New cyber rules which come into force today introduce, for the first time, EU-wide rules for cyber certification of products, processes and services and encourage 'security by design'. They also give ENISA, the EU’s main cyber agency, a new name (the EU Agency for Cybersecurity), a permanent mandate and increased resources.
An EU-wide certification framework is certainly a welcome development for those organisations struggling to know whether the cyber products/services they buy have been designed with sufficient security protections in place (or to show that the products/services they sell have been).
While its impact on any UK schemes, given Brexit, may be limited, the new law does reference conditions for the mutual recognition of schemes with third countries.
For more information on the EU's new Cyber Security Act, see our briefing “Cyber Security By Design – new UK guidance and EU certification schemes” and the European Commission’s recent FAQs and Fact Sheet/Infographic.
Certification plays a critical role in increasing trust and security in products and services that are crucial for the Digital Single Market. At the moment, a number of different security certification schemes for ICT products exist in the EU. Without a common framework for EU-wide valid cybersecurity certificate schemes, there is an increasing risk of fragmentation and barriers in the single market.