The Official Journal of the European Union has published the new Regulation 2019/881, which deals with key aspects related to cybersecurity. It enters into force next June 27 and aims to make a substantial leap in protection against cyber vulnerabilities. Here is a breakdown of its most important aspects.
The Digital Transformation that the processes and services of companies are undergoing at an almost vertiginous pace means that the laws and regulations referring to it have to be drafted or modified with a certain frequency to adapt to the current situation.
Cybersecurity has become a key aspect in this regard. More and more cyber-attacks are occurring that can create major problems for companies, public bodies and individuals.
According to a report by F5 Labs, which shows the results of cyberattacks received in Europe from December 2018 to March 2019, the Old Continent receives more cyberattacks than other areas of the planet. It is noteworthy that the majority of cyberattacks received by the EU come from within its borders, with the Netherlands ranking as the main source.
In addition, the increasingly necessary interconnection and integration of different technologies and devices opens the door to new vulnerabilities.
Previously, cybersecurity legislation was the responsibility of each country, but because these threats do not respect borders, it became necessary to develop a legal framework for cybersecurity management at the European level.
It is in this environment that European Regulation 2019/881 has been developed. It deals with cybersecurity, a current and far-reaching issue, at all levels within the countries of the European Union.
This new law on cybersecurity, which repeals Regulation 526/2013, is built on two main axes. On the one hand, it lays the foundations for the structure and operation of the European Agency for Cybersecurity (ENISA) and, on the other, it defines the standards that will make it possible to certify ICT cybersecurity within the Europe of 28.
The European Agency for Cybersecurity (ENISA)
The European Network and Information Security Agency was founded in 2004 with the aim of establishing IT security measures for the well-being of citizens.
Based in Greece, this European Union agency works with both governments and private entities. Its work focuses on the study and development of activities and policies related to cybersecurity in all its fields, notably:
- Development of cybersecurity capabilities.
- Improvement of cooperation between governments, institutions and agencies of the European Union.
- Design and implementation of cybersecurity exercises.
- Drafting of reports on the current European cybersecurity situation.
- Cybersecurity standardization and certification.
- Awareness and outreach activities.
With the new European Regulation 2019/881, ENISA is intended to bring together all member countries and become the reference body on cybersecurity issues, reducing the existing fragmentation.
To achieve this objective, its activities, organizational chart, work teams and the budget allocated to the agency have been redefined.
The European framework for cybersecurity certification
As mentioned above, one of the objectives of this law was to unify criteria for the standardization of cybersecurity measures, a further step towards the creation of a single European digital market.
In order for technological products and services to enjoy full security guarantees, it will be necessary to define schemes that certify their cybersecurity. These schemes must be properly defined (objectives, elements, application levels, adoption processes, evaluation, review, etc.).
In addition, lists of products, services and processes that have been evaluated according to the cybersecurity conditions required in such schemes will be published. All this information, including the schemes, will be published on ENISA’s website.
Manufacturers wishing to take advantage of these measures must comply with certain requirements, among which we can highlight the following:
- Provide users with recommendations regarding the installation, configuration, operation and maintenance of their product or service.
- Have their updates available.
- Send the user information about potential cybersecurity issues.
- Provide access to records showing the vulnerabilities of the product or service.
This cybersecurity certification will, with few exceptions, be voluntary and will serve as a method for the company’s self-assessment in terms of IT security.
In an increasingly digital society, protecting the availability, authenticity, integrity and confidentiality of data that is stored, processed and/or circulated has become one of the main concerns of national and international authorities.
As a result of this desire to improve cybersecurity, the new European Union law on cybersecurity has arisen, which reforms the structures and working mechanisms involved in this aspect.
We will continue working to achieve the digital security of signature processes in companies. Advances such as the one made now by the European Union are great steps forward for all individuals and legal entities in our Community. We will keep you informed!