The recently agreed Cyber Resilience Act isn’t the only new EU cybersecurity rule set to be published this December: by the end of the year, the European Commission is expected to adopt its draft regulations to establish a European cybersecurity certification scheme (“ECCS”).
Once finalized, the ECCS will be issued under the European Union's Cybersecurity Act, which provides for certification against the ECCS on a voluntary basis. Although voluntary, the draft standards will also have consequences for European cybersecurity laws more broadly, including:
- NIS 2, Europe’s cybersecurity directive for essential infrastructure, which provides that member states may require entities to use products that are certified under the ECCS. For an overview of NIS 2, see our blog here.
- The recently-agreed Cyber Resilience Act, Europe’s draft regulation on the security of the internet of things, which provides that the European Commission can require manufacturers of certain “highly critical” products to be certified under the ECCS, and creates a presumption of conformity with its cybersecurity requirements for products that hold an ECCS certificate. For an overview of the Cyber Resilience Act, see our blog here.
- The EU Cybersecurity Scheme for Cloud Services, which will also be issued under the Cybersecurity Act but cover cloud services instead of IT products. For an overview of this scheme, see our blog here.
The draft ECCS builds on the Common Criteria for Information Technology Security Evaluation (ISO/IEC 15408) – a welcome albeit incomplete embrace of international standards – and is intended to cover a broad range of IT products with security components, such as smartphones, bank cards, and routers. But the draft ECCS also goes well beyond simply setting out technical standards for products – it also:
- Sets out the process for certification – most notably, providing that self-assessment is not allowed even for lower-risk products.
- Requires vulnerability disclosure – through a vulnerability disclosure and analysis regime applying to products that have been certified.
- Sets out high expectations for regulators and certification bodies – including calling for national cybersecurity authorities to proactively sample at least 5% of products certified in the previous year, and for certification bodies to be subjected to “peer assessments” to identify shortcomings.
- Requires entities to take vulnerability management steps – including proactively monitoring vulnerability information about the product and its dependencies and implementing a vulnerability management program aligned to ISO/IEC 30111.
- Allows for mutual recognition of standards – where other countries sign mutual recognition agreements with the EU.
- Provides for consolidation of member states’ existing (national) certification schemes – with those existing schemes being phased out entirely after a 1-year transition period.
The draft standard will therefore be of interest to those seeking certification for their IT products as well as providing a preview of the process that will apply across other technical standards issued under the Cybersecurity Act.
Cyber Resilience Act continues to roll through the legislative process
Alongside the new ECCS, the Cyber Resilience Act is continuing its journey through the EU legislative process, having been agreed in the last week (see our blog here). Once it comes into force, the Cyber Resilience Act will set out a range of obligations for manufacturers and importers of “products with digital elements” (“PDEs”), including:
- designing PDEs to meet certain essential cybersecurity requirements through risk assessment and protection against known vulnerabilities;
- submitting PDEs to conformity assessments;
- notifying actively exploited vulnerabilities and severe security incidents to the national cybersecurity authority, ENISA, and users of the PDE; and
- conducting due diligence on imported PDEs.
As with most recent European technology regulation, the Cyber Resilience Act will come with the threat of high penalties for non-compliance – up to €15 million or 2.5% of global annual turnover, whichever is higher.
What’s happening next?
Following the end of the consultation period on 31 October, the European Commission is currently considering the feedback it received and is expected to publish the final ECCS regulations by the end of 2023. The ECCS will then take effect 12 months from its entry into force.
Meanwhile, the Cyber Resilience Act, which has now been agreed in substance but awaits legislative formalities, will continue to work its way through the legislative process, after which the Act would come into force over a phased transition period starting in late 2025.
And it’s not just the Cybersecurity and Cyber Resilience Acts that are moving along: a consultation process for “Tranche 2” of the EU’s DORA technical standards is expected in the coming months, member states are continuing to work to implement NIS 2 by the October 2024 deadline, and discussions on the EU Cybersecurity Scheme for Cloud Services are ongoing. All of this sets up 2024 to be yet another busy year for cybersecurity regulation in Europe.
Covington’s Privacy and Cybersecurity Practice regularly advises on cybersecurity issues across Europe, including NIS 2 and DORA. If you have any questions about how the raft of new European cyber regulations will affect your business, or about developments in the cybersecurity space more broadly, our team would be happy to discuss.