How the EU is Ensuring that Companies take Cyber-Security Seriously

The Official Journal of the European Union published the new Regulation 2019/881, which addresses key aspects related to cybersecurity.

It entered into force on June 27 and aims to make a substantial leap in terms of improving protection against cyber vulnerabilities. We break down its highlights with the help of Virtual Armour who helped us in analyzing the regulations.

The Digital Transformation that the processes and services of the companies are experiencing at an almost dizzying pace means that the laws and regulations related to it have to be drafted or modified with some frequency to adapt to the current situation.

Cybersecurity has become a key aspect in this regard. There are more and more cyber attacks that can create big problems for companies, public organizations, and individuals.

According to a report by F5 Labs, which shows the results of cyberattacks received in Europe from December 2018 to March 2019, the Old Continent receives more cyberattacks than other areas of the planet.

It is noteworthy that the majority of the IT attacks the EU receives come from within its borders, with the Netherlands as its main source of origin.

In addition, the increasingly necessary interconnection and integration of different technologies and devices open the door to new vulnerabilities.

Previously, legislation related to cybersecurity was the responsibility of each country, but the fact that these threats did not understand borders made it necessary to develop a legal framework that would regulate cybersecurity management at the European level.

In this environment, the European Regulation 2019/881 has been developed, which deals with an aspect as current and transcendent as that of cybersecurity at all levels within the countries of the European Union.

This new law on cybersecurity, which repeals Regulation 526/2013, consists of two main axes on which it is developed. On the one hand, it lays the foundations of the structure and operation of the European Agency for Cybersecurity (ENISA) and, on the other, it defines the standards that will allow certifying the cybersecurity of ICTs within the Europe of the 28.

The European Agency for Cybersecurity (ENISA)

The European Network and Information Security Agency were founded in 2004 with the aim of establishing computer security measures for the well-being of citizens.

Based in Greece, this European Union agency works with both governments and private entities. Its main activities focus on the study and development of activities and policies related to cybersecurity in all its areas, including:

• Development of cybersecurity capabilities.
• Improve cooperation between governments, institutions, and organizations of the European Union.
• Design and implementation of cybersecurity exercises.
• Writing reports on the current European situation in cybersecurity.
• Standardization and certification of cybersecurity.
• Activities for awareness and dissemination.

With the new European Regulation 2019/881, it is intended that ENISA is responsible for bringing together all member countries by becoming the reference body on cybersecurity issues, reducing existing fragmentation.

In order to achieve this objective, its activities, organization chart, work teams and budget items for the agency have been redefined.

The European cybersecurity certification framework

As we have commented, this law was considered as one of its objectives to unify the criteria for the normalization of cybersecurity measures, another step in the creation of a single European digital market.

In order for technological products and services to enjoy all security guarantees, it will be necessary to define schemes that certify their cybersecurity. These schemes must be properly defined (objectives, elements, levels of application, adoption processes, evaluation, review, etc.).

In addition, lists of products, services, and processes that have been evaluated according to the cybersecurity conditions required in these schemes will be published. All this information, including the schemes, will be published on the ENISA website.

Manufacturers wishing to benefit from these measures must meet certain requirements, among which we can highlight:

• Provide users with recommendations regarding the installation, configuration, operation, and maintenance of their product or service.
• Have your updates available.
• Send the user information about possible cybersecurity problems.
• Give access to records where the vulnerabilities of the product or service are reflected.

This cybersecurity certification will, with exceptions, be voluntary and will serve as a method for the company’s self-assessment in terms of computer security.

In an increasingly digital society, protecting the availability, authenticity, integrity, and confidentiality of the data that is stored, processed and/or circulated has become one of the main workhorses of national and international authorities.

As a result of this desire for improvement in cybersecurity, the new Cyber ​​Security law of the European Union has emerged, which reforms the structures and work mechanisms involved in this aspect.

We will continue working to achieve the digital security of the signature processes in the companies. Advances like the one the European Union is now making are great steps for all-natural and legal persons in our Community. We will keep you informed!

The General Data Protection Regulation (GDPR) applied on 25 May 2018, this new law applies to all companies that collect and process data belonging to the European Union (EU) citizens.