About the Cybersecurity Act (CSA)


Full name: Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019 on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification and repealing Regulation (EU) No 526/2013 (Cybersecurity Act)

(Link to original text)

Type: Regulation

Objective and key elements:

  • Sets the foundation for the cybersecurity strategy
  • Introduces a security by design requirement
  • Reinforces ENISA, the EU Agency for Cybersecurity
  • Creates a European cybersecurity certification framework for ICT products, services and processes
  • Sets obligations for manufacturers and providers of certified ICT products, services or processes to make certain information publicly available

Relevant to: Mainly ENISA, national cybersecurity certification authorities, and suppliers of ICT products, services and processes.

Status: In force, fully applicable since 28 June 2019.

On 2 December 2024, the Council adopted a targeted amendment to the CSA, aiming to enhance the EU's cyber resilience by enabling the introduction of European certification schemes for managed security services, increasing their quality and comparability. You can access the amendments here. Once formally adopted, the amendments to the Cybersecurity Act will enter into force on the 20th day following their publication in the Official Journal.

Guidance:

(Last updated 3 December 2024)

Implemented in Finland as:

Status: In force.

National cybersecurity certification authority: The Finnish Transport and Communications Agency (Traficom)

(Last updated 23 September 2024)