The new Cybersecurity Law of the European Union

The Official Journal of the European Union has published the new Regulation 2019/881, which deals with key aspects related to cybersecurity. Its entry into force will take place on June 27 and aims to make a substantial jump in terms of improving protection against cyber vulnerabilities. We break down its most remarkable aspects.

The Digital Transformation that processes and services of companies are experiencing at an almost vertiginous pace means that the laws and regulations referred to it must be written or modified with certain frequency to adapt to the current situation.

Cybersecurity has become a key aspect in this regard. More and more cyber attacks are occurring that can create big problems for companies, public organizations and individuals.

According to a report by F5 Labs, which shows the results of cyber attacks received in Europe from December 2018 to March 2019, the Old Continent receives more cyber attacks than other areas of the planet. It is noteworthy that the majority of computer attacks received by the EU come from within its borders, with the Netherlands as its main source of origin.

In addition, the increasingly necessary interconnection and integration of different technologies and devices opens the door to new vulnerabilities.

Previously, the legislation regarding cybersecurity was the responsibility of each country, but the fact that these threats did not understand borders made it necessary to develop a legal framework that would support the management of cybersecurity at a European level.

In this environment, European Regulation 2019/881 has been developed, which deals with a current and transcendent aspect such as cybersecurity at all levels within the countries of the European Union.

This new law on cybersecurity, which derogates Regulation 526/2013, consists of two main axes on which it develops. On the one hand, it lays the foundations for the structure and operation of the European Agency for Cybersecurity (ENISA) and, on the other hand, it defines the standards that will allow the certification of cybersecurity of ICT within the Europe of the 28.

The European Agency for Cybersecurity (ENISA)

The European Network and Information Security Agency was founded in 2004 with the aim of establishing computer security measures for the welfare of citizens.

Headquartered in Greece, this European Union agency works with both, governments and private entities. Its main activities are focused on the study and development of activities and policies related to cybersecurity in all its areas, being able to highlight:

  • Development of cybersecurity capabilities.
  • Improve cooperation among governments, institutions and organizations of the European Union.
  • Design and implementation of cybersecurity exercises.
  • Writing reports on the current situation in Europe regarding cybersecurity.
  • Standardization and certification of cybersecurity.
  • Activities for awareness and dissemination.

With the new European Regulation 2019/881 is intended that ENISA is responsible for bringing together all member countries becoming the reference organization on issues of cybersecurity, reducing the existing fragmentation.

To achieve this objective, its activities, organization chart, work teams and the budget items destined for the agency have been redefined.

Ley sobre Ciberseguridad de la Unión Europea

The European framework for certification of cybersecurity

As we have already mentioned, this law was proposed as one of its objectives to unify criteria for the normalization of cybersecurity actions, one more step in the creation of a European digital single market.

In order for products and services of a technological nature to enjoy all the security guarantees, it will be necessary to define schemes that certify their cybersecurity. These schemes must be properly defined (objectives, elements, levels of application, adoption processes, evaluation, review, etc.).

In addition, lists of products, services and processes that have been evaluated according to the cybersecurity conditions required in these schemes will be published. All this information, including the schemes, will be published on the ENISA website.

Manufacturers who wish to avail themselves of these measures must meet certain requirements, among which we can highlight:

  • Provide users with recommendations regarding the installation, configuration, operation and maintenance of the product or service.
  • Have your updates available.
  • Send the user information about possible cybersecurity problems.
  • Give access to records where the vulnerabilities of the product or service are reflected.

This certification of cybersecurity will have, with some exceptions, a voluntary nature and will serve as a method for self-assessment of the company in terms of computer security.

In an increasingly digital society, protecting the availability, authenticity, integrity and confidentiality of the data that is stored, processed and / or circulated has become one of the main workhorses of national and international authorities.

As a result of this desire to improve cybersecurity, the new Cybersecurity Law of the European Union has emerged, which reforms the structures and work mechanisms involved in this aspect.

The digital signature is one of the subjects in which it is very important to apply timely and robust cybersecurity actions. One of these is known as double factor authentication, which takes place with at least two layers of security, such as, among others, a password, a code sent by SMS or Email or a biometric fingerprint.

We will continue working to achieve the digital security of the signature processes in the companies. Advances like the one that the European Union is now making represent great steps for all the physical and legal persons of our Community. We will continue informing you!