Cybersecurity Regulation

Regulation (2019/881) on ENISA and on ICT cybersecurity certification

Category

Status

EU

Date of application 27 June 2019.

EEA

Deadline for implementation was 1 April 2024.

Norway

The Regulation will be implemented as an administrative regulation to the Norwegian Digital Security Act .

Scope

The regulation primarily imposes obligations on the EEA Member States, which must designate a national cybersecurity certification authority and supervise the certification framework at national level. It does not directly impose requirements on individual enterprises and public bodies, but it requires Member States to establish the national structures through which enterprises obtain, and benefit from, certification.

The regulation also sets out the role of ENISA (the European Union Agency for Cybersecurity) in facilitating a coordinated response to large-scale cybersecurity incidents and attacks across the EU.

A significant component of the regulation is the establishment of a European framework for ICT cybersecurity certification, providing a harmonized set of standards for ICT products, services, and processes.

Relevance

The introduction of a European cybersecurity certification framework under this Regulation marks a significant step towards harmonizing the cybersecurity certification processes across the EU, potentially influencing global cybersecurity practices.

For Norway, the certification framework will expand the scope of certification reflected in today's SERTIT scheme to include services and processes. Effective implementation will require additional resources for the national cybersecurity certification authority to handle complaints and declarations and to oversee certification bodies. The inclusion of commercial certification bodies may increase costs for Norwegian companies that previously relied on the free certification services of SERTIT.

Key obligations

The regulation sets out the tasks of ENISA, including contributing to policy development and legislation, enhancing cybersecurity capabilities in the EU, ensuring cooperation between Member States, and developing cybersecurity standards and certification. ENISA also acts as an EU hub for network and information security: it promotes best practices and initiatives across the EU, provides guidance and best practices for the security of critical infrastructure and digital service providers, and produces reports after significant incidents to guide organizations and citizens.

The regulation further introduces a comprehensive framework for the cybersecurity certification of ICT products, services, and processes. Certification schemes are prepared by ENISA and adopted by the European Commission through implementing acts. Initially, certification is voluntary, but the European Commission will periodically review the effectiveness and uptake of the certification schemes and may propose making certification mandatory in specific sectors covered by the NIS 2 Directive if needed.