Events

2019/06/07
   Final act published in Official Journal
Details

PURPOSE: reform the current European Network and Information Security Agency (ENISA) to provide the EU with an increased cybersecurity capacity and define a framework for the establishment of a European Cybersecurity Certification Scheme.

LEGISLATIVE ACT: Regulation (EU) 2019/881 of the European Parliament and of the Council on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification and repealing Regulation (EU) No 526/2013 (Cybersecurity Act).

CONTENT: with a view to ensuring the proper functioning of the internal market while aiming to achieve a high level of cybersecurity, cyber resilience and trust within the Union, this Regulation lays down:

- objectives, tasks and organisational matters relating to ENISA (the European Union Agency for Cybersecurity); and

- a framework for the establishment of European cybersecurity certification schemes for the purpose of ensuring an adequate level of cybersecurity for ICT products, ICT services and ICT processes in the Union, as well as for the purpose of avoiding the fragmentation of the internal market with regard to cybersecurity certification schemes in the Union.

European Union Cybersecurity Agency (ENISA)

The Regulation strengthens the current European Union Network and Information Security Agency (ENISA) into a permanent body, the EU Cybersecurity Agency.

ENISA shall carry out its tasks with the aim of achieving a high common level of cybersecurity throughout the Union, including by actively assisting Member States and EU institutions, bodies, offices and agencies to improve cybersecurity. It would serve as a reference point for cybersecurity advice and expertise for EU institutions, bodies, offices and agencies as well as for other relevant EU stakeholders.

ENISA’s tasks shall include:

- assist EU institutions, bodies, offices and agencies, as well as Member States, in the development and implementation of EU policies related to cybersecurity and help them to increase the protection of their networks and information systems, improve cyber-resilience and cyber-reaction capacities, and develop skills and competences in the field of cybersecurity;

- support EU policy on cybersecurity certification, for example by playing a central role in the development of certification systems;

- promote the use of the new certification system, for example by creating a website providing information on certificates;

- promote cooperation, including information sharing and coordination at EU level;

- support Member States' actions to prevent and respond to cyber threats, in particular in the event of cross-border incidents;

- promote a high level of awareness among citizens, organisations and businesses of cybersecurity issues, including computer hygiene and digital skills;

- organise regular EU-wide cyber security exercises, including a large-scale global exercise once every two years;

- produce long-term strategic analyses of cyber threats and incidents to identify emerging trends and help prevent incidents.

The mandate also provides for a network of national liaison officers to facilitate the exchange of information between ENISA and the Member States.

An ENISA Advisory Group composed of recognised experts representing relevant stakeholders, as well as a Stakeholder Group for Cybersecurity Certification shall also be established.

European Cybersecurity Certification Framework

The Regulation creates the first European cybersecurity certification scheme to ensure that products, processes and services sold in EU countries comply with cybersecurity standards.

The Commission shall publish, no later than one year after the entry into force of the Regulation, a rolling work programme of the Union for European Cybersecurity Certification which identifies strategic priorities for future European cybersecurity certification schemes. It shall maintain a dedicated website providing information on European cybersecurity certification schemes, European cybersecurity certificates and EU declarations of conformity.

The cybersecurity certification shall be voluntary, unless otherwise specified by Union law or Member State law.

The Commission shall regularly monitor the impact of certification systems and assess their level of use by manufacturers and service providers.

There will be three different levels of assurance, depending on the level of risk associated with the intended use of the product, namely "basic", "substantial" or "high". At the most basic level, manufacturers or service providers shall be able to carry out the conformity assessment themselves.

In order to ensure equivalence of standards across the Union for European cybersecurity certificates and EU declarations of conformity, national cybersecurity certification authorities shall be subject to peer review.

ENTRY INTO FORCE: 27.6.2019. Certain provisions shall apply from 28.6.2021.

2019/04/30
   EC - Commission response to text adopted in plenary
2019/04/17
   CSL - Draft final act
2019/04/17
   CSL - Final act signed
2019/04/17
   EP - End of procedure in Parliament
2019/04/09
   EP/CSL - Act adopted by Council after Parliament's 1st reading
2019/04/09
   CSL - Council Meeting
2019/03/12
   EP - Results of vote in Parliament
2019/03/12
   EP - Decision by Parliament, 1st reading
Details

The European Parliament adopted by 586 votes to 44, with 36 abstentions, a legislative resolution on the proposal for a regulation of the European Parliament and of the Council on ENISA, the European Union Cybersecurity Agency and repealing Regulation (EU) 526/2013, and on Information and Communication Technology cybersecurity certification ("Cybersecurity Act").

The position of the European Parliament adopted at first reading under the ordinary legislative procedure has amended the Commission proposal as follows:

Enhanced powers for the EU Cybersecurity Agency (ENISA)

In order to ensure the proper functioning of the internal market while seeking to achieve a high level of cybersecurity, the proposed regulation would set out the objectives, tasks and organisational issues concerning ENISA (the European Union Agency for Cybersecurity).

ENISA would carry out its tasks with the aim of achieving a high common level of cybersecurity throughout the Union, including by actively assisting Member States and EU institutions, bodies, offices and agencies to improve cybersecurity. It would serve as a reference point for cybersecurity advice and expertise for EU institutions, bodies, offices and agencies as well as for other relevant EU stakeholders. To this end, it should develop its own resources, including its technical capacities and skills.

ENISA should, among other things:

- assist Member States and EU institutions, bodies, offices and agencies in (i) building capacity and preparedness to prevent, detect and respond to cyber threats and incidents; (ii) developing and promoting cyber security policies to support the overall availability or integrity of the public core of the open Internet; and (iii) implementing, on a voluntary basis, policies on vulnerability disclosure;

- promote information sharing and coordination at EU level, between Member States, EU institutions, bodies, offices and agencies and relevant public and private sector stakeholders on cybersecurity issues;

- promote the use of European cybersecurity certification to avoid fragmentation of the internal market;

- support Member States in the field of cybersecurity awareness and education by promoting closer coordination and the exchange of good practices between Member States. Such support could include the development of a network of national education contact points and a cybersecurity training platform;

- raise public awareness of the risks associated with cybersecurity and provide guidance to citizens, organisations and businesses on good practices for individual users, including IT hygiene and digital skills;

- facilitate the technical management of incidents with significant or substantial impact, in particular by supporting the voluntary sharing of technical solutions between Member States or by producing combined technical information, such as technical solutions voluntarily shared by Member States;

- promote the concepts of security from the design stage and privacy from the design stage at EU level;

- contribute, where appropriate, to cooperation with organisations such as the OECD, OSCE and NATO, for example through joint exercises in the field of cybersecurity.

ENISA should keep the European Parliament regularly informed of its activities.

National Liaison Officer Network

The Management Board should establish, on a proposal from the Executive Director, a network of national liaison officers composed of representatives of all Member States (national liaison officers). This network would facilitate the exchange of information between ENISA and the Member States and would help ENISA to publicise its activities and disseminate the results of its work and recommendations to relevant stakeholders across the Union.

European Cybersecurity Certification Framework

The amended text creates the first European cybersecurity certification scheme to ensure that products, processes and services sold in EU countries comply with cybersecurity standards.

The Commission should publish, no later than one year after the entry into force of the Regulation, a rolling work programme of the Union for European Cybersecurity Certification which identifies strategic priorities for future European cybersecurity certification schemes. It should maintain a dedicated website providing information on European cybersecurity certification schemes, European cybersecurity certificates and EU declarations of conformity.

In order to ensure equivalence of standards across the Union for European cybersecurity certificates and EU declarations of conformity, national cybersecurity certification authorities would be subject to peer review.

2019/03/11
   EP - Debate in Parliament
2019/03/11
   EP - FRANZ Romeo (Verts/ALE) appointed as rapporteur in LIBE
2019/01/14
   EP - Approval in committee of the text agreed at 1st reading interinstitutional negotiations
2018/09/12
   EP - Committee decision to enter into interinstitutional negotiations confirmed by plenary (Rule 71)
2018/09/10
   EP - Committee decision to enter into interinstitutional negotiations announced in plenary (Rule 71)
2018/07/30
   EP - Committee report tabled for plenary, 1st reading/single reading
2018/07/30
   EP - Committee report tabled for plenary, 1st reading
2018/07/10
   EP - Vote in committee, 1st reading
2018/07/10
   EP - Committee decision to open interinstitutional negotiations with report adopted in committee
2018/05/22
   EP - Committee opinion
2018/04/30
   EP - Amendments tabled in committee
2018/04/30
   EP - Amendments tabled in committee
2018/04/23
   EP - Committee opinion
2018/03/27
   EP - Committee draft report
2018/03/16
   EP - Committee opinion
2018/02/14
   ESC - Economic and Social Committee: opinion, report
2018/02/04
   CZ_CHAMBER - Contribution
2018/01/18
   EP - Referral to associated committees announced in Parliament
2017/12/19
   RO_SENATE - Contribution
2017/12/18
   DE_BUNDESRAT - Contribution
2017/12/13
   CZ_SENATE - Contribution
2017/12/06
   PT_PARLIAMENT - Contribution
2017/11/20
   ES_PARLIAMENT - Contribution
2017/11/20
   CSL - Resolution/conclusions adopted by Council
2017/11/20
   CSL - Council Meeting
2017/10/27
   EP - NIEBLER Angelika (PPE) appointed as rapporteur in ITRE
2017/10/23
   EP - Committee referral announced in Parliament, 1st reading
2017/09/26
   EP - GEIER Jens (S&D) appointed as rapporteur in BUDG
2017/09/25
   EP - DANTI Nicola (S&D) appointed as rapporteur in IMCO
2017/09/13
   EC - Document attached to the procedure
2017/09/13
   EC - Document attached to the procedure
2017/09/13
   EC - Document attached to the procedure
2017/09/13
   EC - Legislative proposal published
Details

PURPOSE: to enhance the organisational aspects of ENISA, the EU Cybersecurity Agency, with a view to ensuring an adequate level of cybersecurity in the Union and repeal Regulation (EU) 526/2013 on Information and Communication Technology cybersecurity certification (Cybersecurity Act).

PROPOSED ACT: Regulation of the European Parliament and of the Council.

ROLE OF THE EUROPEAN PARLIAMENT: the European Parliament decides in accordance with the ordinary legislative procedure and on an equal footing with the Council.

BACKGROUND: the European Union has taken a number of actions to increase resilience and enhance its cybersecurity preparedness. Since the first EU Cybersecurity Strategy adopted in 2013, important developments have taken place, including the second mandate for the European Union Agency for Network and Information Security (ENISA) and the adoption of the Directive on security of network and information systems (NIS Directive), which form the basis for the present proposal.

In 2016 the European Commission adopted a Communication on Strengthening Europe's Cyber Resilience System, in which further measures were announced to increase the EU’s resilience and preparedness.

The Council recalled that the ENISA Regulation is one of the core elements of an EU cyber resilience framework and called upon the Commission to take further steps to address the issue of certification at the European level. In 2017, it welcomed the Commission's intention to review the Cybersecurity Strategy in September and to propose further targeted actions before the end of 2017.

IMPACT ASSESSMENT: the impact assessment sought to mitigate problems such as the fragmentation of policies and approaches to cybersecurity across Member States; dispersed resources and fragmentation of approaches to cybersecurity across EU institutions, agencies and bodies; insufficient awareness and information of citizens and companies, coupled with the growing emergence of multiple national and sectoral certification schemes.

The analysis led to the conclusion that a reformed ENISA in combination with an EU general ICT cybersecurity certification framework was the preferred option.

CONTENT: overall, the proposal reviews the current mandate of ENISA and lays down a renewed set of tasks and functions, with a view to effectively and efficiently supporting Member States, EU institutions and other stakeholders' efforts to ensure a secure cyberspace in the European Union.

The new proposed mandate seeks to give the Agency a stronger and more central role, in particular by also supporting Member States in implementing the NIS Directive and to counter particular threats more actively (operational capacity) and by becoming a centre of expertise supporting Member States and the Commission on cybersecurity certification.

Specifically, the proposal seeks to establish:

- an EU Cybersecurity Agency, building on the European Agency for Network and Information Security (ENISA), which will improve coordination and cooperation across Member States and EU institutions, agencies and bodies;

- an EU cybersecurity certification framework that will ensure the trustworthiness of the billions of devices (“Internet of Things”) which drive today’s critical infrastructures, such as energy and transport networks, and also new consumer devices, such as connected cars.

An EU Cybersecurity Agency: the Agency will be given a permanent mandate to assist Member States in effectively preventing and responding to cyber-attacks. It will improve the EU's preparedness to react by organising yearly pan-European cybersecurity exercises and by ensuring better sharing of threat intelligence and knowledge through the setting up of Information Sharing and Analyses Centres. It will help implement the Directive on the Security of Network and Information Systems which contains reporting obligations to national authorities in case of serious incidents.

The Cybersecurity Agency would also help put in place and implement the EU-wide certification framework that the Commission is proposing to ensure that products and services are cyber secure. The proposal also includes the provisions facilitating the combating of fraud, corruption and other unlawful activities as well as staffing and budget provisions.

An EU cybersecurity certification framework: at present, a number of different security certification schemes for ICT products exist in the EU. The Cybersecurity Agency, ENISA, will put in place and implement this certification process. The proposed EU-wide certification framework creates a comprehensive set of rules, technical requirements, standards and procedures to agree each scheme. Each scheme will be based on agreement at EU level for the evaluation of the security properties of a specific ICT-based product or service e.g. smart cards.

The proposal establishes the main legal effects of European cybersecurity certification schemes, namely (i) the obligation to implement the scheme at national level and the voluntary nature of certification; (ii) the invalidating effect of European cybersecurity certification schemes on national schemes for the same products or services. It also lays down the procedure for the adoption of European cybersecurity certification schemes and the respective roles of the Commission, ENISA and the European Cybersecurity Certification Group.

BUDGETARY IMPLICATIONS: the total appropriations for ENISA, including administrative expenditure, from 2019 to 2022 are estimated at EUR 86.038 million.

Votes

A8-0264/2018 - Angelika Niebler - Am 258 12/03/2019 12:51:32.000

2019/03/12 Outcome: +: 586, -: 44, 0: 36

Total by Member State: DE 86, IT 59, FR 65, ES 49, PL 45, RO 27, GB 64, BE 18, SE 19, BG 17, NL 26, CZ 19, AT 17, PT 21, FI 13, SK 12, HU 13, HR 11, LT 10, LV 8, SI 8, LU 6, EE 6, IE 9, MT 6, DK 12, CY 5, EL 13

Total by political group: PPE 186, S&D 169, ALDE 64, ECR 68, Verts/ALE 50, ENF 33, GUE/NGL 43, NI 14, EFDD 37

Amendments

Dossier 2017/0225(COD): 1053 amendments
2018/02/09 LIBE 106 amendments...
source: 618.105
2018/03/02 IMCO 394 amendments...
source: 619.102
2018/03/28 BUDG 14 amendments...
source: 620.724
2018/04/30 ITRE 539 amendments...
source: 621.098

History

(these mark the time of scraping, not the official date of the change)

events/6/summary
  • The Committee on Industry, Research and Energy adopted the report by Angelika NIEBLER (EPP, DE) on the proposal for a regulation of the European Parliament and of the Council on ENISA, the "EU Cybersecurity Agency", and repealing Regulation (EU) 526/2013, and on Information and Communication Technology cybersecurity certification (''Cybersecurity Act'').
  • The committee recommended that the position of the European Parliament adopted at first reading following the ordinary legislative procedure amend the Commission proposal as follows:
  • Mandate and tasks of the Agency: the EU Cybersecurity Agency shall be reinforced for the purpose of: (i) contributing to achieving a high common level of cybersecurity; (ii) preventing cyber-attacks within the Union; (iii) reducing fragmentation in the internal market and improving its functioning; (iv) ensuring consistency by taking into account the Member States’ cooperation achievements under the Directive on security of network and information systems (NIS Directive).
  • The Agency shall respect the competences of Member States regarding cybersecurity, especially those concerning public security, defence, national security and the activities of the state in areas of criminal law.
  • The main tasks of the Agency shall be, inter alia, to:
    - promote cooperation, coordination and information sharing at Union level among Member States, Union institutions, agencies and bodies, and relevant stakeholders, on matters related to cybersecurity;
    - support projects contributing to a high level of awareness, cyber hygiene and cyber literacy among citizens and businesses on issues related to cybersecurity;
    - contribute towards raising the awareness of the public, including by promoting education, about cybersecurity risks and provide guidance on good practices for individual users aimed at citizens, organisations and businesses;
    - assist Member States and Union institutions in establishing and implementing coordinated vulnerability disclosure policies and government vulnerability disclosure review processes, whose practices and determinations should be transparent and subject to independent oversight;
    - facilitate the establishment and launch of a long-term European IT security project to support the development of an independent IT security industry across the Union;
    - support operational cooperation among Member States, Union institutions, agencies and bodies, with a view to achieving collaboration, by analysing and assessing existing national schemes, by developing and implementing a plan and by using the appropriate instruments to achieve the highest level of cybersecurity certification in the Union and the Member States;
    - contribute to an EU level response in case of large-scale cross-border cybersecurity incidents and crises, mainly by supporting the technical management of incidents or crises with the aid of its independent expertise and its own resources;
    - organise, at least once a year, cybersecurity exercises across the Union.
  • Organisation and management: Members suggest that ENISA further strengthens its capabilities and technical expertise to be able to provide adequate support for operational cooperation with Member States. For this purpose the Agency shall progressively reinforce its staff dedicated to this task so as to be able to collect and analyse autonomously different types of a wide range of cybersecurity threats and malware, perform forensic analysis and assist Member States in the response to large scale incidents.
  • ENISA shall increase its know-how and capacities based on existing resources present in the Member States, notably by seconding national experts to the Agency, creating pools of experts, and staff-exchange programmes.
  • The Agency shall set up an ENISA Advisory Group composed of recognised security experts representing the relevant stakeholders, such as the ICT industry – including SMEs, operators of essential services according to the NIS Directive, providers of electronic communications networks or services available to the public, consumer groups, academic experts in cybersecurity, European Standards Organisations (ESOs), and EU agencies.
  • The ENISA Advisory Group shall set out the objectives in its work programme, which shall be published every six months to ensure transparency.
  • The Agency shall also have a Stakeholders Certification Group as an advisory body, to ensure regular dialogue with the private sector, consumers’ organisations, academia and other relevant stakeholders.
  • European cybersecurity certification schemes: Members consider that not only products and services should be covered by the regulation, but also the whole life cycle. Thus, processes also have to be included in the scope of application.
  • The certification scheme shall ensure:
    - the confidentiality, integrity, availability and privacy of services, functions and data;
    - that services, functions and data can be accessed and used only by authorised persons and/or authorised systems and programmes;
    - that a process is in place to identify and document all dependencies and known vulnerabilities in ICT products, processes and services;
    - that ICT products, processes and services are secure by default and by design;
    - that other risks linked to cyber-incidents, such as risks to life, health, the environment and other significant legal interests are minimised.
  • Members suggested greater involvement from Member States and industry in the certification process.
  • The Agency shall maintain a website with all relevant information on European cybersecurity certification schemes, including with regards to withdrawn and expired certificates and national certifications covered, and ensure that they are made public.
  • Lastly, to promote the overall acceptance of certificates and conformity assessment results issued by conformity assessment bodies, Members proposed that national certification supervisory authorities operate a rigorous and transparent peer evaluation system and regularly undergo such evaluation.
events/7
date
2018-09-10T00:00:00
type
Committee decision to enter into interinstitutional negotiations announced in plenary (Rule 71)
body
EP
events/8
date
2019-03-11T00:00:00
type
Debate in Parliament
body
EP
events/8
date
2018-09-12T00:00:00
type
Committee decision to enter into interinstitutional negotiations confirmed by plenary (Rule 71)
body
EP
events/8/docs
  • url: http://www.europarl.europa.eu/sides/getDoc.do?secondRef=TOC&language=EN&reference=20190311&type=CRE title: Debate in Parliament
events/10
date
2019-03-11T00:00:00
type
Debate in Parliament
body
EP
events/10
date
2019-03-12T00:00:00
type
Decision by Parliament, 1st reading/single reading
body
EP
docs
url: http://www.europarl.europa.eu/doceo/document/TA-8-2019-0151_EN.html title: T8-0151/2019
summary
events/12
date
2019-03-12T00:00:00
type
Decision by Parliament, 1st reading
body
EP
docs
url: https://www.europarl.europa.eu/doceo/document/TA-8-2019-0151_EN.html title: T8-0151/2019
summary
procedure/Modified legal basis
Rules of Procedure EP 159
procedure/Notes
  • 12/09/2018 Decision to enter into interinstitutional negotiations confirmed by plenary (Rule 69c)
procedure/Other legal basis
Rules of Procedure EP 159
committees/0/shadows/6/name
Old
LECHEVALIER Christelle
New
LETARD-LECHEVALIER Christelle
docs/13/body
EC
events/6/docs/0/url
Old
http://www.europarl.europa.eu/sides/getDoc.do?type=REPORT&mode=XML&reference=A8-2018-0264&language=EN
New
http://www.europarl.europa.eu/doceo/document/A-8-2018-0264_EN.html
events/10/docs/0/url
Old
http://www.europarl.europa.eu/sides/getDoc.do?type=TA&language=EN&reference=P8-TA-2019-0151
New
http://www.europarl.europa.eu/doceo/document/TA-8-2019-0151_EN.html
committees/0
type
Responsible Committee
body
EP
associated
True
committee_full
Industry, Research and Energy
committee
ITRE
rapporteur
name: NIEBLER Angelika date: 2017-10-27T00:00:00 group: European People's Party (Christian Democrats) abbr: PPE
shadows
committees/0
type
Responsible Committee
body
EP
associated
True
committee_full
Industry, Research and Energy
committee
ITRE
date
2017-10-27T00:00:00
rapporteur
name: NIEBLER Professor Doktor Angelika group: European People's Party (Christian Democrats) abbr: PPE
shadows
committees/2
type
Committee Opinion
body
EP
associated
False
committee_full
Budgets
committee
BUDG
rapporteur
name: GEIER Jens date: 2017-09-26T00:00:00 group: Progressive Alliance of Socialists and Democrats abbr: S&D
committees/2
type
Committee Opinion
body
EP
associated
False
committee_full
Budgets
committee
BUDG
date
2017-09-26T00:00:00
rapporteur
name: GEIER Jens group: Progressive Alliance of Socialists and Democrats abbr: S&D
committees/3
type
Committee Opinion
body
EP
associated
True
committee_full
Internal Market and Consumer Protection
committee
IMCO
rapporteur
name: DANTI Nicola date: 2017-09-25T00:00:00 group: Progressive Alliance of Socialists and Democrats abbr: S&D
committees/3
type
Committee Opinion
body
EP
associated
True
committee_full
Internal Market and Consumer Protection
committee
IMCO
date
2017-09-25T00:00:00
rapporteur
name: DANTI Nicola group: Progressive Alliance of Socialists and Democrats abbr: S&D
committees/4
type
Committee Opinion
body
EP
associated
False
committee_full
Civil Liberties, Justice and Home Affairs
committee
LIBE
rapporteur
name: FRANZ Romeo date: 2019-03-11T00:00:00 group: Greens/European Free Alliance abbr: Verts/ALE
committees/4
type
Committee Opinion
body
EP
associated
False
committee_full
Civil Liberties, Justice and Home Affairs
committee
LIBE
date
2019-03-11T00:00:00
rapporteur
name: FRANZ Romeo group: Greens/European Free Alliance abbr: Verts/ALE
events/14/summary
  • PURPOSE: reform the current European Network and Information Security Agency (ENISA) to provide the EU with an increased cybersecurity capacity and define a framework for the establishment of a European Cybersecurity Certification Scheme.
  • LEGISLATIVE ACT: Regulation (EU) 2019/881 of the European Parliament and of the Council on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification and repealing Regulation (EU) No 526/2013 (Cybersecurity Act).
  • CONTENT: with a view to ensuring the proper functioning of the internal market while aiming to achieve a high level of cybersecurity, cyber resilience and trust within the Union, this Regulation lays down:
  • - objectives, tasks and organisational matters relating to ENISA (the European Union Agency for Cybersecurity); and
  • - a framework for the establishment of European cybersecurity certification schemes for the purpose of ensuring an adequate level of cybersecurity for ICT products, ICT services and ICT processes in the Union, as well as for the purpose of avoiding the fragmentation of the internal market with regard to cybersecurity certification schemes in the Union.
  • European Union Cybersecurity Agency (ENISA)
  • The Regulation strengthens the current European Union Network and Information Security Agency (ENISA) into a permanent body, the EU Cybersecurity Agency.
  • ENISA shall carry out its tasks with the aim of achieving a high common level of cybersecurity throughout the Union, including by actively assisting Member States and EU institutions, bodies, offices and agencies to improve cybersecurity. It would serve as a reference point for cybersecurity advice and expertise for EU institutions, bodies, offices and agencies as well as for other relevant EU stakeholders.
  • ENISA’s tasks shall include:
  • assist EU institutions, bodies, offices and agencies, as well as Member States, in the development and implementation of EU policies related to cybersecurity and help them to increase the protection of their networks and information systems, improve cyber-resilience and cyber-reaction capacities, and develop skills and competences in the field of cybersecurity; support EU policy on cybersecurity certification, for example by playing a central role in the development of certification systems; promote the use of the new certification system, for example by creating a website providing information on certificates; promote cooperation, including information sharing and coordination at EU level; support Member States' actions to prevent and respond to cyber threats, in particular in the event of cross-border incidents; promote a high level of awareness among citizens, organisations and businesses of cybersecurity issues, including computer hygiene and digital skills; organise regular EU-wide cyber security exercises, including a large-scale global exercise once every two years; produce long-term strategic analyses of cyber threats and incidents to identify emerging trends and help prevent incidents.
  • The mandate also provides for a network of national liaison officers to facilitate the exchange of information between ENISA and the Member States.
  • An ENISA Advisory Group composed of recognised experts representing relevant stakeholders, as well as a Stakeholder Group for Cybersecurity Certification shall also be established.
  • European Cybersecurity Certification Framework
  • The Regulation creates the first European cybersecurity certification scheme to ensure that products, processes and services sold in EU countries comply with cybersecurity standards.
  • The Commission shall publish, no later than one year after the entry into force of the Regulation, a rolling work programme of the Union for European Cybersecurity Certification which identifies strategic priorities for future European cybersecurity certification schemes. It shall maintain a dedicated website providing information on European cybersecurity certification schemes, European cybersecurity certificates and EU declarations of conformity.
  • The cybersecurity certification shall be voluntary, unless otherwise specified by Union law or Member State law.
  • The Commission shall regularly monitor the impact of certification systems and assess their level of use by manufacturers and service providers.
  • There will be three different levels of assurance, depending on the level of risk associated with the intended use of the product, namely "basic", "substantial" or "high". At the most basic level, manufacturers or service providers shall be able to carry out the conformity assessment themselves.
  • In order to ensure equivalence of standards across the Union for European cybersecurity certificates and EU declarations of conformity, national cybersecurity certification authorities shall be subject to peer review.
  • ENTRY INTO FORCE: 27.6.2019. Certain provisions shall apply from 28.6.2021.
docs/13/docs/0/url
/oeil/spdoc.do?i=31443&j=0&l=en
activities
  • date: 2017-09-13T00:00:00 docs: url: http://www.europarl.europa.eu/RegData/docs_autres_institutions/commission_europeenne/com/2017/0477/COM_COM(2017)0477_EN.pdf title: COM(2017)0477 type: Legislative proposal published celexid: CELEX:52017PC0477:EN body: EC commission: DG: url: http://ec.europa.eu/digital-single-market/dg-connect title: Communications Networks, Content and Technology Commissioner: KING Julian type: Legislative proposal published
  • date: 2017-10-23T00:00:00 body: EP type: Committee referral announced in Parliament, 1st reading/single reading committees: body: EP responsible: False committee: BUDG date: 2017-09-26T00:00:00 committee_full: Budgets rapporteur: group: S&D name: GEIER Jens body: EP responsible: False committee: IMCO date: 2017-09-25T00:00:00 committee_full: Internal Market and Consumer Protection rapporteur: group: S&D name: DANTI Nicola body: EP shadows: group: S&D name: KOUROUMBASHEV Peter group: ECR name: TOŠENOVSKÝ Evžen group: ALDE name: TELIČKA Pavel group: Verts/ALE name: DALUNDE Jakop group: EFD name: BORRELLI David group: ENF name: LECHEVALIER Christelle responsible: True committee: ITRE date: 2017-10-27T00:00:00 committee_full: Industry, Research and Energy rapporteur: group: EPP name: NIEBLER Angelika body: EP responsible: False committee_full: Civil Liberties, Justice and Home Affairs committee: LIBE
  • date: 2017-11-20T00:00:00 body: CSL type: Council Meeting council: General Affairs meeting_id: 3578
commission
  • body: EC dg: Communications Networks, Content and Technology commissioner: KING Julian
committees/0
type
Responsible Committee
body
EP
associated
True
committee_full
Industry, Research and Energy
committee
ITRE
date
2017-10-27T00:00:00
rapporteur
name: NIEBLER Professor Doktor Angelika group: European People's Party (Christian Democrats) abbr: PPE
shadows
committees/0
body
EP
responsible
False
committee
BUDG
date
2017-09-26T00:00:00
committee_full
Budgets
rapporteur
group: S&D name: GEIER Jens
committees/1
type
Committee Opinion
body
EP
associated
False
committee_full
Foreign Affairs
committee
AFET
opinion
False
committees/1
body
EP
responsible
False
committee
IMCO
date
2017-09-25T00:00:00
committee_full
Internal Market and Consumer Protection
rapporteur
group: S&D name: DANTI Nicola
committees/2
type
Committee Opinion
body
EP
associated
False
committee_full
Budgets
committee
BUDG
date
2017-09-26T00:00:00
rapporteur
name: GEIER Jens group: Progressive Alliance of Socialists and Democrats abbr: S&D
committees/2
body
EP
shadows
responsible
True
committee
ITRE
date
2017-10-27T00:00:00
committee_full
Industry, Research and Energy
rapporteur
group: EPP name: NIEBLER Angelika
committees/3
type
Committee Opinion
body
EP
associated
True
committee_full
Internal Market and Consumer Protection
committee
IMCO
date
2017-09-25T00:00:00
rapporteur
name: DANTI Nicola group: Progressive Alliance of Socialists and Democrats abbr: S&D
committees/3
body
EP
responsible
False
committee_full
Civil Liberties, Justice and Home Affairs
committee
LIBE
committees/4
type
Committee Opinion
body
EP
associated
False
committee_full
Civil Liberties, Justice and Home Affairs
committee
LIBE
date
2019-03-11T00:00:00
rapporteur
name: FRANZ Romeo group: Greens/European Free Alliance abbr: Verts/ALE
council
  • body: CSL type: Council Meeting council: General Affairs meeting_id: 3685 url: http://register.consilium.europa.eu/content/out?lang=EN&typ=SET&i=SMPL&ROWSPP=25&RESULTSET=1&NRROWS=500&DOC_LANCD=EN&ORDERBY=DOC_DATE+DESC&CONTENTS=3685*&MEET_DATE=09/04/2019 date: 2019-04-09T00:00:00
  • body: CSL type: Council Meeting council: General Affairs meeting_id: 3578 url: http://register.consilium.europa.eu/content/out?lang=EN&typ=SET&i=SMPL&ROWSPP=25&RESULTSET=1&NRROWS=500&DOC_LANCD=EN&ORDERBY=DOC_DATE+DESC&CONTENTS=3578*&MEET_DATE=20/11/2017 date: 2017-11-20T00:00:00
docs
  • date: 2017-09-13T00:00:00 docs: title: SWD(2017)0500 type: Document attached to the procedure body: EC
  • date: 2017-09-13T00:00:00 docs: url: https://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=SWD:2017:0501:FIN:EN:PDF title: EUR-Lex title: SWD(2017)0501 type: Document attached to the procedure body: EC
  • date: 2017-09-13T00:00:00 docs: url: https://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=SWD:2017:0502:FIN:EN:PDF title: EUR-Lex title: SWD(2017)0502 type: Document attached to the procedure body: EC
  • date: 2017-12-12T00:00:00 docs: title: PE615.375 type: Reasoned opinion body: FR_SENATE
  • date: 2018-02-14T00:00:00 docs: url: https://dm.eesc.europa.eu/EESCDocumentSearch/Pages/redresults.aspx?k=(documenttype:AC)(documentnumber:4390)(documentyear:2017)(documentlanguage:EN) title: CES4390/2017 type: Economic and Social Committee: opinion, report body: ESC
  • date: 2018-03-16T00:00:00 docs: url: http://www.europarl.europa.eu/sides/getDoc.do?type=COMPARL&mode=XML&language=EN&reference=PE615.394&secondRef=03 title: PE615.394 committee: LIBE type: Committee opinion body: EP
  • date: 2018-03-27T00:00:00 docs: url: http://www.europarl.europa.eu/sides/getDoc.do?type=COMPARL&mode=XML&language=EN&reference=PE619.373 title: PE619.373 type: Committee draft report body: EP
  • date: 2018-04-23T00:00:00 docs: url: http://www.europarl.europa.eu/sides/getDoc.do?type=COMPARL&mode=XML&language=EN&reference=PE619.094&secondRef=02 title: PE619.094 committee: BUDG type: Committee opinion body: EP
  • date: 2018-04-30T00:00:00 docs: url: http://www.europarl.europa.eu/sides/getDoc.do?type=COMPARL&mode=XML&language=EN&reference=PE621.015 title: PE621.015 type: Amendments tabled in committee body: EP
  • date: 2018-04-30T00:00:00 docs: url: http://www.europarl.europa.eu/sides/getDoc.do?type=COMPARL&mode=XML&language=EN&reference=PE621.098 title: PE621.098 type: Amendments tabled in committee body: EP
  • date: 2018-05-22T00:00:00 docs: url: http://www.europarl.europa.eu/sides/getDoc.do?type=COMPARL&mode=XML&language=EN&reference=PE616.831&secondRef=02 title: PE616.831 committee: IMCO type: Committee opinion body: EP
  • date: 2019-03-05T00:00:00 docs: title: PE636.264 type: Amendments tabled in committee body: EP
  • date: 2019-04-17T00:00:00 docs: url: http://register.consilium.europa.eu/content/out?lang=EN&typ=SET&i=ADV&RESULTSET=1&DOC_ID=[%n4]%2F19&DOC_LANCD=EN&ROWSPP=25&NRROWS=500&ORDERBY=DOC_DATE+DESC title: 00086/2018/LEX type: Draft final act body: CSL
  • date: 2019-04-30T00:00:00 docs: title: SP(2019)393 type: Commission response to text adopted in plenary
  • date: 2017-12-19T00:00:00 docs: url: http://www.connefof.europarl.europa.eu/connefof/app/exp/COM(2017)0477 title: COM(2017)0477 type: Contribution body: DE_BUNDESRAT
  • date: 2018-02-05T00:00:00 docs: url: http://www.connefof.europarl.europa.eu/connefof/app/exp/COM(2017)0477 title: COM(2017)0477 type: Contribution body: CZ_CHAMBER
  • date: 2017-12-20T00:00:00 docs: url: http://www.connefof.europarl.europa.eu/connefof/app/exp/COM(2017)0477 title: COM(2017)0477 type: Contribution body: RO_SENATE
  • date: 2017-12-07T00:00:00 docs: url: http://www.connefof.europarl.europa.eu/connefof/app/exp/COM(2017)0477 title: COM(2017)0477 type: Contribution body: PT_PARLIAMENT
  • date: 2017-11-21T00:00:00 docs: url: http://www.connefof.europarl.europa.eu/connefof/app/exp/COM(2017)0477 title: COM(2017)0477 type: Contribution body: ES_PARLIAMENT
  • date: 2017-12-14T00:00:00 docs: url: http://www.connefof.europarl.europa.eu/connefof/app/exp/COM(2017)0477 title: COM(2017)0477 type: Contribution body: CZ_SENATE
events
  • date: 2017-09-13T00:00:00 type: Legislative proposal published body: EC docs: url: http://www.europarl.europa.eu/RegData/docs_autres_institutions/commission_europeenne/com/2017/0477/COM_COM(2017)0477_EN.pdf title: COM(2017)0477 url: https://eur-lex.europa.eu/smartapi/cgi/sga_doc?smartapi!celexplus!prod!DocNumber&lg=FR&type_doc=COMfinal&an_doc=2017&nu_doc=0477 title: EUR-Lex summary: PURPOSE: to enhance the organisational aspects of ENISA, the EU Cybersecurity Agency, with a view to ensuring an adequate level of cybersecurity in the Union and repeal Regulation (EU) 526/2013 on Information and Communication Technology cybersecurity certification (Cybersecurity Act). PROPOSED ACT: Regulation of the European Parliament and of the Council. ROLE OF THE EUROPEAN PARLIAMENT: the European Parliament decides in accordance with the ordinary legislative procedure and on an equal footing with the Council. BACKGROUND: the European Union has taken a number of actions to increase resilience and enhance its cybersecurity preparedness. Since the first EU Cybersecurity Strategy adopted in 2013, important developments have taken place, including the second mandate for the European Union Agency for Network and Information Security (ENISA) and the adoption of the Directive on security of network and information systems (NIS Directive), which form the basis for the present proposal. In 2016 the European Commission adopted a Communication on Strengthening Europe's Cyber Resilience System, in which further measures were announced to increase the EU’s resilience and preparedness. The Council recalled that the ENISA Regulation is one of the core elements of an EU cyber resilience framework and called upon the Commission to take further steps to address the issue of certification at the European level. In 2017, it welcomed the Commission's intention to review the Cybersecurity Strategy in September and to propose further targeted actions before the end of 2017. 
IMPACT ASSESSMENT: the impact assessment sought to mitigate problems such as the fragmentation of policies and approaches to cybersecurity across Member States; dispersed resources and fragmentation of approaches to cybersecurity across EU institutions, agencies and bodies; insufficient awareness and information of citizens and companies, coupled with the growing emergence of multiple national and sectoral certification schemes. The analysis led to the conclusion that a reformed ENISA in combination with an EU general ICT cybersecurity certification framework was the preferred option. CONTENT: overall, the proposal reviews the current mandate of ENISA and lays down a renewed set of tasks and functions, with a view to effectively and efficiently supporting Member States, EU institutions and other stakeholders' efforts to ensure a secure cyberspace in the European Union. The new proposed mandate seeks to give the Agency a stronger and more central role, in particular by also supporting Member States in implementing the NIS Directive and to counter particular threats more actively (operational capacity) and by becoming a centre of expertise supporting Member States and the Commission on cybersecurity certification. Specifically, the proposal seeks to establish: an EU Cybersecurity Agency, building on the European Agency for Network and Information Security (ENISA), which will improve coordination and cooperation across Member States and EU institutions, agencies and bodies; an EU cybersecurity certification framework that will ensure the trustworthiness of the billions of devices (“Internet of Things”) which drive today’s critical infrastructures, such as energy and transport networks, and also new consumer devices, such as connected cars. An EU Cybersecurity Agency: the Agency will be given a permanent mandate to assist Member States in effectively preventing and responding to cyber-attacks. 
It will improve the EU's preparedness to react by organising yearly pan-European cybersecurity exercises and by ensuring better sharing of threat intelligence and knowledge through the setting up of Information Sharing and Analyses Centres. It will help implement the Directive on the Security of Network and Information Systems which contains reporting obligations to national authorities in case of serious incidents. The Cybersecurity Agency would also help put in place and implement the EU-wide certification framework that the Commission is proposing to ensure that products and services are cyber secure. The proposal also includes the provisions facilitating the combating of fraud, corruption and other unlawful activities as well as staffing and budget provisions. An EU cybersecurity certification framework: at present, a number of different security certification schemes for ICT products exist in the EU. The Cybersecurity Agency, ENISA, will put in place and implement this certification process. The proposed EU-wide certification framework creates a comprehensive set of rules, technical requirements, standards and procedures to agree each scheme. Each scheme will be based on agreement at EU level for the evaluation of the security properties of a specific ICT-based product or service e.g. smart cards. The proposal establishes the main legal effects of European cybersecurity certification schemes, namely (i) the obligation to implement the scheme at national level and the voluntary nature of certification; (ii) the invalidating effect of European cybersecurity certification schemes on national schemes for the same products or services. It also lays down the procedure for the adoption of European cybersecurity certification schemes and the respective roles of the Commission, ENISA and the European Cybersecurity Certification Group. 
BUDGETARY IMPLICATIONS: the total appropriations for ENISA, including administrative expenditure, from 2019 to 2022 are estimated at EUR 86.038 million.
  • date: 2017-10-23T00:00:00 type: Committee referral announced in Parliament, 1st reading/single reading body: EP
  • date: 2017-11-20T00:00:00 type: Resolution/conclusions adopted by Council body: CSL
  • date: 2018-01-18T00:00:00 type: Referral to associated committees announced in Parliament body: EP
  • date: 2018-07-10T00:00:00 type: Vote in committee, 1st reading/single reading body: EP
  • date: 2018-07-10T00:00:00 type: Committee decision to open interinstitutional negotiations with report adopted in committee body: EP
  • date: 2018-07-30T00:00:00 type: Committee report tabled for plenary, 1st reading/single reading body: EP docs: url: http://www.europarl.europa.eu/sides/getDoc.do?type=REPORT&mode=XML&reference=A8-2018-0264&language=EN title: A8-0264/2018 summary: The Committee on Industry, Research and Energy adopted the report by Angelika NIEBLER (EPP, DE) on the proposal for a regulation of the European Parliament and of the Council on ENISA, the "EU Cybersecurity Agency", and repealing Regulation (EU) 526/2013, and on Information and Communication Technology cybersecurity certification (''Cybersecurity Act''). The committee recommended that the position of the European Parliament adopted at first reading following the ordinary legislative procedure amend the Commission proposal as follows: Mandate and tasks of the Agency: the EU Cybersecurity Agency shall be reinforced for the purpose of: (i) contributing to achieving a high common level of cybersecurity; (ii) preventing cyber-attacks within the Union; (iii) reducing fragmentation in the internal market and improving its functioning; (iv) ensuring consistency by taking into account the Member States’ cooperation achievements under the Directive on security of network and information systems (NIS Directive). The Agency shall respect the competences of Member States regarding cybersecurity, especially those concerning public security, defence, national security and the activities of the state in areas of criminal law. 
The main tasks of the Agency shall be, inter alia, to: promote cooperation, coordination and information sharing at Union level among Member States, Union institutions, agencies and bodies, and relevant stakeholders, on matters related to cybersecurity; support projects contributing to a high level of awareness, cyber hygiene and cyber literacy among citizens and businesses on issues related to cybersecurity; contribute towards raising the awareness of the public, including by promoting education, about cybersecurity risks and provide guidance on good practices for individual users aimed at citizens, organisations and businesses; assist Member States and Union institutions in establishing and implementing coordinated vulnerability disclosure policies and government vulnerability disclosure review processes, whose practices and determinations should be transparent and subject to independent oversight; facilitate the establishment and launch of a long-term European IT security project to support the development of an independent IT security industry across the Union; support operational cooperation among Member States, Union institutions, agencies and bodies, with a view to achieving collaboration, by analysing and assessing existing national schemes, by developing and implementing a plan and by using the appropriate instruments to achieve the highest level of cybersecurity certification in the Union and the Member States; contribute to an EU level response in case of large-scale cross-border cybersecurity incidents and crises, mainly by supporting the technical management of incidents or crises with the aid of its independent expertise and its own resources; organise, at least once a year, cybersecurity exercises across the Union. Organisation and management: Members suggest that ENISA further strengthens its capabilities and technical expertise to be able to provide adequate support for operational cooperation with Member States. 
For this purpose the Agency shall progressively reinforce its staff dedicated to this task so as to be able to collect and analyse autonomously different types of a wide range of cybersecurity threats and malware, perform forensic analysis and assist Member States in the response to large scale incidents. ENISA shall increase its know-how and capacities based on existing resources present in the Member States, notably by seconding national experts to the Agency, creating pools of experts, and staff-exchange programmes. The Agency shall set up an ENISA Advisory Group composed of recognised security experts representing the relevant stakeholders, such as the ICT industry – including SMEs, operators of essential services according to the NIS Directive, providers of electronic communications networks or services available to the public, consumer groups, academic experts in cybersecurity, European Standards Organisations (ESOs), and EU agencies. The ENISA Advisory Group shall set out the objectives in its work programme, which shall be published every six months to ensure transparency. The Agency shall also have a Stakeholders Certification Group as an advisory body, to ensure regular dialogue with the private sector, consumers’ organisations, academia and other relevant stakeholders. European cybersecurity certification schemes: Members consider that not only products and services should be covered by the regulation, but also the whole life cycle. Thus, processes have also to be included in the scope of application. 
The certification scheme shall ensure: the confidentiality, integrity, availability and privacy of services, functions and data; that services, functions and data can be accessed and used only by authorised persons and/or authorised systems and programmes; that a process is in place to identify and document all dependencies and known vulnerabilities in ICT products, processes and services; that ICT products, processes and services are secure by default and by design; that other risks linked to cyber-incidents, such as risks to life, health, the environment and other significant legal interests are minimised. Members suggested greater involvement from Member States and industry in the certification process. The Agency shall maintain a website with all relevant information on European cybersecurity certification schemes, including with regards to withdrawn and expired certificates and national certifications covered, and ensure that they are made public. Lastly, to promote the overall acceptance of certificates and conformity assessment results issued by conformity assessment bodies, Members proposed that national certification supervisory authorities operate a rigorous and transparent peer evaluation system and regularly undergo such evaluation.
  • date: 2019-01-14T00:00:00 type: Approval in committee of the text agreed at 1st reading interinstitutional negotiations body: EP
  • date: 2019-03-11T00:00:00 type: Debate in Parliament body: EP docs: url: http://www.europarl.europa.eu/sides/getDoc.do?secondRef=TOC&language=EN&reference=20190311&type=CRE title: Debate in Parliament
  • date: 2019-03-12T00:00:00 type: Results of vote in Parliament body: EP docs: url: https://oeil.secure.europarl.europa.eu/oeil/popups/sda.do?id=31443&l=en title: Results of vote in Parliament
  • date: 2019-03-12T00:00:00 type: Decision by Parliament, 1st reading/single reading body: EP docs: url: http://www.europarl.europa.eu/sides/getDoc.do?type=TA&language=EN&reference=P8-TA-2019-0151 title: T8-0151/2019 summary: The European Parliament adopted by 586 votes to 44, with 36 abstentions, a legislative resolution on the proposal for a regulation of the European Parliament and of the Council on ENISA, the European Union Cybersecurity Agency and repealing Regulation (EU) 526/2013, and on Information and Communication Technology cybersecurity certification ("Cybersecurity Act").

    The position of the European Parliament adopted at first reading under the ordinary legislative procedure has amended the Commission proposal as follows:

    Enhanced powers for the EU Cybersecurity Agency (ENISA)

    In order to ensure the proper functioning of the internal market while seeking to achieve a high level of cybersecurity, the proposed regulation would set out the objectives, tasks and organisational issues concerning ENISA (the European Union Agency for Cybersecurity).

    ENISA would carry out its tasks with the aim of achieving a high common level of cybersecurity throughout the Union, including by actively assisting Member States and EU institutions, bodies, offices and agencies to improve cybersecurity. It would serve as a reference point for cybersecurity advice and expertise for EU institutions, bodies, offices and agencies as well as for other relevant EU stakeholders. To this end, it should develop its own resources, including its technical capacities and skills.

    ENISA should, among other things:

    - assist Member States and EU institutions, bodies, offices and agencies in (i) building capacity and preparedness to prevent, detect and respond to cyber threats and incidents; (ii) developing and promoting cyber security policies to support the overall availability or integrity of the public core of the open Internet; and (iii) implementing, on a voluntary basis, policies on vulnerability disclosure;
    - promote information sharing and coordination at EU level, between Member States, EU institutions, bodies, offices and agencies and relevant public and private sector stakeholders on cybersecurity issues;
    - promote the use of European cybersecurity certification to avoid fragmentation of the internal market;
    - support Member States in the field of cybersecurity awareness and education by promoting closer coordination and the exchange of good practices between Member States. Such support could include the development of a network of national education contact points and a cybersecurity training platform;
    - raise public awareness of the risks associated with cybersecurity and provide guidance to citizens, organisations and businesses on good practices for individual users, including IT hygiene and digital skills;
    - facilitate the technical management of incidents with significant or substantial impact, in particular by supporting the voluntary sharing of technical solutions between Member States or by producing combined technical information, such as technical solutions voluntarily shared by Member States;
    - promote the concepts of security from the design stage and privacy from the design stage at EU level;
    - contribute, where appropriate, to cooperation with organisations such as the OECD, OSCE and NATO, for example through joint exercises in the field of cybersecurity.

    ENISA should keep the European Parliament regularly informed of its activities.

    National Liaison Officer Network

    The Management Board should establish, on a proposal from the Executive Director, a network of national liaison officers composed of representatives of all Member States (national liaison officers). This network would facilitate the exchange of information between ENISA and the Member States and would help ENISA to publicise its activities and disseminate the results of its work and recommendations to relevant stakeholders across the Union.

    European Cybersecurity Certification Framework

    The amended text creates the first European cybersecurity certification scheme to ensure that products, processes and services sold in EU countries comply with cybersecurity standards.

    The Commission should publish, no later than one year after the entry into force of the Regulation, a rolling work programme of the Union for European Cybersecurity Certification which identifies strategic priorities for future European cybersecurity certification schemes. It should maintain a dedicated website providing information on European cybersecurity certification schemes, European cybersecurity certificates and EU declarations of conformity.

    In order to ensure equivalence of standards across the Union for European cybersecurity certificates and EU declarations of conformity, national cybersecurity certification authorities would be subject to peer review.
  • date: 2019-04-09T00:00:00 type: Act adopted by Council after Parliament's 1st reading body: EP/CSL
  • date: 2019-04-17T00:00:00 type: Final act signed body: CSL
  • date: 2019-04-17T00:00:00 type: End of procedure in Parliament body: EP
  • date: 2019-06-07T00:00:00 type: Final act published in Official Journal docs: title: Regulation 2019/881 url: https://eur-lex.europa.eu/smartapi/cgi/sga_doc?smartapi!celexplus!prod!CELEXnumdoc&lg=EN&numdoc=32019R0881 title: OJ L 151 07.06.2019, p. 0015 url: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=OJ:L:2019:151:TOC
links/Research document
title
Briefing
url
http://www.europarl.europa.eu/thinktank/en/document.html?reference=EPRS_BRI(2017)614643
other
  • body: EC dg: url: http://ec.europa.eu/digital-single-market/dg-connect title: Communications Networks, Content and Technology commissioner: KING Julian
otherinst
  • name: European Economic and Social Committee
  • name: European Committee of the Regions
procedure/Mandatory consultation of other institutions
European Economic and Social Committee European Committee of the Regions
procedure/Modified legal basis
Rules of Procedure EP 159
procedure/Notes
  • 12/09/2018 Decision to enter into interinstitutional negotiations confirmed by plenary (Rule 69c)
procedure/dossier_of_the_committee
Old
ITRE/8/11042
New
  • ITRE/8/11042
procedure/final
title
Regulation 2019/881
url
https://eur-lex.europa.eu/smartapi/cgi/sga_doc?smartapi!celexplus!prod!CELEXnumdoc&lg=EN&numdoc=32019R0881
procedure/instrument
Old
Regulation
New
  • Regulation
  • Repealing Regulation (EU) 526/2013 2010/0275(COD)
procedure/other_consulted_institutions
European Economic and Social Committee European Committee of the Regions
procedure/stage_reached
Old
Awaiting committee decision
New
Procedure completed
procedure/subject
Old
  • 3.30.06 Information and communication technologies
  • 3.30.07 Cybersecurity, cyberspace policy
  • 3.30.25 International information networks and society, internet
  • 8.40.08 Agencies and bodies of the EU
New
3.30.06
Information and communication technologies, digital technologies
3.30.07
Cybersecurity, cyberspace policy
3.30.25
International information networks and society, internet
8.40.08
Agencies and bodies of the EU
procedure/summary
  • Repealing Regulation (EU) 526/2013
activities/2
date
2017-11-20T00:00:00
body
CSL
type
Council Meeting
council
General Affairs
meeting_id
3578
activities/1/committees/2/shadows/3
group
Verts/ALE
name
DALUNDE Jakop
committees/2/shadows/3
group
Verts/ALE
name
DALUNDE Jakop
activities/1/committees/2/shadows/1
group
ECR
name
TOŠENOVSKÝ Evžen
committees/2/shadows/1
group
ECR
name
TOŠENOVSKÝ Evžen
activities/1/committees/2/date
2017-10-27T00:00:00
activities/1/committees/2/rapporteur
  • group: EPP name: NIEBLER Angelika
activities/1/committees/2/shadows/2
group
EFD
name
BORRELLI David
committees/2/date
2017-10-27T00:00:00
committees/2/rapporteur
  • group: EPP name: NIEBLER Angelika
committees/2/shadows/2
group
EFD
name
BORRELLI David
activities/1/committees/2/shadows/1
group
ALDE
name
TELIČKA Pavel
committees/2/shadows/1
group
ALDE
name
TELIČKA Pavel
activities/1
date
2017-10-23T00:00:00
body
EP
type
Committee referral announced in Parliament, 1st reading/single reading
committees
committees/2/shadows
  • group: S&D name: KOUROUMBASHEV Peter
  • group: ENF name: LECHEVALIER Christelle
procedure/Mandatory consultation of other institutions
European Economic and Social Committee European Committee of the Regions
procedure/dossier_of_the_committee
ITRE/8/11042
procedure/stage_reached
Old
Preparatory phase in Parliament
New
Awaiting committee decision
activities/0/docs/0/text
  • PURPOSE: to enhance the organisational aspects of ENISA, the EU Cybersecurity Agency, with a view to ensuring an adequate level of cybersecurity in the Union and repeal Regulation (EU) 526/2013 on Information and Communication Technology cybersecurity certification (Cybersecurity Act).

    PROPOSED ACT: Regulation of the European Parliament and of the Council.

    ROLE OF THE EUROPEAN PARLIAMENT: the European Parliament decides in accordance with the ordinary legislative procedure and on an equal footing with the Council.

    BACKGROUND: the European Union has taken a number of actions to increase resilience and enhance its cybersecurity preparedness. Since the first EU Cybersecurity Strategy adopted in 2013, important developments have taken place, including the second mandate for the European Union Agency for Network and Information Security (ENISA) and the adoption of the Directive on security of network and information systems (NIS Directive), which form the basis for the present proposal. 

    In 2016 the European Commission adopted a Communication on Strengthening Europe's Cyber Resilience System, in which further measures were announced to increase the EU’s resilience and preparedness.

    The Council recalled that the ENISA Regulation is one of the core elements of an EU cyber resilience framework and called upon the Commission to take further steps to address the issue of certification at the European level. In 2017, it welcomed the Commission's intention to review the Cybersecurity Strategy in September and to propose further targeted actions before the end of 2017.

    IMPACT ASSESSMENT: the impact assessment sought to mitigate problems such as the fragmentation of policies and approaches to cybersecurity across Member States; dispersed resources and fragmentation of approaches to cybersecurity across EU institutions, agencies and bodies; insufficient awareness and information of citizens and companies, coupled with the growing emergence of multiple national and sectoral certification schemes.

    The analysis led to the conclusion that a reformed ENISA in combination with an EU general ICT cybersecurity certification framework was the preferred option. 

    CONTENT: overall, the proposal reviews the current mandate of ENISA and lays down a renewed set of tasks and functions, with a view to effectively and efficiently supporting Member States, EU institutions and other stakeholders' efforts to ensure a secure cyberspace in the European Union.

    The new proposed mandate seeks to give the Agency a stronger and more central role, in particular by also supporting Member States in implementing the NIS Directive and to counter particular threats more actively (operational capacity) and by becoming a centre of expertise supporting Member States and the Commission on cybersecurity certification.

    Specifically, the proposal seeks to establish:

    • an EU Cybersecurity Agency, building on the European Agency for Network and Information Security (ENISA), which will improve coordination and cooperation across Member States and EU institutions, agencies and bodies;
    • an EU cybersecurity certification framework that will ensure the trustworthiness of the billions of devices (“Internet of Things”) which drive today’s critical infrastructures, such as energy and transport networks, and also new consumer devices, such as connected cars.

    An EU Cybersecurity Agency: the Agency will be given a permanent mandate to assist Member States in effectively preventing and responding to cyber-attacks. It will improve the EU's preparedness to react by organising yearly pan-European cybersecurity exercises and by ensuring better sharing of threat intelligence and knowledge through the setting up of Information Sharing and Analysis Centres. It will help implement the Directive on the Security of Network and Information Systems, which contains reporting obligations to national authorities in case of serious incidents.

    The Cybersecurity Agency would also help put in place and implement the EU-wide certification framework that the Commission is proposing to ensure that products and services are cyber secure. The proposal also includes provisions facilitating the combating of fraud, corruption and other unlawful activities, as well as staffing and budget provisions.

    An EU cybersecurity certification framework: at present, a number of different security certification schemes for ICT products exist in the EU. The Cybersecurity Agency, ENISA, will put in place and implement this certification process. The proposed EU-wide certification framework creates a comprehensive set of rules, technical requirements, standards and procedures to agree each scheme. Each scheme will be based on agreement at EU level for the evaluation of the security properties of a specific ICT-based product or service e.g. smart cards.

    The proposal establishes the main legal effects of European cybersecurity certification schemes, namely (i) the obligation to implement the scheme at national level and the voluntary nature of certification; (ii) the invalidating effect of European cybersecurity certification schemes on national schemes for the same products or services. It also lays down the procedure for the adoption of European cybersecurity certification schemes and the respective roles of the Commission, ENISA and the European Cybersecurity Certification Group.

    BUDGETARY IMPLICATIONS: the total appropriations for ENISA, including administrative expenditure, from 2019 to 2022 are estimated at EUR 86.038 million.

committees/1/date
2017-09-25T00:00:00
committees/1/rapporteur
  • group: S&D name: DANTI Nicola
committees/0/date
2017-09-26T00:00:00
committees/0/rapporteur
  • group: S&D name: GEIER Jens
activities/0/commission/0
DG
Commissioner
KING Julian
other/0
body
EC
dg
commissioner
KING Julian
activities
  • date: 2017-09-13T00:00:00 docs: url: http://www.europarl.europa.eu/RegData/docs_autres_institutions/commission_europeenne/com/2017/0477/COM_COM(2017)0477_EN.pdf celexid: CELEX:52017PC0477:EN type: Legislative proposal published title: COM(2017)0477 body: EC commission: type: Legislative proposal published
committees
  • body: EP responsible: False committee_full: Budgets committee: BUDG
  • body: EP responsible: False committee_full: Internal Market and Consumer Protection committee: IMCO
  • body: EP responsible: True committee_full: Industry, Research and Energy committee: ITRE
  • body: EP responsible: False committee_full: Civil Liberties, Justice and Home Affairs committee: LIBE
links
other
    procedure
    reference
    2017/0225(COD)
    instrument
    Regulation
    legal_basis
    Treaty on the Functioning of the EU TFEU 114
    stage_reached
    Preparatory phase in Parliament
    summary
    Repealing Regulation (EU) 526/2013
    subtype
    Legislation
    title
    EU Cybersecurity Agency (ENISA) and information and communication technology cybersecurity certification (Cybersecurity Act)
    type
    COD - Ordinary legislative procedure (ex-codecision procedure)
    subject