What You Should Know About the EU Cybersecurity Act

April 6, 2022 • Devin Partida


What is the EU Cybersecurity Act? It seems like it was just yesterday that the General Data Protection Regulation (GDPR) became law for EU states. Why is there seemingly a new suite of digital security measures signed into law each week?

In a word, it’s because of hackers. The digital age makes cybersecurity a concern for any citizen, company, or even nonprofit that relies on the internet.

Governments can be a bulwark for their citizens if they have the right priorities and resources. Concerned lawmakers, watchdog groups and businesses across the globe find themselves busy warding off hackers. It’s taking some hidebound governments a while to catch up with the scope of the threat.

That threat is a seemingly never-ending list of major cybersecurity incidents. One list from the Center for Strategic & International Studies, dating back to 2006, is impressive in its own right. But it only represents major digital crimes against governments, defense installations, infrastructure and major companies. Many disconcerting events occur daily against lower-profile targets, such as small businesses.

No matter how small an entity might be, it probably has data that would be valuable in the right hands. Client lists, banking service logins and a host of other sensitive details sell daily on the Dark Web. Some of these go for $25 each. Others – like PayPal account access – are worth $340 or more.

Experts expect cybercrime to carry an annual global price tag of $10.5 trillion by the end of 2025. It sounds like a number too large to comprehend or affect an individual citizen. That is until you realize that anybody can be a target, no matter how small or large.

What Is the EU Cybersecurity Act?

In order to understand what the EU Cybersecurity Act is, you need to know about ENISA.

ENISA is the European Union Agency for Cybersecurity. The initials “ENISA” are a holdover from the organization’s original name. ENISA was formed in 2004 and has two headquarters in Athens, Greece.

The EU Cybersecurity Act was passed in June 2019 to give ENISA more resources and a more fully fleshed-out (and permanent) mandate within the European Union.

This is the stated mission of ENISA and the EU Cybersecurity Act:

  • Protect citizen and business cybersecurity through stronger EU cyber policies and improved information-sharing between public and private entities.
  • Design and enforce common cybersecurity standards for products and services across EU member states.
  • Provide a productive and mutually beneficial interface between policymakers (representing the public) and the private sector (representing capital).

ENISA commits to information-pooling and resource-sharing between businesses, the public and watchdog groups. Cybersecurity experts warn that the risk of cyber attacks on companies and critical infrastructure – from threats foreign and domestic – remains high.

For instance, during the global COVID-19 pandemic, incidents of ransomware, digital fraud, hacking attacks and other cyber crimes increased. This is likely a result of greater numbers of people performing their jobs over the internet or carrying out coursework through digital channels.

ENISA is one of many public-private organizations growing in concern and scope amid a period of intense public health crises and geopolitical strife – both of which coincide with upticks in instances of aggressive digital crimes. The equivalent of ENISA in the United States is CISA – the Cybersecurity and Infrastructure Security Agency.

The EU Responds to Cybercrime

What’s in the EU Cybersecurity Act?

Now that we understand ENISA’s mandate a bit better, we can understand how the EU Cybersecurity Act – known in official channels as EU Regulation 2019/881 – relates to it and prepares the Agency to protect EU citizens in an increasingly dangerous digital landscape.

First and most importantly, according to the European Commission, 2019’s EU Cybersecurity Act makes ENISA a permanent government regulatory body. It also changed its name, officially, to the EU Agency for Cybersecurity, although most references still mention “ENISA.”

This change in identity and permanence will manifest in the following responsibilities and oversight areas:

  • The EU Agency for Cybersecurity (ENISA) will actively work to develop cybersecurity certifications. These certifications would cover information and communications technology (ICT) products, electronic devices, digital services and other commercial-grade and consumer-level products.
  • ENISA will communicate with business owners and the public about the existence of these certification processes and the benefits of obtaining them through direct communication, the ENISA website and various digital resources.
  • ENISA will require member states in the European Union to create their own authoritative bodies responsible for cybersecurity certification adoption. One of their responsibilities will be to come up with penalties for non-compliance with the Act.
  • ENISA will create in-house assessment processes and leadership roles to ensure member states and participating organizations maintain and update their compliance measures as necessary.

The ultimate goal of the EU Cybersecurity Act is to – in the name of more robust cybersecurity for all – establish a united front across the entire European Union and its member states. This doesn’t just include a common set of “product and service certifications” – it’s bigger than that. It’s about creating a shared conversation about how to judge those products and services in the first place.

For example: what metrics determine whether a consumer-level smartwatch or an industrial-grade material sortation system or internet-connected medical-grade instruments are safe to use? With thousands of companies scrambling to make their mark on the digital future, both the consumer and industrial economies have many products of questionable quality, provenance and security measures.

The European Union has adopted a philosophy to answer this patchwork, piecemeal and oftentimes dangerous approach to cybersecurity. It has decided to expand the conversation even beyond the national level. The purpose of the EU Cybersecurity Act is to make the philosophy of transparency, strong regulation and information-sharing between public and private entities a permanent one and to raise the bar for every participating nation and each participating company within.

Will Cybersecurity Certification Become Mandatory in Europe?

For now, the cybersecurity certification schemes being worked on at ENISA are intended to be voluntary. It’s likely that won’t always be the case, however. The EU Agency for Cybersecurity will decide by 2023 whether the certifications will become mandatory for businesses doing business within the EU.

The Benefits of Standardized Cybersecurity Certifications

Whether voluntary or mandatory, holding companies that do business within EU borders to higher security standards is good for everybody. There are clear benefits both for consumers and the companies providing them with goods and services.

Cybersecurity governance creates open channels of communication through which entities can share information of concern with the public. It establishes precedents by which companies work proactively to avoid cybersecurity incidents, act swiftly to ameliorate them and remain conscientious about informing the affected stakeholders as soon as a problem arises.

Strong regulatory efforts like this one, with strong and vocal member participation, are also an excellent way to encourage innovation through shared and open-source industrial standards. Cybersecurity benefits from shared digital libraries, databases and tools vetted by a committed IT and cybersecurity community that users can audit and patch regularly.

Additionally, new products and services don’t need to be built from the ground up with all-new code. This can be a recipe for disaster in the form of unpatched exploits and vulnerabilities. Instead, innovators and entrepreneurs can use digital tools and components that are already functional and known to be safe.

Altogether, the EU Cybersecurity Act is a productive and encouraging step forward for the European Union. Participating nations have a lot to gain by shifting to a collaborative mindset for cybersecurity and so do the companies and citizens living and doing business there.