Evaluation – Finalised: SWD (2017) 502, 13.09.2017
Commission Proposal – Adopted: adopted by the Commission on 13.09.2017, COM (2017) 477
Legal act: Adopted: Regulation (EU) 2019/881, Date of effect – 27.06.2019 (except for Articles 58, 60, 61, 63, 64 and 65) and 28.06.2021 (Articles 58, 60, 61, 63, 64 and 65)
The European Agency for Cybersecurity (ENISA) has operated since 2004 (until 2019 under the name of the European Agency for Network and Information Security). In line with Regulation (EU) No 526/2013, as of 2013 its objective was to contribute to a high level of network and information security within the Union.
Article 32 of the above-mentioned regulation required the Commission to carry out an evaluation of ENISA by 20 June 2018. However, in 2016, the Commission announced that, taking into account also the reinforced role that the Network and Information Systems Directive attributes to the Agency, it would bring the evaluation forward and, subject to its results, would present a proposal for a possible new mandate.
The evaluation found that, in order to counter new threats, which are horizontal in nature and affect multiple industrial sectors, there could be a need for an EU agency organised on a cross-sectoral / horizontal basis with a strong mandate. The evaluation also concluded that there is a need for cooperation and coordination across different stakeholders.
Based on the evaluation and the subsequent impact assessment, the Commission presented a legislative proposal, which foresaw granting ENISA a permanent mandate (until then the mandate had been regularly extended for a defined period of time), clarifying its role as the EU agency for cybersecurity and as the reference point in the EU cybersecurity ecosystem. Moreover, the proposal included provisions laying down an EU cybersecurity certification framework for ICT products, services and processes.
The new regulation, known as the ‘Cybersecurity Act’, was adopted in 2019. Except for the articles on national cybersecurity certification authorities, conformity assessment bodies, notification, complaints, judicial remedies and penalties in relation to European cybersecurity certificates and certification schemes, it entered into force in June of that year; the remaining articles became binding in June 2021.
The regulation (‘Cybersecurity Act’) enlarges the scope of ENISA’s mandate, in particular by introducing new tasks in the field of cybersecurity certification. The potential savings were not estimated, but case studies suggest that the single certification process, as envisaged in future European certification schemes, has the potential to reduce costs and time for vendors and providers of products and services (including small and medium-sized enterprises) as well as for public administrations, compared to the current national schemes, because the process for obtaining a valid European certificate is simplified and is the same for all Member States.