ENISA Mandate and Regulatory Framework
The Regulation (EU) 2019/881, commonly known at the time of its adoption as the Cybersecurity Act, serves as the ENISA Mandate and Regulatory Framework. It delineates the structure and key responsibilities of ENISA, the European Union Agency for Cybersecurity, while also establishing a cybersecurity certification framework for ICT products, services, and processes throughout the EU. This regulation is a pivotal component of the EU’s strategy to enhance cybersecurity and create a harmonized digital single market.
Structure and Key Sections
- ENISA’s Mandate: The regulation permanently establishes ENISA, enhancing its role in supporting Member States and EU institutions to improve cybersecurity, serve as a hub for expertise, and reduce market fragmentation. ENISA is tasked with assisting in the development and implementation of EU policies, promoting capacity building, supporting operational cooperation, and raising public awareness about cybersecurity risks.
- Cybersecurity Certification Framework: A significant part of the regulation is dedicated to creating a European cybersecurity certification framework. This framework aims to establish common certification schemes across the EU to increase trust in ICT products, services, and processes. These schemes are designed to indicate the security assurance levels (basic, substantial, or high) and aim to unify the certification landscape, replacing national schemes with a coherent EU-wide approach.
- Administrative Structure: ENISA operates under a Management Board, an Executive Board, and an Advisory Group, ensuring it functions effectively and aligns with its expanded responsibilities. Additionally, a European Cybersecurity Certification Group (ECCG) is established to assist in the development and application of the cybersecurity certification framework.
- Review and Evaluation: The regulation includes provisions for regular assessments of ENISA’s impact and the effectiveness of the certification schemes. The first comprehensive review was scheduled for 2024, and subsequent reviews are to occur every five years.
- Repeal of Previous Regulation: The regulation repeals the earlier Regulation (EU) No 526/2013, reflecting the EU’s evolving approach to cybersecurity and the growing importance of a robust and unified response to cyber threats.
The CER Directive represents a significant step forward in the EU’s efforts to safeguard critical infrastructure from a wide range of threats. By establishing clear obligations for both member states and critical entities, the directive aims to create a more resilient and secure environment across the Union.