Cybersecurity
European Commission presents Cybersecurity Package.
HS – 01/2026
On 20 January, the European Commission presented a new Cybersecurity Package, aimed at further strengthening the resilience and capabilities of the European Union (EU) in the field of cybersecurity. The package includes a proposal for a Regulation on a Cybersecurity Act 2 (CSA 2) revising the existing EU cybersecurity framework (Regulation (EU) 2019/881). In addition, the package contains a proposal for a Directive amending the NIS 2 Directive (Directive (EU) 2022/2555).
Strengthening ICT supply chains
The proposed CSA 2 is intended to contribute to reducing risks in EU information and communication technology (ICT) supply chains, in particular those resulting from dependencies on suppliers from third countries that raise cybersecurity concerns. To this end, a trusted framework is to be established based on a harmonised, proportionate and risk-based approach. This framework is intended to enable the EU and the Member States to mitigate risks in 18 critical sectors. These 18 sectors are not newly defined in the proposal for a Regulation; instead, reference is made to the NIS 2 Directive, whose Annexes I and II list the sectors concerned, including healthcare and public administration.
Strengthening ENISA’s mandate
According to the CSA 2 proposal, the European Union Agency for Cybersecurity (ENISA) is to provide early warnings of cyber threats and incidents to public administrations and companies operating in the EU. In addition, ENISA is to develop a Union-wide approach to provide relevant actors with improved services for vulnerability management and to develop targeted support measures, including technical guidance on risk management, tools for assessing the level of cybersecurity maturity and practical guidance on handling security incidents, tailored to the critical sectors referred to in the NIS 2 Directive. Furthermore, the CSA 2 proposal introduces the amendments necessary to enable ENISA to operate the single reporting entry point for security incidents announced in the Digital Omnibus.
Simplification of cybersecurity certification
The CSA 2 proposal is also intended to ensure that products and services reaching consumers in the EU are assessed more efficiently with regard to their security. This is to be achieved through a renewed European Cybersecurity Certification Framework (ECCF). The ECCF is intended to provide greater clarity and simpler procedures, so that certification schemes can, as a rule, be developed within 12 months. In addition, a more flexible and transparent governance framework is to be introduced in order to better involve the relevant actors through information provision and public consultations.
Simplification of cybersecurity rules
The package also provides for simplifications of cybersecurity rules in order to facilitate compliance with existing EU requirements and the associated risk management obligations. These measures complement the single reporting entry point for security incidents at ENISA proposed under the Digital Omnibus and aim to make reporting and supervisory processes more coherent. Targeted amendments to the NIS 2 Directive are intended in particular to increase legal clarity by specifying rules on competences, streamlining reporting requirements and simplifying supervision of entities operating cross-border.
Relevance for social security institutions
Social security institutions, as data-intensive public bodies, are increasingly targeted by cyberattacks and, as part of critical infrastructure under the NIS 2 Directive, are particularly in need of protection. At the same time, they are confronted at both European and national level with complex and partly overlapping reporting obligations in the event of security incidents. The adjustments proposed in the Cybersecurity Package create the legal basis for a simplified and more coherent reporting structure, for example through the establishment of a single reporting entry point at ENISA. This can help to reduce the administrative burden on social security institutions, avoid duplicate reporting and ensure a clear and uniform reporting process without lowering the level of protection.