Cybersecurity Act update
Posted on 02.05.2019
The Framework is expected to comprise many certification schemes, all voluntary, which will be tailored and risk-based through the use of ‘Assurance Levels’. The schemes will specify the evaluation process pertinent to the product category and assurance levels. These Assurance Levels will represent the level of risk associated with the intended use of the ICT product, service or process, in terms of the probability and impact of an incident. There are three Assurance Levels: Basic, Substantial and High.

For the different voluntary EU certification schemes which may be proposed, the Commission will take on the responsibility of assessing the efficiency of each scheme three years after its adoption. If a scheme is found unsatisfactory, the Commission could propose a legislative act (separate from the Cybersecurity Act) in order to enforce mandatory requirements.

IVDR/MDR provisions already lay down initial requirements for cybersecurity, and a Guidance Document is currently being developed at Commission level which will set cybersecurity requirements for Medical Device Software. This Guidance is expected before the end of the year.