On 10 December 2018, the European Parliament, the Council of the European Union, and the European Commission reached agreement on the cybersecurity proposal put forward by the Commission.

The aim of the Commission’s proposal is to build strong cybersecurity standards in the EU, allowing the EU to become a global leader in cybersecurity. The proposal will benefit member states, businesses, and consumers by expanding the mandate of the European Union Agency for Network and Information Security (ENISA) to deal with cyberattacks across the EU and establishing an EU-wide certification process for businesses.

Commissioner Mariya Gabriel, who is in charge of Digital Economy and Society, has explained the motivation behind the proposal by stating: “Enhancing Europe’s cybersecurity, and increasing the trust of citizens and businesses in the digital society is a top priority for the European Union.”

The proposal

The main proposed changes include:

  • ENISA, the EU cybersecurity agency, should be given a permanent mandate. It currently operates on a limited mandate up until 2020. ENISA has now been provided with increased resources to fulfil its objectives.
  • ENISA should operate as an independent centre of expertise. This means supporting member states in policy development and implementation, as well as promoting awareness of cybersecurity issues among businesses and consumers.
  • ENISA should play a greater role in cooperation and coordination within the EU. It should support member states in preventing and responding to cybersecurity threats and attacks.
  • An EU-wide framework for European cybersecurity certificates seeks to ensure that cybersecurity standards are consistently met across the EU.

The European cybersecurity certification framework is particularly impactful for businesses. An EU-wide framework will remove the need to obtain compliance certificates in multiple countries, thereby saving businesses time and money. In some instances, businesses will be able to certify products themselves. An EU-wide framework also removes a significant barrier to entering markets in different member states.

In turn, consumers will be better informed and their data better protected by the level of compliance of technologies across the EU.

Next steps

The agreement is currently an informal one. The proposal still needs to be formally adopted by both the European Parliament and the Council. Once the proposal is adopted, it will be published in the Official Journal and will enter into force.