Cybersecurity Act : What’s going to change?


After being approved by the European Parliament on March 12, 2019, the Cybersecurity Act was finally adopted after its publication in the Official Journal of the European Union on June 7, 2019. The Cybersecurity Act strengthens the European Union Agency for Cybersecurity (ENISA) and establishes a European framework for the certification of cybersecurity products and services.

A permanent mandate and more resources for ENISA

With the Cybersecurity Act, ENISA, the European Union Agency for Cybersecurity, created in 2004, receives a permanent mandate. Its previous mandate was limited in time and would have expired in 2020. Additional resources will also be allocated to the agency to carry out all its tasks in order to achieve a high common level of cybersecurity in the EU. ENISA will therefore be the “reference point for cybersecurity advice and expertise for EU institutions, organizations and agencies as well as for other relevant EU stakeholders.” [01]

In its press release on the final adoption of the Cybersecurity Act [02], ANSSI is pleased by this progress for European strategic autonomy and highlights the areas in which ENISA’s missions are reinforced: development and support for the implementation of European policies, expertise, support for state capacity building, support for operational cooperation between member states and awareness raising.

This evolution of ENISA shows a real awareness among European authorities of the importance of cybersecurity issues, whose financial impact keeps growing: between 2017 and 2018, according to a study conducted by Accenture Security and the Ponemon Institute [03], the average cost of a cyber-attack increased by 18% in Germany and 23% in France, reaching 11.6 million and 8.6 million euros respectively.

Through the Cybersecurity Act, ENISA, whose purpose is to provide its expertise and facilitate the cooperation between Member States, is therefore positioning itself as a promoter of inter-European cooperation in the field of cybersecurity.

A European framework for the certification of cybersecurity products and services

The other major aspect of the Cybersecurity Act is the standardization of the certification processes for cybersecurity products and services and their recognition in all EU countries. Until now, each country, through its national cybersecurity authority (ANSSI in France or BSI in Germany), has issued certifications, a number of which (including the CSPN certifications issued by ANSSI) were only recognized in the country where the product or service was certified; until now, only Common Criteria certifications were recognized internationally, and only by the countries that signed the CCRA (Common Criteria Recognition Arrangement). In the future, an ANSSI or BSI certification obtained through the process set up by the Cybersecurity Act will allow the certified products or services to be recognized as certified in all EU countries.

This framework is therefore beneficial for users of cybersecurity solutions (companies or public organizations), since it will lead to a wider choice of certified products and therefore to more confidence. For cybersecurity vendors, a product certified in their own country in accordance with the terms of the Cybersecurity Act will also be recognized as certified in all EU countries, so it will no longer have to be certified separately in each country where the vendor deems certification necessary.

For Systancia, this is a very concrete achievement because IPdiva Secure, now Systancia Gate, received the ANSSI CSPN certification and was then qualified by ANSSI [04], becoming the only solution recommended by the French National Cybersecurity Agency for identification, authentication and access control to the information system. This certification has a strong impact on the national market, since the solution is trusted and recommended by the French government. Abroad, however, a national certification has little impact: clients prefer products certified by the organizations of their own countries.

The Cybersecurity Act will therefore change this situation entirely, since a product certified in one country under the terms of the Cybersecurity Act will be recognized both in the country in which the certification was issued and in the other EU countries. For this reason, a European framework harmonizing certification requirements is necessary, to prevent a European or non-European actor from seeking certification in a country where the rules are less rigorous and thereby gaining access to the whole EU market. As a result, the Commission has agreed on a standardized approach to certification across the different national supervisory authorities. A system of peer review between European national certification authorities has therefore been introduced, covering among other things the procedures for issuing cybersecurity certificates.


References

[01] Official text of the Cybersecurity Act

https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32019R0881&from=EN

[02] Final adoption of the Cybersecurity Act: a success for European strategic autonomy

https://www.ssi.gouv.fr/uploads/2019/06/anssi-communique_presse-cybersecurity_act.pdf

[03] The cost of cybercrime

https://www.accenture.com/_acnmedia/accenture/redesign-assets/dotcom/documents/local/1/accenture-2019-cost-cybercrime-study.pdf

[04] Feedback on ANSSI’s qualification of the solution IPdiva Secure 8