Cybersecurity Act

EESC opinion: Cybersecurity Act

Key points:

  • The EESC considers that ENISA's new permanent mandate as proposed by the Commission will significantly contribute to enhancing the resilience of European systems. However, the accompanying provisional budget and resources allocated to ENISA will not be sufficient for the agency to fulfil its mandate. The EESC recommends to all Member States to establish a clear and equivalent counterpart to ENISA, as most of them have not done it yet. The EESC also feels that, ENISA should prioritise actions to support e-government, should provide regular reports on the cyber-readiness of Member States focusing on sectors identified in Annex II to the NIS Directive and monitor the performance and decision-making of national certification supervisory authorities. The EESC supports the proposal to create a cybersecurity competence network sustained by a Cybersecurity Research and Competence Centre (CRCC).
  • The EESC recalls that the human factor constitutes one of the most important causes of cyber accidents. There is a need to build a strong cyber skills base and improve cyber hygiene also through awareness campaigns among individuals and businesses. The EESC supports the creation of an EU-certified curriculum for high schools and professionals.
  • The EESC believes that a European Digital Single Market needs a homogeneous interpretation of the rules for Cybersecurity and that a certification framework and schemes for the different sectors could provide a common baseline. Because different approaches must be provided for different sectors, the EESC believes that sectoral EU Agencies (EASA, ERA, EMA, etc.) should be involved in the process and in some cases, delegated to draw up cybersecurity schemes. Minimum European standards for IT security should be adopted in cooperation with CEN/CENELEC/ETSI. The envisaged European Cybersecurity Certification Group supported by ENISA should be made up of national certification supervisory bodies, private sector stakeholders, scientific and civil society actors. The EESC believes that certification activities cannot exclude a proper labelling system, to be applied also to imported products to reinforce consumers trust. With regards to funding, Europe should scale up investments converging different EU funds, national funds and private-sector investments towards strategic objectives in strong public-private cooperation, also through the creation of an EU Cybersecurity Fund for Innovation and R&D in the current and future Research Framework Programme. Furthermore, Europe should create a fund for deployment for the Cybersecurity, opening a new window in the current and future Connecting Europe Facility as well in the next EFSI 3.0.
  • Finally, the EESC believes a minimum security level is necessary for "ordinary" "Internet of People" (IoP) devices. In this case, certification is a key method of providing a higher level of security. Internet of Things (IoT) security should be a priority.