Cyber-attacks are on the increase, and a connected economy and society that is more vulnerable to cyber threats and attacks requires stronger defences.

In light of the increased cybersecurity challenges faced by the EU, there is a need for a comprehensive set of measures that would build on previous EU action and foster mutually reinforcing objectives.

The EU is set to enhance its cyber resilience by setting up an EU-wide certification framework for information and communication technology (ICT) products, services and processes; the framework will be implemented by the “Cybersecurity Act”.

The stated goal for the Cybersecurity Act is to build consumer trust while continuing construction of a single EU digital marketplace. The push for certification also goes hand in hand with the EU’s Network Infrastructure Security Directive (NISD), which came into effect in May 2018 and is designed to protect important sectors such as banking, energy and technology from cyber-attacks.

The proposed framework will provide EU-wide certification schemes as a comprehensive set of rules, technical requirements, standards and procedures. Consumers and businesses will be provided with information which will make the security features of ICT products more transparent and mutually comparable and increase trust in digital services. Participation in EU certification schemes will be voluntary, unless otherwise specified by an individual Member State.

Currently Member States are free to create their own cyber-related certification initiatives, which creates many issues. The new certificates will be valid in all EU countries, making it easier for users to gain confidence in the security of these technologies, and for companies to carry out their business across borders.

The proposal will also upgrade the current European Union Agency for Network and Information Security (ENISA) into a permanent EU agency for cybersecurity. ENISA will not only provide expert advice, but will also perform operational and crisis management tasks. It will organise regular EU-level cybersecurity exercises, and support and promote EU policy on cybersecurity certification.

However, there is a danger that labelling products as “certified” will create a sense that the products are secure and absolutely safe. While the Cybersecurity Act makes clear that nothing can guarantee 100 per cent security, consumers may be drawn to certified products based on their belief that the information processed through the products is protected.

Another issue arises when you consider the origin and portability of ICT devices. Regulatory issues arise when a US-manufactured ICT device sends data from the EU to the US. The EU General Data Protection Regulation and NISD both regulate such cross-border transfers, but it is unclear at this point how the proposed Cybersecurity Act will incorporate the principles of these regulations.

On Brexit, the UK will need to enter into negotiations to agree its future relationship with ENISA. Negotiations on the proposed regulation will commence at the end of October 2018, and are unlikely to conclude before the UK leaves the EU in 2019.

If you have any questions regarding the regulations please contact one of our expert Commercial lawyers, on 0161 941 4000 or at
