
What Your Business Needs to Know about the EU Cybersecurity Certification Framework

With the dawn of a new decade comes the emergence of a new technological revolution — 5G. It’s the next generation of wireless communications and will provide individuals with unprecedented internet speeds. To put this in perspective, where it might take over a minute to completely download an HD music video from YouTube on your current 4G/LTE network, it will take a matter of seconds to download the same video on a 5G network. Moreover, 5G will facilitate a boom in internet-connected (“connected”) devices during this decade. From connected cars to connected refrigerators, the opportunities are endless.

Unfortunately, with increased connectivity comes an increased risk of cyber threats. In addition to disruptions to business operations caused by a data security event, the regulatory consequences can be even more severe. For example, the EU General Data Protection Regulation (GDPR) requires covered businesses to disclose the occurrence of a data breach within 72 hours of discovery of the breach. In addition, GDPR’s penalties for noncompliance can be significant — fines as high as €20 million or four percent of total global revenues, whichever amount is higher.  

Securing information and communication technologies will be critical to preventing data breaches and to ensuring compliance with GDPR. Until recently, however, there was no cybersecurity certification framework through which a business could demonstrate compliance with GDPR’s security requirements.

Fortunately, this past summer the EU Cybersecurity Act (“Act”) took effect, creating a framework for a voluntary EU-wide cybersecurity certification program. This article reviews the GDPR’s cybersecurity requirements and explains how the Act’s cybersecurity certification framework ushers in a new era for the EU Digital Single Market.

GDPR cybersecurity requirements  

GDPR established privacy as a fundamental human right in the European Union and designated security as one of the pillars necessary to guarantee that right. In daily practice, clients often ask how they can show that their cybersecurity program is GDPR-compliant. 

Giving a satisfactory answer is a challenge, because business abhors uncertainty and distrusts the lawyerly “it depends.” The difficulty stems from the fact that, while GDPR spells out all of its other principles in detail in Article 5, what amounts to appropriate security measures is addressed only vaguely in Article 32.

GDPR directs controllers and processors to conduct a risk analysis that takes into account “the state of the art, the costs of implementation and the nature, scope, context, and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.” GDPR also directs controllers and processors to implement unspecified but “appropriate technical and organizational measures to ensure a level of security appropriate to the risk.” 

This vague language contrasts with GDPR Preamble Paragraphs 2 and 13, which attempt to reconcile the data subject’s right of privacy with the GDPR’s objective of promoting the “free movement of personal data within the internal market” in order to accomplish “economic and social progress” and “legal certainty and transparency for economic operators.”

Further complicating matters is Article 42. Article 42 refers businesses to a future data protection certification mechanism that may be used as an “element by which to demonstrate compliance with the requirements” of the article. In turn, Article 42 encourages the establishment of a data protection certification mechanism whose purpose is to help controllers and processors demonstrate compliance with GDPR. Article 42 further notes that the certification mechanism must be voluntary and must scale to both small and large enterprises.

Until recently, the only tools available to help businesses demonstrate compliance with GDPR’s security requirements were ISO 27001 certification, the NIST framework (which in practice applies only in the United States and offers no certification), and various industry-specific standards such as HITRUST in the US health sector.

EU Cybersecurity Act 

The EU Cybersecurity Act took effect in June 2019 and has two key purposes:

  1. Strengthen the European Union Agency for Network and Information Security (ENISA) by making it a permanent agency and enhancing its role in promoting a high level of cybersecurity in the European Union; and 
  2. Establish the first EU-wide cybersecurity certification framework to create a common certification in the EU Digital Single Market and improve cybersecurity standards for information and communications technology (ICT) devices, products, and services.  

The cybersecurity certification framework (“Framework”) is a critical portion of the EU Cybersecurity Act because it will help harmonize cybersecurity standards in the EU Digital Single Market. ENISA is empowered to help design various certification schemes for different categories of ICT devices, products, and services based on the Framework’s requirements and objectives. Once certification schemes are in place, businesses will be able to voluntarily obtain certifications that are valid across the European Union.  

ICT devices, products, and services will be certified at one of three assurance levels: basic, substantial, or high. Each assurance level has its own evaluation process, and the evaluation requirements become more rigorous at each successive level. Certifications at the basic assurance level demonstrate compliance by self-assessment.

In contrast, assessments for substantial and high assurance levels must be conducted by a third party, such as a national cybersecurity certification authority. Penalties for violations of the Framework or of a specific certification scheme will be developed and implemented by each EU member state and shall be “proportionate and dissuasive.”

Conclusion  

The EU Cybersecurity Act brings much-needed certainty to the task of demonstrating compliance with the GDPR’s security requirements. The Act and the certification schemes that follow from it will also help businesses better protect their connected and ICT devices, products, and services.

If you do business in the European Union, you should continue to monitor the development of certification schemes by ENISA and consider pursuing such certifications once implemented to better protect your business interests in the European Union.

About the Authors

Veronica Pastor is deputy general counsel at the Association of Corporate Counsel and focuses on privacy, cybersecurity, and international contracts.

Matthew Diaz is an associate at Ice Miller LLP and focuses his practice on data security, privacy, and telecommunications.
