ENISA, the European Union Agency for Network and Information and Security, has been given a permanent role as the top EU cybersecurity body and the key judge of products to be assessed for cybersecurity weaknesses.
Reflecting the increased role of cybersecurity in governing society, the EU has made ENISA or the the European Union Agency for Network and Information and Security, a permanent fixture. ENISA will have a central role in coordinating EU nations’ responses to cybersecurity threats.
The newly passed Cybersecurity Act ends ENISA’s temporary role, which was set to end in 2020 after a renewal in 2013.
ENISA was the agency the EU proposed in 2017, with officials at the time admitting it was poorly prepared for cyberattacks that “can be more dangerous to the stability of democracies and economies than guns and tanks”
The agency will oversee the act’s new EU wide rules for the certification of products, processes and services, which could help improve the security of Internet of Things devices. ENISA will also become a permanent part of the EU going forward.
ENISA, which has traditionally been seen as a cybersecurity think tank without teeth, follows new rules in May that allow the EU Council to impose sanctions on non-EU cyber attackers. Individuals or entities can face sanctions, which include bans on traveling to the EU, freezing assets, and blocking EU funds for suspects.
The EU and ENISA’s elevated and permanent role is part of its “toolbox” for “a joint EU diplomatic response to malicious cyber activities” to throw its collective weight against potential cyber attackers.
Organizations within the EU have been caught off guard by recent major cyberattacks with the greatest exposure to the most high profile ransomware attacks in recent history, namely WannaCry and NotPetya. The UK's National Health Service (NHS) faced a £92m bill from WannaCry, while NotPetya cost European businesses over $1 billion, with Danish shipping and logistics firm Maersk reporting losses of over $300 million. More recently, Norwegian metal giant Norsk Hydro lost tens of millions while recovering from a ransomeware attack.
The European scheme will focus on what problems security and IT products could face in the wild. It will be broken down into product categories, cybersecurity standards or technical specifications, and whether the evaluation was carried out independently or by the organization itself.
All EU member states will recognize the certification level with the hope that it will make cross-border trade easier and less costly.
The EU is planning to introduce a certification scheme built around labels for “basic”, “substantial”, and “high” that matches the risk of a product.