Chapter II – Tasks (Art. 5-12)
Art. 8 CSA - Market, cybersecurity certification, and standardisation
- ENISA shall support and promote the development and implementation of Union policy on cybersecurity certification of ICT products, ICT services and ICT processes, as established in Title III of this Regulation, by:
  - monitoring developments, on an ongoing basis, in related areas of standardisation and recommending appropriate technical specifications for use in the development of European cybersecurity certification schemes pursuant to point (c) of Article 54(1) where standards are not available;
  - preparing candidate European cybersecurity certification schemes (‘candidate schemes’) for ICT products, ICT services and ICT processes in accordance with Article 49;
  - evaluating adopted European cybersecurity certification schemes in accordance with Article 49(8);
  - participating in peer reviews pursuant to Article 59(4);
  - assisting the Commission in providing the secretariat of the ECCG pursuant to Article 62(5).
- ENISA shall provide the secretariat of the Stakeholder Cybersecurity Certification Group pursuant to Article 22(4).
- ENISA shall compile and publish guidelines and develop good practices, concerning the cybersecurity requirements for ICT products, ICT services and ICT processes, in cooperation with national cybersecurity certification authorities and industry in a formal, structured and transparent way.
- ENISA shall contribute to capacity-building related to evaluation and certification processes by compiling and issuing guidelines as well as by providing support to Member States at their request.
- ENISA shall facilitate the establishment and take-up of European and international standards for risk management and for the security of ICT products, ICT services and ICT processes.
- ENISA shall draw up, in collaboration with Member States and industry, advice and guidelines regarding the technical areas related to the security requirements for operators of essential services and digital service providers, as well as regarding already existing standards, including Member States’ national standards, pursuant to Article 19(2) of Directive (EU) 2016/1148.
- ENISA shall perform and disseminate regular analyses of the main trends in the cybersecurity market on both the demand and supply sides, with a view to fostering the cybersecurity market in the Union.
In order to support the businesses operating in the cybersecurity sector, as well as the users of cybersecurity solutions, ENISA should develop and maintain a ‘market observatory’ by performing regular analyses and disseminating information on the main trends in the cybersecurity market, on both the demand and supply sides.
ENISA should further develop and maintain its expertise on cybersecurity certification with a view to supporting the Union policy in that area. ENISA should build on existing best practices and should promote the uptake of cybersecurity certification within the Union, including by contributing to the establishment and maintenance of a cybersecurity certification framework at Union level (European cybersecurity certification framework) with a view to increasing the transparency of the cybersecurity assurance of ICT products, ICT services and ICT processes, thereby strengthening trust in the digital internal market and its competitiveness.
Efficient cybersecurity policies should be based on well-developed risk assessment methods, in both the public and private sectors. Risk assessment methods are used at different levels, with no common practice regarding how to apply them efficiently. Promoting and developing best practices for risk assessment and for interoperable risk management solutions in public-sector and private-sector organisations will increase the level of cybersecurity in the Union. To that end, ENISA should support cooperation between stakeholders at Union level and facilitate their efforts relating to the establishment and take-up of European and international standards for risk management and for the measurable security of electronic products, systems, networks and services which, together with software, comprise the network and information systems.
In cooperation with competent authorities, ENISA should be able to disseminate information regarding the level of the cybersecurity of the ICT products, ICT services and ICT processes offered in the internal market, and should issue warnings targeting manufacturers or providers of ICT products, ICT services or ICT processes and requiring them to improve the security of their ICT products, ICT services and ICT processes, including the cybersecurity.
ENISA should regularly consult standardisation organisations, in particular European standardisation organisations, when preparing the European cybersecurity certification schemes.