EU – New powers for European Cyberagency

On 10 December 2018, the European lawmakers reached a political agreement on the European Cybersecurity Act. The intention of this new EU Regulation is to better protect the European Union against cyber-attacks, including a strengthening of the powers of the European Agency for Network and Information Security (“ENISA”).

The Regulation still needs to be formally approved by the European Parliament and the Council of the EU, likely in March 2019 or soon thereafter. The Regulation will then be published in the EU Official Journal and will simultaneously enter into force.

This Regulation stems from a proposal of 13 September 2017 of the European Commission. The proposal was published on the same day as Jean-Claude Juncker’s State of the Union of 2017, in which he stated that “cyber-attacks can be more dangerous to the stability of a country than guns and tanks.”

Updated ENISA mandate

The Cybersecurity Act will strengthen ENISA (renamed the “EU Agency for Cybersecurity”) by giving it a permanent mandate, as opposed to the current limited one (set to expire in 2020). The EU Agency for Cybersecurity would receive a renewed set of tasks and functions, as well as additional means, to allow it to support Member States, EU institutions and other stakeholders effectively and efficiently in their efforts to achieve a secure cyberspace.

In addition, the Cybersecurity Act will establish an EU cybersecurity certification framework for ICT products and services, as well as accompanying rules to allow certificates meeting certain requirements to be recognised throughout the EU. As security certification appears to be increasingly a requirement in procurement scenarios, it is likely that such a framework will help further increase trust in the certificates issued.

Recent work by ENISA

ENISA has issued many recommendations and tools over the years, notably its data breach severity assessment methodology (2013) and its recommendations on privacy by design in big data (2015).

Among its most recent work, ENISA released in November 2018 guidance on how to identity and assess cybersecurity (inter)dependencies between operators of essential services (OES) and digital service providers (DSPs). This set of best practices is important to sectors related to critical infrastructure, as studies have shown these (inter)dependencies leave these sectors vulnerable to cyber security incidents, often with cascading effect in the broader.

In this guidance, ENISA made a range of recommendations with a view to mitigating some of these risks and creating a culture of security across vital sectors of the economy. For instance, OES and DSPs were advised to (i) conduct empirical investigations to collect data, (ii) promote training & awareness regarding (inter)dependencies and (iii) address (inter)dependencies at operational level, while they were advised together with national competent authorities (NCAs) to (i) develop and integrate methodologies and tools to support (inter)dependency assessment and (ii) invest in reliance by developing response management capabilities and establishing common response and crisis management plans.

At the same time, ENISA released an interactive NIS Directive tool allowing organisations and individuals to see the relevant Member State NIS implementation laws and to find the national competent authority in a given sector (banking, health, transport, …). While it was designed with the easy notification of cyber security breaches in mind, it is important not to forget that other authorities may be competent for personal data breaches under the General Data Protection Regulation (GDPR) and a separate notification might be necessary.

Finally, as the agreement on the Cybersecurity Act was reached, ENISA released other publications, such as a report on the economics of vulnerability disclosure (recommending that most organisations consider implementing a coordinated vulnerability disclosure process) and guidelines for assessing security measures in the context of net neutrality (with evaluation factors for national telecom regulatory authorities to take into account).

ENISA has until now remained known mainly to information security practitioners and researchers, despite the importance of its work. It is likely to gain exposure to a wider audience as a result of the strengthened mandate, and organisations are invited to stay informed of its publications and initiatives.

 

For further information, please contact Patrick Van Eecke (Partner, Brussels) and Peter Craddock (Senior Associate, Brussels)