EU Cybersecurity Act makes ENISA mandate permanent

The EU’s Cybersecurity Act, agreed in December 2018, was passed with the aim of better supporting member states tackling cybersecurity threats and attacks. Its implementation will see the harmonisation of cybersecurity certification across the union and make permanent the mandate given to the European Union Agency for Network and Information Security (ENISA).

ENISA’s previously temporary mandate had been due to expire in 2020, but the agreement reached by the European Parliament, European Council and European Commission will now see the directive become permanently secured. Agreed just months after California voted to ban generic passwords in what was seen as a cybersecurity boon, the Act will also provide ENISA with more resources and a stronger basis for a new, EU-wide certification framework.

The new framework for cybersecurity certification will boost the security of online service and consumer devices connected to the Internet of Things. The framework will be the first internal market law of its kind and will enable consumers to ascertain the level of security assurance across their services and devices.

It is claimed that the measure will remove market entry barriers and create “significant cost saving” for small and medium-sized enterprises, who would have had to apply for several licenses to cover them in differing countries otherwise.

Based in Athens and Crete, ENISA previously had one of the EU’s smallest budgets for an official body, receiving just under £9.2 million from the European Communities Subsidy in 2018. In its new permanent capacity, it will broaden its capabilities at EU level, supporting capacity building and acting as an independent centre of expertise with the remit of promoting high levels of awareness regarding cybersecurity. The body will also work with EU institutions and member states to develop and implement cybersecurity policies.

The legislation was drafted specifically with the proliferation of connected personal devices and the emergence of the Internet of Things that has significantly widened the potential attack area of the organisations involved. With the number of connected personal devices predicted to rise to 75 billion worldwide by 2025, the move was made to avoid the reoccurrence of attacks such as the Mirai malware attack that turned devices running Linux into remote bots.

ENISA’s certification will be voluntary and will come in three levels of a traffic light system of security assurance: basic (red), substantial (orange) and high (green). The EU have said that manufacturers and service providers will be able to carry out their own assessments themselves to attain the basic level of certification. The requirements common across all three levels of certifiability are: secure out of the box configuration, signed code, secure update and exploit mitigations and full stack/heap memory protections.

In a statement, European Commissioner for Digital Economy and Society, Mariya Gabriel said that incidents such as the Wannacry ransomware attack that affected organisations such as the NHS and the NotPetya attack on the Ukraine had been “wake-up calls”. She said that she believed the deal improved the EU’s “overall security and supports business competitiveness”.