The European Commission has proposed a new cybersecurity package aimed at strengthening the EU’s cyber resilience, including a revised EU Cybersecurity Act designed to secure ICT supply chains and ensure products reaching EU citizens are secure by design through a streamlined certification process.
Revised Cybersecurity Act and ICT supply chain security
The revised Cybersecurity Act establishes an ICT supply chain security framework based on a risk-based approach. This framework will help the EU and Member States identify and mitigate risks across critical sectors while considering economic impacts and market supply.
The Act also introduces mandatory de-risking of European mobile telecommunications networks from high-risk third-country suppliers, building on the existing 5G security toolbox.
European Cybersecurity Certification Framework
Security testing of products will be carried out through the European Cybersecurity Certification Framework (ECCF). The ECCF allows the development of certification schemes within 12 months by default and introduces a more agile and transparent governance process that better involves stakeholders through public information and consultation.
Certification schemes will become a voluntary tool for businesses to demonstrate compliance with EU legislation, reducing the burden and costs of meeting regulatory requirements. Companies and organizations will be able to certify ICT products, services, processes, managed security services, and their cybersecurity posture to meet market needs.
The renewed ECCF will enhance trust and security in complex ICT supply chains for EU citizens, businesses and public authorities.
Simplifying compliance and NIS2 amendments
The new cybersecurity package introduces measures to simplify compliance with EU cybersecurity rules and risk-management requirements for companies operating in the EU. These measures complement the single-entry point for incident reporting introduced by the Digital Omnibus.
Targeted amendments to the NIS2 Directive aim to improve legal clarity by simplifying jurisdictional rules, streamlining the collection of data on ransomware attacks, and facilitating the supervision of cross-border entities. ENISA will play an enhanced coordinating role in supporting these changes.
Strengthening ENISA’s role
The revised Cybersecurity Act strengthens ENISA’s role in helping the EU and its Member States understand common cyber threats and improve preparedness and response to cyber incidents. The agency will continue to issue early warnings on emerging threats and incidents and develop a Union-wide approach to vulnerability management services.
ENISA will operate the single-entry point for incident reporting and, in cooperation with Europol and national Computer Security Incident Response Teams (CSIRTs), support companies in responding to and recovering from ransomware attacks.
ENISA will pilot a Cybersecurity Skills Academy and support the establishment of EU-wide cybersecurity skills attestation schemes to help build a skilled cybersecurity workforce across Europe.
