Editor's note: The IAPP is policy neutral. We publish contributed opinion and analysis pieces to enable our members to hear a broad spectrum of views in our domains.
The EU Cybersecurity Act is up for periodic review and the European Commission is approaching it as a simplification exercise, but not only.
The 2019 regulation was meant to strengthen the EU's cyber resilience along two pillars. First, it expanded the mandate and resources of the European Union Agency for Cybersecurity, the EU's cybersecurity agency established in 2004. ENISA has been tasked with increasing EU level operational cooperation, providing support to member states for cybersecurity incident management as requested, and supporting EU coordination in case of large-scale cross-border cyberattacks and crises.
More importantly for governance professionals, the Cybersecurity Act set up a cybersecurity certification framework for information and communication technology products, processes and services and across various assurance levels.
The act's material scope is broad: for example, defining ICT products as "an element or a group of elements of a network or information system;" ICT service as "a service consisting fully or mainly in the transmission, storing, retrieving or processing of information by means of network and information systems;" and ICT processes as a set of activities performed to design, develop, deliver or maintain an ICT product or ICT service. A targeted amendment adopted in January expanded its scope to "managed security services," covering areas such as incident response, penetration testing, security audits and consultancy.
According to the European Commission, each European scheme should specify: the categories of products and services covered; the cybersecurity requirements, for example, by reference to standards or technical specifications; the type of evaluation, such as self-assessment or third-party evaluation; and the intended level of assurance, for example, basic, substantial and/or high.
The act is now entering periodic review, a mechanism often built into European legislative instruments. This expected review, however, coincides with a simplification agenda that European Commission Executive Vice-President Henna Virkkunen, in charge of tech and sovereignty, is spearheading in digital policy.
The Commission is currently seeking stakeholders' views. A consistent drumbeat indicates the European Commission will look to simplify notification and documentation requirements across digital policy instruments, most likely including the EU General Data Protection Regulation and the NIS2 Directive.
So why is the Cybersecurity Act revision of interest to IAPP members?
As the Commission consultation document puts it mildly, "there is room for improvement regarding the (certification framework) adoption process, its agility and effectiveness, the clarity and allocation of roles and responsibilities of various actors throughout this process and the maintenance phase of certification schemes."
The certification process has been complex and very politicized on certain topics, namely cloud services. The draft EU Cloud Certification Scheme was first discussed in 2020 and has yet to be finalized five years on, amid a mix of political, technical and trade considerations to untangle. It crystalized different political approaches to sovereignty, most notably in France and Germany. The EU as a whole has yet to come to terms with the implications of the various approaches, in particular for smaller economies that may not have robust cybersecurity ecosystems at the national level.
The Commission also plans to give "further consideration of how to address the challenge of nontechnical risk factors." There is a lot under the hood of that sentence, and the bottom-line stakes are primarily the political, competition, trade and security risks potentially associated with using nondomestic technologies. Depending on the direction of travel, changes in the Cybersecurity Act approach could affect organizations' procurement and third-party vendor management practices.
Finally, the document anticipates the Commission will look to "further simplify cybersecurity relevant requirements across horizontal and sector-specific acts to facilitate effective implementation, reduce the administrative burden and ensure a business-friendly environment." Incident notification requirements could be at the top of the list. The IAPP's Incident Notification and Information Sharing Requirements: EU Digital Laws chart shows how complex these requirements and their intersections can be for practitioners to manage.
Isabelle Roccia, CIPP/E, is the managing director, Europe, for the IAPP.
This article originally appeared in the Europe Data Protection Digest, a free weekly IAPP newsletter. Subscriptions to this and other IAPP newsletters can be found here.