European Parliament agrees EU Cybersecurity Act

March 15, 2019

The European Parliament has announced that it will adopt the EU Cybersecurity Act 2018. The Act creates the first EU-wide cybersecurity certification scheme to ensure that certified products, processes and services sold in EU countries meet cybersecurity standards.

The European Parliament also adopted a resolution asking for the EU to take action in relation to the security threats associated with China’s increasing technological presence in the EU. Concerns have been expressed about recent allegations that 5G equipment may have embedded backdoors that would give Chinese authorities and manufacturers access to personal and private information in EU member states.

The Act has already been informally agreed with member states. It emphasises the importance of certifying critical infrastructure, including energy grids, water, energy supplies and banking systems, as well as products, processes and services. By 2023, the European Commission will assess whether any of the new voluntary schemes should be made mandatory.

The Cybersecurity Act also provides for a permanent mandate and more resources for the EU Cybersecurity Agency, ENISA, and reflects concern that third-country equipment vendors might present a security risk for the EU due to their own state security laws.

MEPs called on the European Commission and member states to provide guidance on how to tackle cyber threats and vulnerabilities when procuring 5G equipment.

Next steps

The Council of the European Union must now formally approve the Cybersecurity Act. The regulation will enter into force 20 days after it is published.

The resolution on Chinese IT presence in the EU will be sent to the Commission and to member states.