisions requested by the European Parliament.
Open issues regarding certification
As regards the second part of the proposal, on the certification framework, Parliament and the Council are still seeking a compromise on whether certification should be mandatory. As a reminder, the European Parliament would like to include a provision to this effect for "operators of essential services", which the Council rejects (Article 48a). After having surveyed the Member States on 3 options, the Council could be ready to consider a mandatory system on the basis of an assessment by the Commission. The compromise envisaged would require the European Commission to take into account in its study the situation of non-certified products and services, the cost/benefit impact of the measures on manufacturers and users, the legislation in force, the results of a public consultation, and the setting of an implementation deadline and a transitional period.
The other open issues concern the European Cybersecurity Certification Group (Article 43b) and the Stakeholders' Certification Group (SCG) (Article 20a). For the former, the Council wants the European Cybersecurity Certification Group to be able to submit a candidate scheme to ENISA even where this is not provided for in ENISA's work programme, whereas Parliament considers that this task should be the sole responsibility of the Commission (given ENISA's limited resources). The latter is a request from the European Parliament that was not included in the Council's mandate. The document of 23 November states that the Presidency could nevertheless accept such a group, provided that it is constituted as a Commission expert group.
Other outstanding issues include cybersecurity information for certified products (Article 47a) and peer review (Article 50a in Parliament's text).
See “4 columns” table: http://bit.ly/2DOUs7h (Original version in French by Sophie Petitjean)