Since the adoption of the Cybersecurity Act in 2019, the geopolitical landscape has changed, with a significant worsening of the cyber threat landscape, affecting critical sectors in the European Union. Technological advancements have given rise to ever more sophisticated cyber threats, with players including state actors developing capabilities to disrupt critical economic sectors and societal functions in Europe.
To address these new concerns, the Commission has proposed to revise the Cybersecurity Act to make the EU’s cybersecurity framework and capabilities more agile and efficient, reinforcing Europe’s overall preparedness.
The new Cybersecurity Act will strengthen the cybersecurity framework with four key elements:
- Develop a framework for addressing the ICT supply chain security challenges in critical infrastructure.
- Simplify and enhance the European cybersecurity certification framework.
- Introduce simplification measures to reduce unnecessary administrative burden related to the implementation of the NIS2 Directive.
- Strengthen the European Union Agency for Cybersecurity (ENISA) to make it fit for purpose.
A shared European approach to cybersecurity is essential for protecting Europe’s overall security. The proposal will enhance the cybersecurity resilience of Europe’s critical infrastructures by setting up a horizontal framework for trusted ICT supply chain security. This will allow the EU and Member States to act together to address strategic risks of undue foreign interference and critical dependencies in critical ICT supply chains with targeted and proportionate measures. It will also ensure that operators of electronic communications networks do not rely on high-risk suppliers for their critical assets.
The revised Cybersecurity Act will reinforce the cybersecurity posture of the EU, benefiting the wider economy, citizens, businesses and public authorities. It will provide streamlined ways for businesses to demonstrate their compliance with Union cybersecurity rules, reducing their administrative costs. The Act will also help businesses recruit and train cybersecurity professionals.
The proposal for the revised Cybersecurity Act is complementary to the upcoming Cloud and AI Development Act (CADA) and the Digital Omnibus. The CADA will ensure that highly critical use cases in the public sector are powered by secure EU-based cloud and AI computing services. The Digital Omnibus aims to simplify the implementation of EU cybersecurity rules.
The Cybersecurity Act aims to reduce risks in the EU’s ICT supply chain arising from third-country suppliers that raise cybersecurity concerns. It sets up a trusted ICT supply chain security framework using a harmonised, proportionate and risk-based approach.
Recent cybersecurity incidents have highlighted the major risks posed by vulnerabilities in the ICT supply chains on which critical services and infrastructure depend. In today’s geopolitical landscape, supply chain security is no longer only a question of the technical security of products and services. It is also a question of the risks related to a supplier, particularly dependencies and foreign interference.
The proposal reinforces ENISA’s role in operational cooperation, shared situational awareness of cyber threats and incidents, standards and certification, as well as support with ransomware attack mitigation measures and the implementation of the Cybersecurity Skills Academy.
The proposal aims to ensure that ENISA has the resources to carry out its tasks by increasing its budget by more than 75%.
Member States would contribute to this increase by designating two liaison officers per Member State, facilitating operational cooperation and the exchange of information between Member States.
Standards and technical specifications play an essential role in facilitating implementation efforts for businesses and public authorities and guarantee uniform application of cybersecurity rules across the internal market, in particular those stemming from the Cyber Resilience Act.
At the international level, they shape state-of-the-art cybersecurity practices and the way technologies are designed and maintained. In line with the European Standardisation Regulation, ENISA’s role will be strengthened so that it is more effectively involved in the making of cybersecurity standards at European and international level, in accordance with EU values. It will ensure that standardisation deliverables meet legal needs in the area of cybersecurity, for instance by supporting the Commission in assessing harmonised standards. Where no standards are available to meet legislative needs, ENISA will develop technical specifications, in particular for European cybersecurity certification schemes.
The new European cybersecurity certification framework (ECCF) will introduce three main changes:
- The scope of the framework is clarified and extended to ensure legal certainty and meet market needs. Certification is a means of technical cybersecurity assurance that will be complemented by the ICT supply chain security mechanism. Entities will be able to certify their cyber posture, alongside ICT products, services, processes and managed security services. This means that entities will be able to use such certificates to demonstrate compliance and obtain a presumption of conformity with NIS2 and other Union legislation.
- Clear deadlines and deliverables, as well as a more efficient and effective governance framework to develop and maintain schemes. ENISA, as scheme manager, will be responsible for the maintenance of the schemes. The Act defines legal timelines for the development of schemes: following a Commission request, ENISA shall, as a rule, develop a candidate scheme within one year.
- Schemes should serve as compliance tools for businesses. Any scheme must be aligned with existing cybersecurity legislation. Consistency and greater harmonisation across schemes will mean less compliance burden for businesses.
In 2024, the EU adopted the EUCC (European cybersecurity certification scheme based on Common Criteria) as its first scheme. Currently, two schemes are under development, for certifying Digital Identity Wallets (EUID) and managed security services (EUMSS) respectively, and could be adopted soon.
Furthermore, work on the schemes for cloud services (EUCS) and 5G (EU5G) is expected to resume. Regarding 5G, the new Cybersecurity Act provides for a phase-out of high-risk suppliers from mobile networks, meaning that conformity assessment bodies cannot certify products or services from those suppliers. On cloud, the new Cybersecurity Act, complemented by the upcoming CADA, will fill gaps related to sovereignty aspects and non-technical risks. Anchored in this legislative context, the EUCS will resume and is set up for a successful conclusion.
Finally, following the entry into force of the new Cybersecurity Act, the Commission intends to issue a request for a certification scheme for the cyber posture of entities.
The new Cybersecurity Act package also introduces clarification and simplification measures to facilitate compliance with existing cybersecurity rules and risk-management requirements for companies operating in the EU.
This complements the single-entry point for incident reporting proposed in the Digital Omnibus.
The package also proposes targeted amendments to the NIS2 Directive:
- To clarify certain aspects regarding the scope and definitions, increasing legal clarity and removing compliance burden for 28,700 companies, including 6,200 micro and small-sized enterprises;
- To introduce a new category of small mid-cap enterprises that will reduce the compliance costs for 22,500 companies;
- To add measures simplifying jurisdictional rules, streamlining the collection of data on ransomware attacks and facilitating the supervision of cross-border entities with ENISA’s reinforced coordinating role.
The targeted amendments to the NIS2 Directive are informed by experience gained during the transposition and the implementation of the Directive, as well as by emerging security threats and new EU policy developments.
For instance, the amendments aim to ensure proportionality in the implementation of the NIS2 Directive in sectors such as electricity or chemicals, where more precise legal drafting is necessary to appropriately define the scope of the Directive. At the same time, they ensure that submarine data cable infrastructure, as an increasingly critical type of infrastructure, is more comprehensively covered by the scope of the Directive. Furthermore, the amendments to the Directive ensure coherence with the recent legislative proposal for a regulation on establishing a framework of measures to facilitate the transport of military equipment, goods and personnel across the Union.
The EU Agency for Cybersecurity (ENISA) is well placed to maintain an overview of cross-border cybersecurity risks under the NIS2 Directive. By defining its role in mutual assistance under the NIS2 Directive, the proposal leverages ENISA’s capacities to better support Member States’ competent authorities in applying the NIS2 Directive rules.