The European Union is adopting increasingly detailed rules on cybersecurity. After a formal vote in Parliament on the Cybersecurity Act the day before, MEPs and Member States' ambassadors are about to adopt, on Wednesday 13 March, their negotiating positions on a draft regulation aimed at pooling resources and expertise in the field of cybersecurity technologies.
Cybersecurity Act
The vote on the Cybersecurity Act on 12 March was more formal than anything else, following the agreement reached on 10 December between Parliament and the Council of the EU (see EUROPE 12157/5). The Regulation, some of whose provisions will only apply in 2 years' time, gives a permanent mandate and enhanced tasks to the European Union Agency for Cybersecurity (ENISA). It also introduces a European cybersecurity certification system to ensure that cybersecurity standards are met by products and services marketed in EU countries.
During a debate in Parliament on 11 March, Angelika Niebler (EPP, Germany), rapporteur on the dossier, welcomed the new provisions, but regretted that the institutions had not been more ambitious with regard to the mandatory certification of critical infrastructure.
Pooling strengths
While the Cybersecurity Act is more or less in place, there is another text still under discussion in Brussels: the draft regulation establishing a European centre of competence and a network of national coordination centres. This text, presented in September 2018, aims to strengthen and complement existing research, technological and industrial capacities at EU and national level. At this stage, neither Parliament nor the Council of the EU has yet adopted its negotiating position. But this will not be long in coming: on Parliament's side, the Industry Committee already voted on Julia Reda's (Greens/EFA, Germany) report on 19 February (see EUROPE 12197/6) and the whole plenary is due to vote on 13 March, with amendments having been retabled by the Greens/EFA and GUE/NGL, in particular on not using the Centre's resources to finance the defence sector, including to develop cyber weapons.
On the side of the Member States, co-legislators on this dossier, the Romanian Presidency is expected to submit to the Committee of Permanent Representatives on 13 March a sixth compromise version of the text with a view to reaching a general approach by the Council of the EU. This new version, as seen by EUROPE, is once again moving towards voluntary rather than mandatory financial participation by Member States (see EUROPE 12204/1). The document, dated 8 March, suggests that it is the European budget (Digital Europe and Horizon Europe programmes) that should finance the new European centre responsible for coordinating and defining strategic orientations for cybersecurity research, innovation and deployment. Similarly, it proposes that Member States should be able to make "voluntary financial contributions" for joint actions with the Union.
One of the points of convergence between Parliament and the Council of the EU seems to be the seat of the future centre: whereas the European Commission proposed to locate it in Brussels, both the ITRE Committee's report and the Romanian draft compromise opt for a freer interpretation, to be decided later.
During the debate with MEPs on 12 March, European Commission Vice-President Andrus Ansip stressed that this regulation was a key element in building a secure single digital market. "It is in Europe's strategic interest to make its industry safe", he said, welcoming the fact that the co-legislators are in the process of defining their respective positions. (Original version in French by Sophie Petitjean)