Cybersecurity Act update

The European Commission (DG CONNECT) presented an update on the state of the Cybersecurity Act at a recent MDCG working group meeting. The Act, which establishes the European Cybersecurity Certification Framework, was approved by the European Parliament on 12 March 2019. The Council subsequently approved the text on 9 April 2019 during the General Affairs Council, and entry into force is foreseen for early June 2019.

Posted on 02.05.2019

The Framework is foreseen to have many certification schemes, all voluntary, which will be tailored and risk-based through the use of ‘Assurance Levels’. The schemes will specify the evaluation process pertinent to the product category and assurance levels. These Assurance Levels will represent the level of risk associated with the intended use of the ICT product, service or process, in terms of the probability and impact of an incident. Accordingly, there are three Assurance Levels: Basic, Substantial and High. For each voluntary EU certification scheme that may be proposed, the Commission will take on the responsibility of assessing the efficiency of the scheme three years after its adoption. If a scheme is found unsatisfactory, the Commission could propose a legislative act (separate from the Cybersecurity Act) in order to enforce mandatory requirements.

IVDR/MDR provisions already lay down initial requirements for cybersecurity, and a Guidance Document is currently being developed at Commission level which will set cybersecurity requirements for Medical Device Software. This Guidance is expected before the end of the year.