Download checklistGet ready with our self assesment

ENISA Mandate and Regulatory Framework

Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019 on ENISA (the European Union Agency for CybersecurityCybersecurity ‘cybersecurity’ means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; - Definition according Article 6 Directive (EU) 2022/2555 (NIS2 Directive) 'cybersecurity’ means the activities necessary to protect network and information systems, the users of such systems, and other persons affected by cyber threats; - Definition according Article 2, point (1), of Regulation (EU) 2019/881;) and on information and communications technology cybersecurity certification and repealing Regulation (EU) No 526/2013 (Cybersecurity Act)

The Regulation (EU) 2019/881, commonly known at the time of its adoption as the Cybersecurity Act, serves as the ENISA Mandate and Regulatory Framework. It delineates the structure and key responsibilities of ENISA, the European Union Agency for Cybersecurity, while also establishing a cybersecurity certification framework for ICT products, services, and processes throughout the EU. This regulation is a pivotal component of the EU’s strategy to enhance cybersecurity and create a harmonized digital single market.

Structure and Key Sections

  1. ENISA’s Mandate: The regulation permanently establishes ENISA, enhancing its role in supporting Member States and EU institutions to improve cybersecurity, serve as a hub for expertise, and reduce market fragmentation. ENISA is tasked with assisting in the development and implementation of EU policies, promoting capacity building, supporting operational cooperation, and raising public awareness about cybersecurity risks.
  2. Cybersecurity Certification Framework: A significant part of the regulation is dedicated to creating a European cybersecurity certification framework. This framework aims to establish common certification schemes across the EU to increase trust in ICT products, services, and processes. These schemes are designed to indicate the security assurance levels (basic, substantial, or high) and aim to unify the certification landscape, replacing national schemes with a coherent EU-wide approach.
  3. Administrative Structure: ENISA operates under a Management Board, an Executive Board, and an Advisory Group, ensuring it functions effectively and aligns with its expanded responsibilities. Additionally, a European Cybersecurity Certification Group (ECCG) is established to assist in the development and application of the cybersecurity certification framework.
  4. Review and Evaluation: The regulation includes provisions for regular assessments of ENISA’s impact and the effectiveness of the certification schemes. The first comprehensive review was scheduled for 2024, and subsequent reviews are to occur every five years.
  5. Repeal of Previous Regulation: The regulation repeals the earlier Regulation (EU) No 526/2013, reflecting the EU’s evolving approach to cybersecurity and the growing importance of a robust and unified response to cyber threats.

The CER Directive represents a significant step forward in the EU’s efforts to safeguard critical infrastructure from a wide range of threats. By establishing clear obligations for both member states and critical entities, the directive aims to create a more resilient and secure environment across the Union.

Get NIS 2 Supply Chain RiskRisk Means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident. - Definition according Article 6 Directive (EU) 2022/2555 (NIS2 Directive) Checklist

Download our free NIS2 Supply Chain Risk Checklist to ensure your organization meets the latest cybersecurity compliance standards effortlessly.