What Is the EU Cybersecurity Act and What Does It Mean for US-Based Businesses?

5 years ago Anastasios Arampatzis
In previous weeks, we provided a thorough overview of the EU NIS Directive, focusing on the Operators of Essential Services (OES), the Digital Service Providers (DSP) and the compliance frameworks. Our review of EU cybersecurity policy and strategy would be incomplete without the EU Cybersecurity Act. On 27 June 2019, the EU Cybersecurity Act entered into force, setting the new mandate of ENISA, the EU Agency for Cybersecurity, and establishing the European cybersecurity certification framework.

The Cybersecurity Act at a Glance

The EU Cybersecurity Act (“Act”) gives ENISA, until then the European Union Agency for Network and Information Security, a permanent mandate, renames it the EU Agency for Cybersecurity, and gives it substantially more authority and resources.

Many of the Act’s provisions further support or advance provisions of the NIS Directive. Most importantly, however, the Act:

  • Establishes an EU cybersecurity certification framework for information and communication technology (ICT) products, services, and processes.
  • Requires Member States to designate one or more national cybersecurity certification authorities to supervise and enforce the framework.
  • Provides for accredited conformity assessment bodies that evaluate ICT products, services, and processes against the requirements of a certification scheme.
  • Requires Member States to determine penalties for certification violations and infringement of European cybersecurity certification schemes.

The Act is intended to advance trust through an EU-wide certification framework consisting of cybersecurity certification schemes that include common cybersecurity requirements and evaluation criteria across national markets and sectors.

The opening recitals of the Act provide a thorough justification of the need for such a certification framework. Security in IoT devices and related ICT products and services is “not sufficiently built-in by design, leading to insufficient cybersecurity.” The Act further notes that “the limited use of certification leads to individual, organizational and business users having insufficient information about the cybersecurity features of ICT products, ICT services, and ICT processes, which undermines trust in digital solutions.”

The ENISA Permanent Mandate

The EU Cybersecurity Act grants a permanent mandate to the agency, allocating more resources and new tasks.

ENISA will have a key role in setting up and maintaining the European cybersecurity certification framework by preparing the technical ground for specific certification schemes and informing the public on the certification schemes as well as the issued certificates through a dedicated website.

ENISA is also mandated to increase operational cooperation at EU level, helping Member States that request it to handle cybersecurity incidents and supporting EU-level coordination in case of large-scale cross-border cyber-attacks and crises.

The EU Cybersecurity Certification Framework

Certification plays a critical role in increasing trust and security in products and services that are crucial for the EU Digital Single Market. At the moment there are a number of different security certification schemes for ICT products in the EU, but without a common framework for EU-wide valid cybersecurity certificates, the risk of fragmentation among national and sectoral certification schemes keeps growing.

Title III of the Act sets out the Cybersecurity Certification Framework with the goal of improving the level of cybersecurity in the EU and establishing a harmonized approach to cybersecurity certification of ICT products, services, and processes. Certification is to be approached through the establishment of an EU rolling work program that identifies strategic priorities for the certification of products, services, and processes.

Certification granted will be based on cybersecurity certification schemes, which are “a comprehensive set of rules, technical requirements, standards and procedures that are established at Union level and that apply to the certification or conformity assessment of specific ICT products, ICT services or ICT processes.”

Under the framework, multiple schemes will be created for different categories of ICT products, processes and services. Each certification scheme will specify:

  • The categories of products, services, or processes to be covered
  • The cybersecurity requirements for each (referencing standards or technical specifications)
  • The type of evaluation required (third-party evaluation by a conformity assessment body, or, for the basic assurance level only, conformity self-assessment by the manufacturer or provider)
  • The intended level of assurance (basic, substantial, or high).

To express the cybersecurity risk addressed, a certificate refers to one of three assurance levels (basic, substantial, high). The level is proportional to the risk associated with the intended use of the product, service or process, in terms of the probability and impact of an incident, and determines the rigour and depth of the evaluation. For example, a certificate at the high assurance level means the evaluation has shown that the product resists state-of-the-art attacks by skilled, well-resourced attackers, including through penetration testing; basic level means only that known basic risks are covered and may rest on the vendor’s own self-assessment.

The resulting certificate will be recognized in all EU Member States, making it easier for businesses to trade across borders and for consumers to understand the security features of the product or service.

The governance of the certification framework will be guided by two expert groups:

  • the European Cybersecurity Certification Group (ECCG) composed of representatives from national cybersecurity certification authorities, and
  • the Stakeholder Cybersecurity Certification Group (SCCG).

The SCCG is composed of selected individuals from all relevant stakeholders. Both groups advise the European Commission on the cybersecurity certification framework, advise ENISA on certification and standardization, and assist the Commission with a rolling work program for certification schemes. After the Act became effective, the European Commission issued a call for applications for the SCCG. Private sector organizations would be well-advised to apply for the SCCG so that they may become more informed and involved to protect their organizations’ interests.

The Commission will also prepare the “Union rolling work program for European Cybersecurity Certification,” which will identify strategic priorities for certification and include a list of ICT products, services and processes or categories that may benefit from being included in the scope of a European Cybersecurity Certification Scheme.

Are US-based Businesses Affected?

Short answer: yes. Any business offering ICT products, services, or processes within the EU, whatever its size, is affected by the Cybersecurity Act and should begin monitoring the ENISA and EU websites for updates on EU cybersecurity certification schemes. For example, ENISA recently published two reports supporting the certification framework. More importantly, the Standards Supporting Certification report focuses on five distinct areas with existing frameworks, schemes or standards that could evolve into EU candidate cybersecurity certification schemes, namely IoT, cloud infrastructure and services, threat intelligence in the financial sector, electronic health records in healthcare, and qualified trust services.

In addition, US-based companies should consider applying for membership in the SCCG and determine whether they want to obtain certification so they can compete on an even footing in EU markets. Under the Act, certification is voluntary unless Union law or Member State law specifies otherwise, so the decision is primarily a commercial one; customers, procurement rules and sector regulation may nevertheless make a certificate a practical requirement. Companies that do certify should analyze the risks of non-compliance with the chosen scheme: the Act lets each Member State determine penalties for infringements of certification schemes, and penalties are required to be “effective, proportionate and dissuasive.”

Marie-José van der Heijden, leader of Deloitte Legal Global Sanctions and Export Controls practice based in The Netherlands, commented that “cross-border offerings are increasingly fraught with compliance issues, and the EU Cybersecurity Act and its certification schemes, particularly as it relates to critical infrastructure companies, will surely impact both EU and U.S. businesses. The learning curve for many companies may be steep.”

Europe aims to be the leading cybersecurity certification and standardization area for ICT products, processes and services. The EU Cybersecurity Act is an opportunity to create a harmonized market for cybersecurity, which promotes closer international cooperation to improve cybersecurity standards, including the need for definitions of common norms of behavior, the adoption of codes of conduct, the use of international standards, and information sharing.

Source: Tripwire – Anastasios Arampatzis. This post appeared first on Tripwire.
