What is the European Union Cyber Security Act?
The EU Cyber Security Act was approved by the European Parliament on March 12, 2019. It is part of the cyber security package that the European Union announced in 2017. The act includes a plan for a universal security certification of ICT and IoT products across the EU member states, which will replace national certifications, except those for national security purposes. The act ensures that the new certifications “should be non-discriminatory and based on European or international standards.” Once in force, the act will reduce the cost of certification.
It does this by creating one uniform system, instead of the current system of individual country certifications. It also strives to reduce inconsistencies and conflicts between national certifications. Another goal is to help cultivate more trust between companies and consumers.
The act includes a product rating scale: ‘basic’, ‘substantial’, or ‘high’. A product's rating will correspond to the level of risk the consumer is exposed to when using it. The rating, in turn, sets how rigorous the standards are that the product must conform to, and it will help inform consumers when making purchases in that market.
Beyond informing customers, the act will be enforced by national cyber security authorities, and penalties will be set for breaching the certification plans.
Where Did It Come From?
The cyber security package was announced in 2017 in the State of the European Union address given by Jean-Claude Juncker. Juncker rated cyber threats as one of the highest priorities for the EU to address, second only to fighting climate change. Although the European Parliament has approved the act, the Commission must still approve it before it is implemented.
How Could It Impact American Business?
It is unclear whether the act will actually save companies in the ICT industry any money. While the unified certification would make it easier to be certified across the EU instead of applying to each country individually, becoming compliant with the certification could be an expensive step for companies.
Legally, the act may benefit companies when an incident does occur. If a company has shown due effort to comply with the EU certification requirements and with ENISA, which will largely be in charge of regulating manufacturers, a customer seeking restitution for losses could turn to the EU instead of the company. This is because the certification could create a false sense of security among consumers, who may think a certified device is 100% safe from security breaches when, in reality, that is impossible.
Once the company has shown its compliance with the law, the law itself would then be the problem, shifting responsibility from the company to the EU.
Until 2023, product certification is voluntary; at that time the plans will be revisited and it will be decided whether certification should become mandatory. In the coming year, the Commission will write a plan for businesses in the industry on strategies for future certifications.