EU Cybersecurity Act

The EU Cybersecurity Act, formally known as Regulation (EU) 2019/881, was adopted in 2019 and has two main objectives:

1. To strengthen the EU Agency for Cybersecurity (ENISA) with a permanent mandate and additional resources and personnel to enhance its activities and expertise.

2. To establish a European cybersecurity certification framework that aims to harmonize cybersecurity certifications for ICT products, services, and processes across the EU.

Once a product or service is certified under the EU framework, it becomes mutually recognized across all member states. This eliminates the need for companies to go through separate national certification processes, saving time and resources.

Who Does the EU Cybersecurity Act Apply To?

The EU Cybersecurity Act applies to:

• Manufacturers, developers, and service providers of IT products, services, and processes within the EU.
• Organizations that handle critical infrastructure such as energy, transportation, banking, healthcare, and digital infrastructure.
• Any entity that provides digital services like online marketplaces, search engines, and cloud computing services.

An Overview of the EU Cybersecurity Act

Cybersecurity Certification Framework

The EU Cybersecurity Act establishes a voluntary—but highly recommended— certification framework that ensures ICT products, services, and processes meet certain cybersecurity standards. The certification process involves rigorous testing, evaluation, and regular reassessment to ensure continuous compliance and covers technical controls, organizational measures, and product lifecycle aspects. 

Certifications are categorized into three assurance levels: basic, substantial, and high, depending on the risk level and impact. 

Strengthening ENISA's Role

The act adds additional resources to ENISA to help the agency better support member states, EU institutions, and businesses in their cybersecurity efforts. It is tasked with preparing the EU for large-scale cyber incidents by developing response plans and conducting regular exercises. 

Additionally, ENISA must provide technical guidance, facilitate cooperation, and assist in developing and implementing EU cybersecurity policies. It must also focus on capacity building, raising awareness, and providing training programs to enhance cybersecurity skills across the EU. 

Risk Management and Reporting 

Under the EU Cybersecurity Act, organizations must conduct regular risk assessments and update their cybersecurity practices accordingly. Additionally, they must establish incident response plans, including detection, response, recovery, and post-incident analysis procedures. 

The act also requires organizations to report significant cybersecurity incidents promptly to facilitate coordinated responses and mitigate the impact of cyber threats. 

Building Transparency and Trust

The Act promotes the sharing of threat intelligence and best practices among member states, industry stakeholders, and the cybersecurity community to improve collective defenses.

All certified products and services will be listed in a public database to enhance transparency and trust among consumers and businesses and organizations are encouraged to communicate their cybersecurity practices and certification status to stakeholders to build confidence and demonstrate compliance.

Promoting International Cooperation

The EU Cybersecurity Act emphasizes the importance of international cooperation in addressing global cyber threats and supports the development of international norms and frameworks for cybersecurity, fostering a coordinated global response to cyber incidents. 

How Finite State Helps You Comply with the EU Cybersecurity Act

Finite State offers a comprehensive solution to support compliance with the EU Cybersecurity Act by helping organizations improve their software supply chain security and monitor for vulnerabilities. Finite State

• Enforces Secure Coding Practices: Seamless integrations into existing CI/CD pipelines automatically analyze source code and compiled binaries for common security vulnerabilities and coding errors. This allows engineers to identify vulnerabilities hidden deep within legacy code and third-party libraries and detect and address issues early in the development process.
• Offers Real-Time Threat Detection: Integrations with vulnerability databases provide up-to-date information on the latest threats and exploits, allowing for the proactive identification of potential risks before they can be exploited.
• Automates Vulnerability Identification: Using our advanced binary and source code SCA, vulnerabilities can be identified as they're introduced across the SDLC to help teams keep applications secure.
• Provides Comprehensive SBOM Solutions: Automatically generate Software Bill of Materials throughout the SDLC and easily compile detailed information on all components in your products, including open-source libraries, third-party dependencies, and custom code to improve transparency and identify potential security risks in your software supply chain.

Strong cybersecurity requires a collective effort. Talk to the team today to discover how Finite State can help you comply with the EU Cybersecurity Act.