EU compliance scheme simplifies cybersecurity for small businesses

Single security certificate will be recognized across Europe

The EU’s Cybersecurity Act has come into force, introducing a new framework for certification and strengthening the role of ENISA.

The Cybersecurity Act establishes a framework under which manufacturers and service providers can certify the security of their products, processes, and operations through standards that are recognized across the EU.

A number of schemes will specify the type of products, services, and processes covered, their purpose, the security standards that need to be met, and the methods used for evaluation.

Where products are deemed to be low risk, organizations will be able to self-certify.

A new European Cybersecurity Certification Group, consisting of representatives from member states, will be established, along with a Stakeholder Cybersecurity Certification Group that will advise ENISA and the European Commission.

“Europe’s digital single market can only be a reality if it includes robust cybersecurity commitments,” says vice president for the digital single market, Andrus Ansip.

“This commission has pushed forward in making sure Europe has the necessary capabilities, including by proposing a European certification framework and having financing for cybersecurity research and development under the next long-term EU budget.”

Ansip added: “Work on 5G security is a particular priority, as it has the potential to impact every aspect of our future.”

ENISA’s headquarters in Heraklion, Greece

Single cert for EU-wide recognition

National bodies will be responsible for implementation in their country, with the new certification scheme replacing any program already in place.

The European Commission says the new framework will be particularly helpful for small and medium sized enterprises (SMEs), as they will only need to certify their products once in order to see them approved across the EU.

“Take the example of an SME that develops and sells ICT applications to larger companies that require certain assurances that the applications are appropriately secure, and that they have been developed following best practices when it comes to secure coding,” it says.

“Using a European cybersecurity certificate, that SME can demonstrate both the security of its products as well as its secure development practices, hence meeting the requirements of its clients not only in one member state, as is often the case today, but also across the entire EU.”

ENISA is also charged with increasing international cooperation, along with coordinating responses to large-scale, cross-border cyber-attacks and crises.

It will also help member states deal with cyber-attacks, create incident reports for further analysis, and suggest new protections for the future.

To make this possible, staff will be increased by 50% and ENISA’s budget will be doubled to €23 million ($26 million) over the next five years.

Next steps include a proposal for a Digital Europe Programme and European Cybersecurity Competence Centre, along with a network of National Coordination Centres and a Cybersecurity Competence Community to improve international cooperation.

The UK's National Cyber Security Centre (NCSC), which has been helping businesses to up their cyber fitness, welcomed the new EU legislation.

A government spokesperson told The Daily Swig: “We are supportive of the work of ENISA and the intent of the new cybersecurity certification framework to further strengthen cyber security resilience in the European Union.

“We will look to continue to work closely with the EU on the development of Cyber Security Certification Schemes under the new framework.”

RELATED ENISA granted fresh powers following WannaCry ‘wake-up call’