ENISA and a new cybersecurity act [EU Legislation in Progress]

In September 2017, the Commission adopted a cybersecurity package with new initiatives to further improve EU cyber-resilience, deterrence and defence. As part of these, the Commission tabled a legislative proposal to strengthen the EU Agency for Network Information Security (ENISA). Following the adoption of the Network Information Security Directive in 2016, ENISA is expected to play a broader role in the EU’s cybersecurity landscape but is constrained by its current mandate and resources. The Commission presented an ambitious reform proposal, including a permanent mandate for the agency, to ensure that ENISA can not only provide expert advice, as has been the case until now, but can also perform operational tasks. The proposal also envisaged the creation of the first voluntary EU cybersecurity certification framework for ICT products, where ENISA will also play an important role. Within the European Parliament, the Industry, Research and Energy Committee adopted its report on 10 July 2018. An agreement was reached with the Council during the fifth trilogue meeting, on 10 December 2018. The text was adopted by the European Parliament on 12 March and by the Council on 9 April 2019. The new regulation came into force on 27 June 2019.