
Boosting cybersecurity in Europe: the new EU Regulation 2019/881

| News | Cybersecurity / Corporate Law and M&A

Vicente Moret, Of counsel of Andersen Tax & Legal. Attorney at Law of the Cortes Generales

Cybersecurity has become a serious problem, perhaps the only one, that overshadows the bright prospects that the digital life in which we are immersed offers for improving societies, the economy and our lives in general. On 27 June, the new EU Cybersecurity Regulation entered into force. It is a fundamental rule that will have important repercussions over the next few years for companies in the ICT sector and for citizens. With its adoption, the EU marks a turning point in the regulatory framework for cybersecurity in Europe. This rule, together with the General Data Protection Regulation and the NIS Directive, forms the fundamental pillars of the legal model of cybersecurity governance that the EU adopts as its own, in contrast to other legal-political models of cyberspace regulation. On the one hand, it reinforces the role that ENISA (European Union Agency for Cybersecurity) is going to play in the coming years as the central body in the European cybersecurity scheme.

On the other hand, a new regulatory framework has been established for a central issue: the creation of a complete certification scheme for ICT products, services and processes. The objective is twofold: to achieve an adequate level of cybersecurity at EU level while at the same time advancing towards the creation of a true digital single market. Cybersecurity certification plays an irreplaceable role in increasing user confidence, especially in areas such as the data economy and the Internet of Things (IoT). Autonomous vehicles, 5G deployment, industrial automation and connected medical devices, among others, are huge advances in improving people's lives and production processes that will only be possible if confidence in networked devices is built.

The relevance of this new rule lies in the fact that it will profoundly affect the national cybersecurity schemes previously implemented in most Member States, since the EU's aim is to harmonise these national regulations on the basis of a uniform general European scheme, thus avoiding the fragmentation of the internal market. As the Regulation itself notes, this fragmentation affects the IoT in particular. It is estimated that in 2020 there will be more than 20 billion devices of all types and functionality connected to the Internet, which represents a huge attack surface. In short, the aim is to create a new common cybersecurity "passport" with enough flexibility to cover, on a common basis, all present and future cybersecurity needs and specifications.

On the other hand, three assurance levels are established, basic, substantial and high, depending on the level of protection that needs to be achieved. The assessment will be carried out by independent third parties, other than the manufacturer, provider or supplier of the product or service, which, depending on the level required according to the risk, may be public or private bodies. Conformity self-assessment of the product, service or process is also foreseen where these present a low level of risk for the public. In principle, the Regulation establishes that submission to the certification process will be voluntary; however, it points out that Member States may make this certification mandatory and specifically mentions public procurement, thus inviting mandatory application of the European certification scheme in Public Administration tenders. In addition, Member States are obliged to designate one or more national certification authorities, which will be responsible for supervising compliance with the obligations arising from the Regulation.

As for the full implementation of this European certification framework, the Regulation itself is aware of the complexity of its application, and for this reason the European Commission will publish before June 2020 an evolving work programme that will set out the strategic priorities in this area. It is clear from the text of the Regulation that the EU will probably start by developing the certification scheme for products and services included in the IoT, and especially those related to the sectors of activity identified as priorities in the NIS Directive: energy, transport, water, health, banking and digital infrastructures. It is also very likely that progress in the deployment of 5G networks, essential for the full functionality of connected devices, will lead the EU to identify small cells as one of the products on which the first certification procedures will focus.

Ultimately, the adoption of this Regulation marks the beginning of a new phase in which the dispersed national cybersecurity accreditation systems now in force are to be harmonised. This is an initial but very relevant stage, because each State will try to bring the future European scheme as close as possible to its own national schemes. It should not be forgotten that the companies that first achieve this European certification will obtain a notable competitive advantage in the current context, in which concern for cybersecurity is constant. It also opens a new way of providing ICT and legal services by making it possible to create public or private assessment bodies that will be able to carry out their functions once they have been accredited by the corresponding national certification authority. Finally, and from a purely legal point of view, European certification can be a powerful legal defence mechanism for companies in the face of possible claims of liability of all kinds arising from serious cyber-incidents.

Read the full article in Expansion
