In previous weeks, we provided a thorough overview of the EU NIS Directive, focusing on the Operators of Essential Systems (OES), the Digital Service Providers (DSP) and the compliance frameworks. Our review of EU cybersecurity policy and strategy would be incomplete without the EU Cybersecurity Act. On 27 June, the European Cybersecurity Act entered into force, setting the new mandate of ENISA, the EU Agency for Cybersecurity, and establishing the European cybersecurity certification framework.
The Cybersecurity Act at a Glance
The EU Cybersecurity Act (“Act”) gives the European Network and Information Systems Agency (ENISA) a permanent mandate, renames it the EU Agency for Cybersecurity, and grants it substantially more authority and resources.
Many of the Act’s provisions further support or advance provisions of the NIS Directive. Most importantly, however, the Act:
- Establishes an EU cybersecurity certification framework for information and communication technology (ICT) products, services, and processes.
- Requires Member States to designate one or more national cybersecurity certification authorities.
- Establishes assessment bodies to determine conformity with the Act.
- Requires Member States to determine penalties for certification violations and infringement of European cybersecurity certification schemes.