Negotiators from the European Parliament and the EU Council managed to finalise the final details of the Cybersecurity Act to protect Europe from online attacks on the evening of Monday 10 December. Parliament has agreed to abandon the idea of mandatory certification in the short term, contenting itself with a review clause.
According to the European Commission, cyber attacks using ransom have tripled between 2015 and 2017, while the effects of cyber crime on the economy have increased fivefold since 2013.
The new rules therefore grant a permanent mandate and enhanced tasks to the European Network and Information Security Agency (ENISA), whose mandate would otherwise have expired in 2020. They also introduce a European cybersecurity certification system to ensure that cybersecurity standards are met by products and services marketed in EU countries. "This is the first time we have a law in the internal market that addresses the challenge of strengthening the security of connected products," said Commissioner Mariya Gabriel at a press conference.
The last issues are resolved
Several issues remained outstanding at the fourth negotiating meeting on 28 November (see EUROPE 12148). Finally, on the binding or non-binding nature of the certification system for critical infrastructure, the co-legislators chose to opt for a non-binding mechanism, as the Council wanted. However, in response to the European Parliament's requests, they have introduced a review clause which requires the Commission to assess, by 2023, the need for a mandatory mechanism. At the same time, the text provides for the possibility for companies to certify their own products for some of the certificates necessary to guarantee a minimum level of cybersecurity.
At the request of the European Parliament, the co-legislators agreed to the creation of a (consultative) group of certification stakeholders to identify the priorities of the certification work programme. They also gave the European certification group the possibility to submit a candidate system to ENISA without this being provided for in the work programme. They also validated the principle that consumers should be better informed about the level of cybersecurity of certified products and services.
As far as ENISA is concerned, the co-legislators have agreed to double its budget. "ENISA currently has €10 million per year at its disposal. In the future, it will have 23 million per year ," commented Mariya Gabriel, bouncing back on information from the rapporteur, Angelika Niebler (EPP, Germany), that the agency's membership would increase from 80 people today to 160 in the future. It should be noted that the term of office of the Executive Director of the Agency will be limited to 5 years, as requested by the European Parliament. (Original version in French by Sophie Petitjean)