The European Commission set to take the next step towards cyber regulation
By Sarah Pearce and Ashley Webber
The Cybersecurity Act (the “Act”) will come into effect in Europe on 27 June 2019. The threat of cybercrime and the risks relating to cybersecurity are undoubtedly on the rise. One of the key drivers behind the Act was said to be to help individuals build trust in the devices they use every day, with the idea being that cybersecurity becomes simply another factor consumers take into account when choosing their device - alongside the usual considerations such as price, durability and appearance. This mirrors one of the key drivers behind the GDPR: individuals being given more control over how their personal data is processed.
So what does the Act actually do? There are two key limbs:
The objectives, tasks and organisation of the European Union Agency for Cybersecurity (“ENISA”); and
The cybersecurity certification framework (the “Framework”).
With regard to ENISA, the Act lays out a number of objectives the agency must seek to achieve and the tasks it must carry out in order to do so. For example, ENISA is intended to be a centre of expertise on cybersecurity and is expected to promote a high level of cybersecurity awareness. ENISA is clearly seen as pivotal in the task of reducing cybercrime and developing and increasing cyberdefence in Europe.
The tasks imposed to achieve the objectives are lengthy and dominate a large proportion of the legislative text. ENISA must, for example, perform analyses of emerging technologies and cyber threats/incidents, not only to identify emerging trends and help prevent incidents from occurring but also to raise public awareness of cybersecurity risks. The obligations imposed on ENISA are broad and appear to attempt to tackle cybercrime from several angles: legislation, detection and prevention, analysis, and engagement with the public. The Act should be praised for its noble intention to cover such a broad remit.
The second limb, the Framework, is to be established “in order to improve conditions for the functioning of the internal market by increasing the level of cybersecurity within the Union...with a view to creating a digital single market for ICT products, ICT services and ICT processes”. It provides a mechanism for the establishment of cybersecurity certification schemes (the “Schemes”) that evaluate certain ICT products, services and/or processes to attest their compliance with specified security requirements.
The Act also sets out the minimum security objectives the Schemes are designed to achieve when certifying such products, services and/or processes. Certain Schemes may opt to include assurance levels commensurate with the level of risk associated with the products, services and/or processes. This will likely be useful for individuals as it is easy to understand and compare.
It is important to note that cyber certification under the Act is voluntary (unless Member State law requires otherwise). Therefore, only time will tell how organisations react and whether we will see any trends forming. We may, for example, see the big industry players all seeking certification in a bid to better each other as competitors, or we may see no big players making the move meaning the certifications don’t gain the traction with individuals that the legislation intends.
In stark contrast to the GDPR, which is heavily led by individuals and includes rights that individuals can exercise directly under the GDPR, the Act is significantly less accessible to individuals and in fact only provides the right to lodge a complaint “with the issuer of a European cybersecurity certificate”. It appears rather limited in its direct applicability to individuals despite its objectives.
So how will it achieve its goal? Whilst the benefits to individuals are not immediately clear, the Act does seem to have been prepared to lay the foundations for the task ahead. Unlike the GDPR, which required immediate action by organisations processing personal data on its effective date, the Act focuses on the growth of ENISA, which will then in turn look to establish the Framework and Schemes. If this is successful, the foundations will be strong and the ultimate goal can be pursued. Of course, only time will tell whether ENISA, the Framework and the Schemes are good enough to achieve the end goal, but the Cybersecurity Act has been useful in setting the benchmark for what needs to happen in the future.