The regulation strengthens the role of ENISA and sets up a European certification scheme.

Background: The European Commission proposed a Regulation on cybersecurity in September 2017, with the view to strengthen the mandate of the European Network and Information Security Agency (ENISA) and to foster a common approach to cybersecurity across EU countries. The regulation was approved by the EU Parliament on 12 March 2019, and shortly after by the Council. Today, the Regulation, known as Cybersecurity Act, comes officially into force.

ENISA turns into a permanent agency: The agency, based in Athens, is no longer subject to a fixed-term mandate, as provided by the previous regulatory framework. It is now a permanent agency, with more staff and budget: it will employ a total of 125 people, compared to the current 84, and will more than double its funding in four years (from the current €11m to €23m). It will have tasks across five areas (policy development and implementation; operational cooperation; knowledge and information; capacity building; and market-related tasks within the new Cybersecurity Certification Framework).

How will the new certification framework work? ENISA, will prepare the technical ground for the certification schemes that will then be adopted by the EC. The EU-wide certification framework creates a comprehensive set of rules, technical requirements, standards and procedures. The resulting certificate will be recognised in all EU Member States, making it easier for businesses to trade across borders and for purchasers to understand the security features of the product or service. The use of certification schemes will remain voluntary.