
Cybersecurity Act (EU)

Generated by GPT-5-mini
Note: This article was automatically generated by a large language model (LLM) from purely parametric knowledge (no retrieval). It may contain inaccuracies or hallucinations. This encyclopedia is part of a research project currently under review.
Title: Cybersecurity Act
Enacted by: European Parliament
Introduced by: European Commission
Date enacted: 2019
Status: in force

The Cybersecurity Act is a regulation of the European Parliament and the Council of the European Union establishing an EU-wide cybersecurity certification framework and strengthening the mandate of the European Union Agency for Cybersecurity (ENISA). It aims to harmonize certification schemes for information and communications technology (ICT) products and services across the European Single Market and to improve resilience following incidents involving entities like Equinix, Maersk, and Telefónica. The Act was adopted amid debates involving stakeholders such as the European Commission, European Council, European Central Bank, and national authorities including the Bundesamt für Sicherheit in der Informationstechnik and ANSSI.

Background and Legislative Context

The Act was proposed by the Juncker Commission and negotiated during the European Parliament's 2014–2019 legislative term alongside initiatives like the NIS Directive and proposals influenced by incidents such as the WannaCry attack and the NotPetya attack. Discussions involved institutions including the Council of the European Union, the European Court of Auditors, and agencies like Europol and CERT-EU. Member State positions reflected inputs from national authorities such as the National Cyber Security Centre (NCSC) in the United Kingdom (pre-Brexit), the Agence nationale de la sécurité des systèmes d'information (ANSSI) in France, and the Finnish Transport and Communications Agency (Traficom).

Key Provisions

Key provisions establish binding elements for ENISA's mandate expansion, create a voluntary EU cybersecurity certification framework, and set out rules for a permanent EU cybersecurity certification board. The regulation introduced requirements for scheme development referencing standards from bodies such as the European Telecommunications Standards Institute (ETSI), the International Organization for Standardization (ISO), and the International Electrotechnical Commission (IEC), for example ISO/IEC 27001. Provisions interact with directives and regulations like the General Data Protection Regulation (GDPR), the Digital Services Act, and the NIS2 Directive, and were discussed by committees including the Committee on Industry, Research and Energy and the Committee on Civil Liberties, Justice and Home Affairs of the European Parliament.

European Cybersecurity Certification Framework

The Act created a structured certification framework to develop EU-wide schemes for ICT products, services, and processes, with levels of assurance comparable to the Common Criteria and referencing schemes like the Federal Information Processing Standards (FIPS). Certification aims to aid market actors including Siemens, Vodafone, SAP SE, and Schneider Electric. Schemes are developed through collaboration between ENISA, the European Standardisation Organisations such as CEN, CENELEC, and ETSI, and national certification bodies like Germany’s BSI and the ENISA National Liaison Officers. The framework contemplates voluntary schemes that may become de facto requirements through procurement policies by entities like the European Investment Bank and sectoral authorities such as the European Banking Authority (EBA).

Governance and ENISA's Role

The Act significantly reinforced ENISA’s mandate by granting a permanent mandate, increased budgetary resources, and governance roles including chairing the European Cybersecurity Certification Group and supporting the European Commission in drafting certification schemes. ENISA coordinates with bodies such as Europol, CERT-EU, European Defence Agency, and national CSIRTs like CERT-FR. The governance model involves the European Commission, national authorities, and stakeholder consultations with private firms including Microsoft, Amazon Web Services, and Google.

Implementation and Member State Responsibilities

Member States are required to designate national authorities to cooperate with ENISA, align national certification structures, and facilitate scheme development through participation in the European Cybersecurity Certification Group. National authorities such as ENISA National Liaison Officers and agencies like ANSSI and BSI must cooperate on mutual recognition and conformity assessment procedures. Implementation interacts with procurement rules of the European Commission and financial oversight from institutions like the European Court of Auditors and the European Investment Bank.

Impact and Criticism

Supporters including industry associations like DigitalEurope and cybersecurity firms pointed to benefits for the European Single Market, supply chain security for firms such as Airbus and Thales Group, and alignment with international standards such as ISO/IEC 15408. Critics — including some national authorities, non-governmental organisations, and commentators in outlets connected to Statewatch and Access Now — argued the voluntary nature limits effectiveness, raised concerns about certification cost burdens for SMEs like those in the Horizon 2020 ecosystem, and debated overlaps with GDPR and NIS Directive responsibilities. Academic analyses from institutions such as Oxford Internet Institute and Centre for European Policy Studies flagged challenges in mutual recognition and scheme uptake.

Following adoption, developments included ENISA-led scheme rollouts, interaction with the NIS2 Directive and the Digital Markets Act, and sectoral coordination with the European Banking Authority and European Securities and Markets Authority for financial sector resilience. Further policy work engaged the European Commission’s cybersecurity strategy, programmes under the Digital Europe Programme, and research funded by Horizon Europe and centres like the European Cybersecurity Competence Centre. International cooperation involved dialogues with partners such as the NATO Cooperative Cyber Defence Centre of Excellence and the United Nations Office on Drugs and Crime.

Categories: European Union law; Cybersecurity