The EU is Taking Cybersecurity More Seriously. Are You?

by Nov 21, 2019

Cybersecurity is an issue that is becoming more important every day. A quick glance at the news is liable to alert you to a new data breach that has put sensitive and personal data at risk. In some cases, millions of individuals are affected by having the information they have entrusted to a third-party compromised, misused or stolen. As society continues its evolution toward more reliance on computer systems and networks, the need to adequately address cybersecurity concerns gains greater importance.

While individual organizations may concentrate more resources on the problem, instituting strong and enforceable cybersecurity regulations has been something that is sorely lacking. But just as they have led the way in enhanced data privacy with the General Data Protection Regulation (GDPR), the European Union (EU) is changing the game regarding cybersecurity standards. The newly enacted EU Cybersecurity Act mandates changes that will impact EU countries and citizens as well as companies that do business with them.

What is the EU Cybersecurity Act?

The EU Cybersecurity Act was adopted on April 17, 2019, and became effective June 27, 2019. Some of its provisions will not be put in place until June 28, 2021.

It is comprised of two parts. The first gives the European Agency for Network and Information Security (ENISA) a permanent role. The agency now has a permanent mandate to perform technical advisory as well as operational activities that revolve around helping EU Member States prevent, detect and react to cyber incidents.

The second part of the Act establishes an EU cybersecurity certification framework focused on information and communication technology (ICT) products, services, and processes. Conformity with the Act and penalties for non-compliance will be handled by bodies formed in the individual EU’s Member States. The purpose of the act is to foster public trust in the digital solutions that impact the privacy and security of an individual’s sensitive and personal data.

The items covered by the Act are broadly defined and essentially encompass all types of hardware and software products.

  • ICT products are any element or group of elements that are part of a network or information system.

  • ICT services are those which involve the transmission, storage, retrieval and processing of information using networks and information systems.

  • ICT processes are any set of activities used to design, develop, provide or maintain ICT products and services.

Those definitions pretty much cover everything that an IT hardware or software company does. The Act will evolve through the adoption of certification schemes that will be introduced to address current laws or policies, the state of emerging cyber threats, and market demand. The European Cybersecurity Certification Group (ECCG) and the Stakeholder Cybersecurity Certification Group (SCCG) fill an advisory role and will make recommendations regarding the standardization and certification schemes that will be enacted.

A five-step process will be used for the development and adoption of a new certification scheme. The steps are:

  1. A certification scheme is suggested by the ECCG or SCCG;
  2. The European Commission requests that ENISA prepares a draft certification;
  3. ENISA prepares a draft of the scheme;
  4. ENISA consults with industry, stakeholders, and standards groups;
  5. The scheme is adopted by the EU.

Certification schemes can specify a basic, substantial or high assurance level based on the risk of the item being certified. The goal of ENISA is to have a consistent flow of certification standards that go through the multi-step process before implementation. Certifications will be prioritized to address high-risk items that have a wide impact on the IT community.

The Impact of the Act on U.S. Companies

Companies outside of the EU that wish to remain competitive will need to comply with specific standards that affect their product or risk being seen as an inferior solution. Businesses should monitor ENISA and EU websites for updates on new certification schemes. Decisions need to be made concerning the viability of non-compliance and any penalties that may be enforced. They may also have to navigate situations where EU and U.S. standards clash.

Remaining Compliant with Cybersecurity Regulations

The risks of noncompliance with any cybersecurity or privacy regulations can be severe. One of the tasks associated with addressing certifications developed by ENISA is to understand the sensitive data that needs to be protected when providing a given service or product. This implies finding where in your systems this type of information is stored.

IDERA’s SQL Compliance Manager offers a comprehensive platform from which to identify the sensitive data in your databases and create reports to provide compliance evidence. The tool includes settings that address many current compliance standards as well as the ability to create customized audit configurations to deal with new and changing standards. It can help your business prepare for the coming wave of EU cybersecurity standards. SQL Compliance Manager enables you to be serious about the security of your data.