A political agreement was reached between the European Parliament, the Council of the European Union (EU) and the European Commission on the EU Cybersecurity Act (Act) and announced on December 10, 2018. The pace of the adoption of the Act (with less than three months of discussions among the EU institutions) confirms that cybersecurity is high on the EU political agenda.

Background: What is the Purpose of the EU Cybersecurity Act?

The EU institutions considered that security and resilience are not sufficiently built into products, services or processes and want to advance the cybersecurity of online services and consumer devices within the EU. Proposed in 2017 as part of a wide-ranging set of measures to deal with cyberattacks and to promote enhanced cybersecurity in the European Union (along with the Network and Information Security "NIS" Directive and a reinforced focus on security measures in the General Data Protection Regulation), the Act should, according to the EU institutions, play an important role in addressing such concerns. It will lead to setting EU cybersecurity certification schemes for ICT products (i.e., hardware and software elements of network and information systems); services (i.e., services involved in transmitting, storing, retrieving or processing information via network and information systems); and processes (i.e., sets of activities performed to design, develop, deliver and maintain ICT products or services). The European Union Agency for Network and Information Security (ENISA or the Agency) will be tasked to prepare candidate schemes (for specific groups of ICT products, processes and services) for adoption by the European Commission.

Each of the schemes would have its own scope and may include specific conditions for recognition with third countries. A certification scheme may specify one of three assurance levels, basic, substantial or high, on aspects such as, among others, resilience to accidental or malicious data loss or alteration. The assurance level will be an indication of the requirements and evaluations to which the products, services or processes are subject. The schemes will be based on a comprehensive set of rules, technical requirements, standards and procedures and cover the full life cycle of products, services or processes.

The certificates issued under the schemes would be valid in all EU Member States. Depending on the assurance level (and risks involved), the certification may entail self-assessment by the manufacturer or provider of ICT products and services themselves or involve either a national cybersecurity certification authority or a conformity assessment body. The absence of fragmentation in the standards should, according to the EU institutions, increase users' confidence in the security of these technologies. 

The Act also provides the ENISA with a permanent mandate and new tasks to support member states, EU institutions and other stakeholders on cyber issues. The Agency will have more resources to assist member states in responding to cyberattacks and play a greater role in cooperation and coordination at the EU level.

What's Next?

The adoption of the Act was one of the goals of the Austrian presidency, which managed to (almost) get it through to completion before its end-of-year term. The Act now needs to be formally approved by the European Parliament (a first reading vote in the EU Parliament is scheduled for March 2019) and the Council of the EU. It will then be published in the Official Journal of the European Union and will officially enter into force. The Act is an EU regulation, a legal instrument directly applicable in all EU Member States.


© Copyright 2018. The Mayer Brown Practices. All rights reserved.