EU negotiators agree on strengthening Europe's cybersecurity

On 10 December 2018, the European Parliament, the Council and the European Commission approved the Cybersecurity Act which reinforces the mandate of the EU Agency for Cybersecurity, (European Union Agency for Network and Information and Security, ENISA) to better support Member States in tackling cybersecurity threats and attacks.

The Act also sets up an EU framework for cybersecurity certification, boosting the cybersecurity of online services and consumer devices.

Commissioner Mariya Gabriel, in charge of Digital Economy and Society: “Enhancing Europe's cybersecurity, and increasing the trust of citizens and businesses in the digital society is a top priority for the European Union. Major incidents such as Wannacry and NotPetya have acted as wake-up calls, because they dearly showed the potential consequences of large-scale cyber-attacks. In this perspective, I strongly believe that tonight's deal both improves our Union's overall security and supports business competitiveness”.


From an ENISA perspective, the Cybersecurity Act includes:

Mandate: permanent mandate with more resources has been given to ENISA to enable it to fulfil its goals.

Certification framework: a stronger basis for ENISA in the new cybersecurity certification framework, aiding Member States in effectively responding to cyber-attacks with a greater role in co-operation and coordination at EU level.

Cybersecurity capabilities: help increase cybersecurity capabilities at EU level and support capacity-building and preparedness.

Centre of expertise: ENISA will be an independent centre of expertise help promote high level of awareness of citizens and businesses but also assist EU Institutions and Member States in policy development and implementation.

The Cybersecurity Act also creates a framework for European Cybersecurity Certificates for products, processes and services that will be valid throughout the EU. This is a ground-breaking development as it is the first internal market law that takes up the challenge of enhancing the security of connected products, Internet of Things devices as well as critical infrastructure through such certificates.

Security by design: the creation of such a framework incorporates security features in the early stages of their technical design and development (security by design).

Security assurance: the framework also enables users to check the level of security assurance, and ensures that these security features are independently verified.

Benefits for citizens and businesses: People will be able to choose between products that are cyber-secure, increasing citizen-consumer trust. As a one-stop shop, the certification framework will ensure significant cost savings for businesses while a single certification will remove potential market-entry barriers. It is also an incentive for companies to invest in cyber security and turn it into a competitive edge.