Members of the European Parliament approved the Cybersecurity Act on March 12, 2019, laying down a security certification scheme for products, processes, and services. MEPs also voted to adopt a resolution calling for EU-wide action against security threats brought about by the growth of Chinese technology in Europe.
“This significant success will enable the EU to keep up with security risks in the digital world for years to come. The legislation is a cornerstone for Europe to become a global player in cybersecurity. Consumers, as well as industry, need to be able to trust in IT solutions,” said rapporteur Angelika Niebler following the vote.
Certification for connected devices
The certification scheme was passed by a huge majority of 586 to 44 and will apply to products, processes, and services sold in EU countries. The Cybersecurity Act is intended to offer better protection for consumers, as MEPs voted to broaden the powers of the European Union Agency for Network and Information Security (ENISA).
“Increased digitization and connectivity lead to increased cybersecurity risks, thus making society at large more vulnerable to cyberthreats and exacerbating dangers faced by individuals, including vulnerable persons such as children,” according to a report by Niebler. The EU legislation on cybersecurity goes beyond products, processes, and services, stressing the importance of certification for critical infrastructure such as energy networks and banking systems.
Non-EU suppliers – a potential cyberthreat to Europe
MEPs are concerned that hardware suppliers in non-EU countries could pose a risk to the security of the EU. All companies in some of those countries are legally required to cooperate with the state in the interest of national security, which is very broadly defined. This even applies outside the country itself, especially in the case of China.
“Chinese state security laws have triggered reactions in various countries, ranging from security assessments to outright bans,” MEPs have revealed.
New protocol to respond to major incidents
In parallel with the Cybersecurity Act, the Council of the European Union adopted a new protocol to tackle major global cyberattacks, such as WannaCry. The EU Law Enforcement Emergency Response Protocol is part of a recommendation made in September 2017 to coordinate the response to major cybersecurity incidents and crises.
The measure is designed to “provide an immediate response to major international cyberattacks by carrying out a rapid assessment, sharing critical information quickly and securely, and ensuring effective coordination in international investigations”. Responsibility for implementing the protocol will be assigned to the European Cybercrime Centre (EC3).
The protocol sets out “the procedures, roles, and responsibilities of key players both in the European Union and beyond”, while also maintaining a high level of security for “communication channels and round-the-clock contact points dedicated to the exchange of important information”.