EEA EFTA Comment on the EU Cybersecurity Agency (ENISA) and the Cybersecurity Act

Published 06-06-2018
On 6 June 2018, Iceland, Norway and Liechtenstein submitted a joint EEA EFTA Comment on the proposal for a Regulation of the European Parliament and of the Council concerning the European Union Agency for Network and Information Security (ENISA) ( the ‘EU Cybersecurity Agency’) and repealing Regulation (EU) 526/2013 , and on the Information and Communication Technology cybersecurity certification (“Cybersecurity Act”) (COM(2017) 477 final).

The EEA EFTA States have participated in ENISA since 2005 through the EEA Agreement. ENISA has played a key role in enhancing the cybersecurity prevention work in the European Economic Area, in particular when it comes to promoting cooperation among the member states and sharing its expertise on network information security challenges.

In this regard, the EEA EFTA States welcome and support the Commission proposal to reinforce the role of ENISA and to give it a permanent mandate, and to establish a cybersecurity certification framework.

However, they request clarification on several issues concerning ENISA’s mandate and the system for the cybersecurity certification framework. The EEA EFTA States are of the view that there is a need to clarify in the draft Regulation how much authority ENISA will have to intervene in matters vis-à-vis national authorities:

“The EEA EFTA States would like to emphasise that a new Regulation must respect the sovereign rights and responsibility of the members of the EEA to decide on national cybersecurity measures.”

Finally, due to a better overview and easier updating, the EEA EFTA States consider that the New Approach Notified and Designated Organisations (NANDO) Information System could be used for the listing of the notified conformity assessment bodies, pursuant to Art. 52(2).

Submitting comments on important policy issues is one of the ways in which the EEA EFTA States participate in shaping EU legislation. A typical EEA EFTA Comment provides a brief commentary and suggestions regarding Commission initiatives such as green papers or legislative proposals. The comments are endorsed by the Standing Committee of the EFTA States and officially noted by the EEA Joint Committee after they have been sent to the relevant services in the Commission, the European Parliament or the Council.

The EEA EFTA Comment on the EU Cybersecurity Agency (ENISA) and the Cybersecurity Act is available here.

A full list of EEA EFTA Comments is available here.

Was the content helpful?