EU - Country Commercial Guide
Cyber-Security

The March 2019 Cybersecurity Act set up a mechanism to develop a voluntary certification scheme for information and communications technology security products, processes, and services.  The European Commission has not yet proposed the specific areas that would benefit from certification schemes, and the European Union Agency for Cybersecurity has created ad-hoc stakeholder groups, which include industry participation in accordance with the Act, to help it create certification schemes.  On April 18, 2023, the Commission proposed a targeted amendment to the EU Cybersecurity Act.  The proposed amendment would enable the future adoption of European certification schemes for ‘managed security services’ covering areas such as incident response, penetration testing, security audits and consultancy.

The Data Governance Act

The Data Governance Act focuses on providing a legal framework, processes, and structures to promote data sharing.  While the General Data Protection Regulation regulates international transfers of personal data, the Data Governance Act regulates international transfers of non-personal data by a user who was granted access to such data by the public sector.  The Data Governance Act focuses on the transfer of non-personal data, rules around the reuse of public sector data, and introduces a regime for data intermediaries.  It also facilitates the collection and processing of data made available through a voluntary registration system for “data altruism organizations” and creates a European Data Innovation Board to enable the sharing of best practices by Member States and to advise the Commission on cross-sector interoperability standards.  The Data Governance Act is applicable across 27 Member States starting from September 2023.

Cyber Resilience Act

The EU Cyber Resilience Act is proposed legislation, first published on September 15, 2022, that introduces common cybersecurity rules for products with digital elements, covering both hardware and software.  It is part of a larger cybersecurity framework that includes other regulations such as the EU Cybersecurity Act and the NIS2 Directive.  The legislation would, for the first time, apply the CE mark to software, and create approval processes for a wide range of digital products and services required to receive the mark and become eligible to be sold and used on the EU market.  The Act is currently undergoing negotiations between the European Parliament, Council and Commission.