Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...
By Sara Merken
Companies could get products like smart medical devices and connected cars certified by the same standards across all European Union member states, under a proposal currently being negotiated.
The EU Cybersecurity Act aims for a single certification scheme for information and communication technology (ICT) devices, on products ranging from video game consoles to fire alarms. Some European countries, however, have their own cybersecurity certification rules, creating potential conflicts within the 28-nation bloc.
The Council of the EU June 8 agreed on its position about the proposal. That allows for future negotiations with the European Parliament. The Council and Parliament will then need to agree on a final text for it to become law.
The goal of an EU-wide certification plan is building more consumer trust in products, the draft legislation says. The EU Cybersecurity Act is part of Europe’s push towards a digital single market. It would be the latest EU measure touching on cybersecurity, after the Network and Information Security (NIS) Directive of 2016 and the General Data Protection Regulation, which kicked in May 25.
“While an increasing number of devices are connected to the Internet, security and resilience are not sufficiently built in by design, leading to insufficient cybersecurity” the draft says.
The proposed legislation aims to “decrease entry barriers and fragmentation among different national certifications. Whether this will be the case in practice remains to be seen,” according to Diletta De Cicco, a privacy and cybersecurity legal consultant, and Charles-Albert Helleputte, a partner with experience in data protection matters, both with Mayer Brown LLP’s Brussels office.
“At EU political level, the idea is that more harmonization should strengthen cross border trade for technological products and foster innovation,” De Cicco and Helleputte told Bloomberg Law in an email.
The pending production certification proposal “demonstrates that cybersecurity is high on the EU political agenda,” Helleputte and De Cicco said.
The proposal would bolster the status of the EU Agency for Network and Information Security (ENISA) to make it a permanent EU cybersecurity agency. The agency currently serves as a body of expertise on cybersecurity. ENISA would get new powers to support member states and EU institutions on cybersecurity issues. It would also be able to organize cybersecurity exercises.
ENISA would be responsible for carrying out product certifications. Certifying products would be voluntary for companies unless otherwise stated in EU or member states’ law.
The act would create a set of technical requirements and rules related to production certification—with security a high priority. But many details are yet to be worked out.
“One thing is clear: we will not be using the same techniques to be certifying things like toasters to light bulbs to air crafts to cars,” Steve Purser, ENISA’s head of core operations, told Bloomberg Law.
Peter McLaughlin, a Boston-based partner who leads Burns & Levinson LLP’s privacy and cybersecurity practice, said European regulators will have a big challenge at times even defining certification.
“For example, will it mean that the product as released includes appropriate encryption for data?” he said. “Or will it mean that the product can be updated remotely and automatically by the manufacturer so that safeguards keep up with identified vulnerabilities?”
All Bloomberg BNA treatises are available on standing order, which ensures you will always receive the most current edition of the book or supplement of the title you have ordered from Bloomberg BNA’s book division. As soon as a new supplement or edition is published (usually annually) for a title you’ve previously purchased and requested to be placed on standing order, we’ll ship it to you to review for 30 days without any obligation. During this period, you can either (a) honor the invoice and receive a 5% discount (in addition to any other discounts you may qualify for) off the then-current price of the update, plus shipping and handling or (b) return the book(s), in which case, your invoice will be cancelled upon receipt of the book(s). Call us for a prepaid UPS label for your return. It’s as simple and easy as that. Most importantly, standing orders mean you will never have to worry about the timeliness of the information you’re relying on. And, you may discontinue standing orders at any time by contacting us at 1.800.960.1220 or by sending an email to email@example.com.
Put me on standing order at a 5% discount off list price of all future updates, in addition to any other discounts I may quality for. (Returnable within 30 days.)
Notify me when updates are available (No standing order will be created).
This Bloomberg BNA report is available on standing order, which ensures you will all receive the latest edition. This report is updated annually and we will send you the latest edition once it has been published. By signing up for standing order you will never have to worry about the timeliness of the information you need. And, you may discontinue standing orders at any time by contacting us at 1.800.372.1033, option 5, or by sending us an email to firstname.lastname@example.org.
Put me on standing order
Notify me when new releases are available (no standing order will be created)