Recent developments on the European Union's legislative scene have led to an agreement to start the process of formally approving the EU Cybersecurity Act (the "Act") as early as March 2019. In an age of technological reliance, cybersecurity is high on the political agenda, and because the Act takes the form of a regulation rather than a directive it will apply directly in every Member State without the need for national implementing legislation.
The EU's rationale is that cybersecurity is insufficiently built into products, services and processes at the point where they are designed and manufactured. The two main features of the Act are the creation of a new EU cybersecurity certification framework and the grant of a permanent mandate, with additional resources, to the European Union Agency for Network and Information Security ("ENISA"), which the Act renames the European Union Agency for Cybersecurity while keeping the ENISA acronym.
The first main change, a standardised cybersecurity certification framework, will provide EU-wide certification schemes attesting to the level of assurance that an information and communications technology (ICT) product, service or process offers against cyberattacks. Each scheme will certify at one or more of three assurance levels: basic, substantial or high. A certificate issued under an EU scheme will be recognised in all Member States, replacing the patchwork of national schemes that currently forces vendors to certify the same product several times. Two caveats matter for anyone planning around the framework: certification under the Act is voluntary unless other EU or national law makes it mandatory, and the individual schemes still have to be drawn up by ENISA and adopted by the European Commission before any product can be certified.
The second change, awarding ENISA a permanent mandate and additional resources, is intended to increase the cybersecurity capabilities of the EU as a whole. ENISA endeavours to promote awareness of cybersecurity among both businesses and individuals, supports Member States and EU institutions with policy and operational co-operation, and under the Act takes on the task of preparing the candidate certification schemes that the Commission adopts.
Vice President of the European Commission and head of the Digital Single Market, Andrus Ansip believes the only way for people to take advantage of the EU’s digital economy is if they feel secure, and the new cybersecurity rating system will look to achieve this. The rationale is that the safer businesses and individuals feel, the more likely they are to utilise the digital economy.
The General Data Protection Regulation ("GDPR") wrote "data protection by design and by default" into EU law (Article 25), obliging controllers to build privacy safeguards into systems from the outset rather than bolting them on afterwards. The Act's certification framework extends the same idea to security: the assurance levels are meant to reward products and services whose security is designed in from the start.
The Act will also reinforce the first EU-wide piece of cybersecurity legislation, the Directive on security of network and information systems (the "NIS Directive", Directive (EU) 2016/1148). The NIS Directive aimed to increase preparedness against cyber incidents by requiring each Member State to designate Computer Security Incident Response Teams ("CSIRTs"), by linking them in an EU-wide CSIRTs network, and by placing security and incident-notification obligations on operators of essential services and digital service providers. ENISA provides the secretariat for the CSIRTs network, and its strengthened mandate under the Act is intended to make that co-operation more effective.
The Act (by increasing cybersecurity), GDPR (by focusing on managing risk) and NIS Directive (by increasing preparedness and co-operation) will all work together to build a culture of cybersecurity.
On a commercial level, the intended winner is the consumer. The certification framework gives manufacturers an additional element to consider when bringing new products, services and processes to market, and gives buyers a common vocabulary for comparing them.
Because certification is voluntary, the pressure to achieve a substantial or high certification is likely to come from customers, procurement requirements and competitors rather than from the Act itself. Where that pressure materialises, more funds are likely to be spent on security, creating competition on security as a feature and resulting in better protection for the end user. That in turn should allow businesses and individuals to use digital products with more confidence, supporting the growth of the digital economy.