Scaling up the EU’s response to cyber-attacks

The Cybersecurity Act sets out objectives, tasks and organisational matters for the EU Agency for cybersecurity (ENISA) and establishes a cybersecurity certification framework for ICT products, services and processes.

On 7 June 2019, the EU Cybersecurity Act was published in the Official Journal of the EU and entered into force on 28 June 2019 (although some provisions have only applied since 28 June 2021).

The Act strengthens the EU Agency for Cybersecurity (ENISA) by granting it a permanent mandate and more resources to face the increasing cybersecurity risks and challenges in the EU. It also establishes a new EU-wide cybersecurity certification framework for ICT products, services, and processes, replacing national-level certification schemes. The aim of the certification is to ensure that users receive sufficient information about the relevant cybersecurity features.

On 18 April 2023, the Commission proposed an amendment to the EU Cybersecurity Act. The proposed amendment aims to enable the adoption of European cybersecurity certification schemes for "managed security services" (including incident response, penetration testing, security audits and consultancy), in addition to the certification currently foreseen by the Cybersecurity Act for ICT products, services, and processes.

“The Cybersecurity Act is designed to boost security and resilience in an increasingly digitised and connected EU.”

What are the main elements of the CSA?

The Cybersecurity Act includes rules to:

  • enhance the role of ENISA by providing for a permanent mandate, more resources, and new tasks;
  • lay down the organisational structure and governance of ENISA;
  • increase operational cooperation on cybersecurity at the EU level, for example, by giving ENISA a coordinating role in handling large-scale, cross-border cyberattacks; and
  • establish an EU-wide cybersecurity certification framework for ICT products, services, and processes that will in principle be voluntary and allow businesses to benefit from EU-wide recognition of certificates.

Actions to consider

Manufacturers and providers of ICT products, services, and processes should evaluate the potential benefits which might come from certification.