The revision of the Cybersecurity Act will revise the mandate of ENISA and include cybersecurity certification schemes.
ADVERTISEMENT
The European Commission on Friday started gathering input to help revise the bloc’s cyber rules, which date back to 2019, in line with efforts to simplify existing rules.
The review of the Cybersecurity Act (CSA) will focus on the mandate of the EU’s cyber agency ENISA, as well as the European Cybersecurity Certification Framework, and addressing ICT supply chain security challenges, the Commission’s statement said.
Euronews reported last year that the Commission already began seeking feedback from industry and national governments on the functioning and scope of work of ENISA, in a bid to potentially modify the agency’s mandate and financial support.
The CSA gave ENISA – which has some 100 staff members – a mandate to oversee the implementation of EU-wide cybersecurity rules. But one of its tasks, drafting a voluntary cybersecurity certification for cloud services (EUCS), has not advanced significantly since 2019.
The EUCS is intended to be used by companies to demonstrate that certified ICT solutions have the right level of cybersecurity protection for the EU market, but it turned into a political battle over sovereignty requirements. There have been calls to make the system mandatory under the new CSA.
Henna Virkkunen, the EU Commissioner for technology, said that she will carry out a so-called Digital Fitness Check this year which will assess whether all existing tech rules are burdensome to companies, and identify areas for simplification.
The consultation comes weeks after Virkkunen said that she wants member states to adopt 5G security rules to protect networks from cyber threats and risks. In 2020, member states agreed to apply restrictions for suppliers considered to be high risk – such as China’s Huawei and ZTE – including necessary exclusions, following security concerns, but only a limited number of countries have taken concrete steps to ban the companies.
Interested parties, including member state competent authorities, cybersecurity authorities, industry and trade associations can give feedback to the consultation until 20 June.
