European Union’s new Cybersecurity Act: All you need to know
On March 12, the EU Parliament passed into law its new Information and Communication Technology cybersecurity certification, also known as the Cybersecurity Act, which will enable EU nations to monitor the cyber resilience of network and information systems and telecommunications networks and services sold and operated within their jurisdictions.
The EU Cybersecurity Act, which is already informally agreed with member states, underlines the importance of certifying critical infrastructure, including energy grids, water, energy supplies and banking systems in addition to products, processes and services. By 2023, the Commission shall assess whether any of the new voluntary schemes should be made mandatory.
The Cybersecurity Act also provides for a permanent mandate and more resources for the EU Cybersecurity Agency, ENISA.
Re: European Union’s new Cybersecurity Act: All you need to know
Key elements of the new EU cybersecurity certification framework
Importantly, the framework creates a mechanism to establish European cybersecurity certification schemes based on existing European or international standards. The regulation recognizes that the certification schemes “should be non-discriminatory and based on European or international standards.”
The schemes will be implemented and supervised by national cybersecurity certification authorities. Certification schemes operated by industry or other private organizations fall outside of the scope of the regulation, but may be proposed and approved as formal European cybersecurity certification schemes.
New schemes will replace existing national certification schemes – with the exception of schemes for national security purposes – and certificates should be recognized throughout the Union. This is in order to avoid companies, for example, having to certify to multiple national schemes in order to participate in national procurement procedures. (The regulation recognizes that existing mutual recognition of certificates within the Union has only been partly successful.) Once a certification scheme is adopted, manufacturers of relevant products, services and processes should be able to submit an application for certification to a conformity assessment body of their choice anywhere in the Union. Certificates issued under schemes also should be valid and recognized throughout the Union.
The schemes and certificates issued under the schemes may specify different assurance levels: ‘basic’, ‘substantial’ or ‘high.’ Assurance levels are intended to be commensurate with the level of risk associated with the intended use of the ICT product, service or process “in terms of the probability and impact of an incident.” Security requirements corresponding to each assurance level are intended to reflect the “rigour and depth of the evaluation” of the ICT product, service or process.
In addition to more formal certification, certification schemes may provide for “conformity self-assessment.” However, conformity self-assessment is only for low complexity ICT products, services or processes that present a low risk to the public and correspond to assurance level ‘basic.’
The new certification schemes initially will be voluntary. That said, the Commission is required to evaluate by 2023 whether specific schemes should become mandatory for certain ICT products, services or processes.
EU Member States will establish penalties for infringing European cybersecurity certification schemes. Penalties must be “effective, proportionate and dissuasive.”
Re: European Union's new Cybersecurity Act: All you need to know
> leroux (Community Champion) posted a new topic in Industry News on 03-16-2019
> On March 12, the EU Parliament passed into law its new Information and Communication Technology cybersecurity certification, also known as the Cybersecurity Act, which will enable EU nations to monitor the cyber resilience of network and information systems and telecommunications networks and services sold and operated within their jurisdictions.
Some years back, a group attempted to assess the resilience of networks and utilities in the US. Apparently, the US has laws which prevent the utilities from cooperating with such an assessment ...