With Europe facing daily cyber attacks carried out by sophisticated state and criminal groups, the European Commission has proposed a new cybersecurity package to strengthen the EU’s cybersecurity resilience.
The package includes a proposal for a revised Cybersecurity Act, which enhances the security of the EU’s Information and Communication Technologies (ICT) supply chains. It ensures that products reaching EU citizens are cyber-secure by design through a simpler certification process. It also facilitates compliance with existing EU cybersecurity rules and reinforces the EU Agency for Cybersecurity (ENISA) in supporting Member States and the EU in managing cybersecurity threats.
The new Cybersecurity Act aims to reduce risks in the EU’s ICT supply chain from third-country suppliers with cybersecurity concerns. It sets out a trusted ICT supply chain security framework based on a harmonised, proportionate and risk-based approach. This will enable the EU and Member States to jointly identify and mitigate risks across the EU’s 18 critical sectors.
The Cybersecurity Act will enable the mandatory derisking of European mobile telecommunications networks from high-risk third-country suppliers, building on the work already carried out under the 5G security toolbox.
The revised Cybersecurity Act will ensure that products and services reaching EU consumers are tested for security in a more efficient way. This will be done through a renewed European Cybersecurity Certification Framework (ECCF). This will allow certification schemes to be developed within 12 months by default.
Certification schemes, managed by ENISA, will allow businesses to demonstrate compliance with EU legislation, reducing the burden and costs. Beyond ICT products, services, processes and managed security services, companies and organisations will be able to certify their cyber posture to meet market needs.
The package introduces measures to simplify compliance with EU cybersecurity rules and risk-management requirements for companies operating in the EU, complementing the single-entry point for incident reporting proposed in the Digital Omnibus. Targeted amendments to the NIS2 Directive aim to increase legal clarity. They will ease compliance for 28,700 companies, including 6,200 micro and small-sized enterprises. They will also introduce a new category of small mid-cap enterprises to lower compliance costs for 22,500 companies.
The ENISA agency will issue early alerts of cyber threats and incidents. In cooperation with Europol and Computer Security Incident Response Teams, it will support companies in responding to and recovering from ransomware attacks. ENISA will also operate a single-entry point for incident reporting.
The Cybersecurity Act will be applicable immediately after approval by the European Parliament and the Council of the EU.
