leroux
Community Champion

European Union’s new Cybersecurity Act: All you need to know

On March 12, the EU Parliament passed into law its new Information and Communication Technology cybersecurity certification, also known as the Cybersecurity Act, which will enable EU nations to monitor the cyber resilience of network and information systems and telecommunications networks and services sold and operated within their jurisdictions.

The EU Cybersecurity Act, which is already informally agreed with member states, underlines the importance of certifying critical infrastructure, including energy grids, water, energy supplies and banking systems in addition to products, processes and services. By 2023, the Commission shall assess whether any of the new voluntary schemes should be made mandatory.

The Cybersecurity Act also provides for a permanent mandate and more resources for the EU Cybersecurity Agency, ENISA.

For more see http://www.europarl.europa.eu/sides/getDoc.do?pubRef=-//EP//TEXT+TA+P8-TA-2019-0151+0+DOC+XML+V0//EN...


2 Replies
leroux
Community Champion

Key elements of the new EU cybersecurity certification framework

  • Importantly, the framework creates a mechanism to establish European cybersecurity certification schemes based on existing European or international standards.  The regulation recognizes that the certification schemes “should be non-discriminatory and based on European or international standards.”
  • The schemes will be implemented and supervised by national cybersecurity certification authorities.  Certification schemes operated by industry or other private organizations fall outside of the scope of the regulation, but may be proposed and approved as formal European cybersecurity certification schemes.
  • New schemes will replace existing national certification schemes – with the exception of schemes for national security purposes – and certificates should be recognized throughout the Union.  This is in order to avoid companies, for example, having to certify to multiple national schemes in order to participate in national procurement procedures.  (The regulation recognizes that existing mutual recognition of certificates within the Union has only been partly successful.)  Once a certification scheme is adopted, manufacturers of relevant products, services and processes should be able to submit an application for certification to a conformity assessment body of their choice anywhere in the Union.  Certificates issued under schemes also should be valid and recognized throughout the Union.
  • The schemes and certificates issued under the schemes may specify different assurance levels: ‘basic’, ‘substantial’ or ‘high.’  Assurance levels are intended to be commensurate with the level of risk associated with the intended use of the ICT product, service or process “in terms of the probability and impact of an incident.” Security requirements corresponding to each assurance level are intended to reflect the “rigour and depth of the evaluation” of the ICT product, service or process.
  • In addition to more formal certification, certification schemes may provide for “conformity self-assessment.”  However, conformity self-assessment is only for low complexity ICT products, services or processes that present a low risk to the public and correspond to assurance level ‘basic.’
  • The new certification schemes initially will be voluntary.  That said, the Commission is required to evaluate by 2023 whether specific schemes should become mandatory for certain ICT products, services or processes.
  • EU Member States will establish penalties for infringing European cybersecurity certification schemes.  Penalties must be “effective, proportionate and dissuasive.”
rslade
Influencer II

> leroux (Community Champion) posted a new topic in Industry News on 03-16-2019

> On March 12, the EU Parliament passed into law its new Information and
> Communication Technology cybersecurity certification, also known as the
> Cybersecurity Act, which will enable EU nations to monitor the cyber resilience
> of network and information systems and telecommunications networks and services
> sold and operated within their jurisdictions.

Some years back, a group attempted to assess the resilience of networks and
utilities in the US. Apparently, the US has laws which prevent the utilities from
cooperating with such an assessment ...

====================== (quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca slade@victoria.tc.ca rslade@computercrime.org
That ball of shiny blue/Houses everybody anybody ever knew
- `ISS (Is Somebody Singing)' http://is.gd/3cO943
victoria.tc.ca/techrev/rms.htm http://twitter.com/rslade
http://blogs.securiteam.com/index.php/archives/author/p1/
https://is.gd/RotlWB

............

Other posts: https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468