Cybersecurity Act (CSA)

About

Recitals

TITLE I – General Provisions (Art. 1-2)
Art. 1CSA - Subject matter and scope
Art. 2CSA - Definitions
TITLE II / Chapter I – Mandate and objectives (Art. 3-4)
Art. 3CSA - Mandate
Art. 4CSA - Objectives
Chapter II – Tasks (Art. 5-12)
Art. 5CSA - Development and implementation of Union policy and law
Art. 6CSA - Capacity-building
Art. 7CSA - Operational cooperation at Union level
Art. 8CSA - Market, cybersecurity certification, and standardisation
Art. 9CSA - Knowledge and information
Art. 10CSA - Awareness-raising and education
Art. 11CSA - Research and innovation
Art. 12CSA - International cooperation
Chapter III – Organisation of ENISA (Art. 13-28)
Art. 13CSA - Structure of ENISA
Art. 14CSA - Composition of the Management Board
Art. 15CSA - Functions of the Management Board
Art. 16CSA - Chairperson of the Management Board
Art. 17CSA - Meetings of the Management Board
Art. 18CSA - Voting rules of the Management Board
Art. 19CSA - Executive Board
Art. 20CSA - Duties of the Executive Director
Art. 21CSA - ENISA Advisory Group
Art. 22CSA - Stakeholder Cybersecurity Certification Group
Art. 23CSA - National Liaison Officers Network
Art. 24CSA - Single programming document
Art. 25CSA - Declaration of interests
Art. 26CSA - Transparency
Art. 27CSA - Confidentiality
Art. 28CSA - Access to documents
Chapter IV – Establishment and structure of ENISA’s budget (Art. 29-33)
Art. 29CSA - Establishment of ENISA’s budget
Art. 30CSA - Structure of ENISA’s budget
Art. 31CSA - Implementation of ENISA’s budget
Art. 32CSA - Financial rules
Art. 33CSA - Combating fraud
Chapter V – Staff (Art. 34-37)
Art. 34CSA - General provisions
Art. 35CSA - Privileges and immunity
Art. 36CSA - Executive Director
Art. 37CSA - Seconded national experts and other staff
Chapter VI – General provisions concerning ENISA (Art. 38-45)
Art. 38CSA - Legal status of ENISA
Art. 39CSA - Liability of ENISA
Art. 40CSA - Language arrangements
Art. 41CSA - Protection of personal data
Art. 42CSA - Cooperation with third countries and international organisations
Art. 43CSA - Security rules on the protection of sensitive non-classified information and classified information
Art. 44CSA - Headquarters Agreement and operating conditions
Art. 45CSA - Administrative control
TITLE III – Cybersecurity certification network (Art. 46-65)
Art. 46CSA - European cybersecurity certification framework
Art. 47CSA - The Union rolling work programme for European cybersecurity certification
Art. 48CSA - Request for a European cybersecurity certification scheme
Art. 49CSA - Preparation, adoption and review of a European cybersecurity certification scheme
Art. 50CSA - Website on European cybersecurity certification schemes
Art. 51CSA - Security objectives of European cybersecurity certification schemes
Art. 52CSA - Assurance levels of European cybersecurity certification schemes
Art. 53CSA - Conformity self-assessment
Art. 54CSA - Elements of European cybersecurity certification schemes
Art. 55CSA - Supplementary cybersecurity information for certified ICT products, ICT services and ICT processes
Art. 56CSA - Cybersecurity certification
Art. 57CSA - National cybersecurity certification schemes and certificates
Art. 58CSA - National cybersecurity certification authorities
Art. 59CSA - Peer review
Art. 60CSA - Conformity assessment bodies
Art. 61CSA - Notification
Art. 62CSA - European Cybersecurity Certification Group
Art. 63CSA - Right to lodge a complaint
Art. 64CSA - Right to an effective judicial remedy
Art. 65CSA - Penalties
TITLE IV – Final provisions (Art. 66-69)
Art. 66CSA - Committee procedure
Art. 67CSA - Evaluation and review
Art. 68CSA - Repeal and succession
Art. 69CSA - Entry into force
Annexes
Art. Annex ICSA - Annex

Chapter VI – General provisions concerning ENISA (Art. 38-45)

Art. 38 CSA – Legal status of ENISA
1. ENISA shall be a body of the Union and shall have legal personality.
2. In each Member State ENISA shall enjoy the most extensive legal capacity accorded to legal persons under national law. It may, in particular, acquire or dispose of movable and immovable property and be a party to legal proceedings.
3. ENISA shall be represented by the Executive Director.
Art. 39 CSA – Liability of ENISA
1. The contractual liability of ENISA shall be governed by the law applicable to the contract in question.
2. The Court of Justice of the European Union shall have jurisdiction to give judgment pursuant to any arbitration clause contained in a contract concluded by ENISA.
3. In the case of non-contractual liability, ENISA shall make good any damage caused by it or its staff in the performance of their duties, in accordance with the general principles common to the laws of the Member States.
4. The Court of Justice of the European Union shall have jurisdiction in any dispute over compensation for damage as referred to in paragraph 3.
5. The personal liability of ENISA’s staff towards ENISA shall be governed by the relevant conditions applying to ENISA’s staff.
Art. 40 CSA – Language arrangements
1. Council Regulation No 1 ⁽¹⁾ shall apply to ENISA. The Member States and the other bodies appointed by the Member States may address ENISA and receive a reply in the official language of the institutions of the Union that they choose.
2. The translation services required for the functioning of ENISA shall be provided by the Translation Centre for the Bodies of the European Union.
^{(1) Council Regulation No 1 determining the languages to be used by the European Economic Community (OJ 17, 6.10.1958, p. 385/58).}
Art. 41 CSA – Protection of personal data
1. The processing of personal data by ENISA shall be subject to Regulation (EU) 2018/1725.
2. The Management Board shall adopt implementing rules as referred to in Article 45(3) of Regulation (EU) 2018/1725. The Management Board may adopt additional measures necessary for the application of Regulation (EU) 2018/1725 by ENISA.
Show Related Recitals
- Recital CSA 63
  ENISA should have rules in place regarding the prevention and the management of conflicts of interest. ENISA should also apply the relevant Union provisions concerning public access to documents as set out in Regulation (EC) No 1049/2001 of the European Parliament and of the Council ⁽¹⁾. The processing of personal data by ENISA should be subject to Regulation (EU) 2018/1725 of the European Parliament and of the Council ⁽²⁾. ENISA should comply with the provisions applicable to the Union institutions, bodies, offices and agencies, and with national legislation regarding the handling of information, in particular sensitive non-classified information and European Union classified information (EUCI).
  
  ^{(1) Regulation (EC) No 1049/2001 of the European Parliament and of the Council of 30 May 2001 regarding public access to European Parliament, Council and Commission documents (OJ L 145, 31.5.2001, p. 43).
  
  (2) Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39).}
Art. 42 CSA – Cooperation with third countries and international organisations
1. To the extent necessary in order to achieve the objectives set out in this Regulation, ENISA may cooperate with the competent authorities of third countries or with international organisations or both. To that end, ENISA may establish working arrangements with the authorities of third countries and international organisations, subject to the prior approval of the Commission. Those working arrangements shall not create legal obligations incumbent on the Union and its Member States.
2. ENISA shall be open to the participation of third countries that have concluded agreements with the Union to that effect. Under the relevant provisions of such agreements, working arrangements shall be established specifying in particular the nature, extent and manner in which those third countries are to participate in ENISA’s work, and shall include provisions relating to participation in the initiatives undertaken by ENISA, to financial contributions and to staff. As regards staff matters, those working arrangements shall comply with the Staff Regulations of Officials and Conditions of Employment of Other Servants in any event.
3. The Management Board shall adopt a strategy for relations with third countries and international organisations concerning matters for which ENISA is competent. The Commission shall ensure that ENISA operates within its mandate and the existing institutional framework by concluding appropriate working arrangements with the Executive Director.
Show Related Recitals
- Recital CSA 54
  Cyber threats are a global issue. There is a need for closer international cooperation to improve cybersecurity standards, including the need for definitions of common norms of behaviour, the adoption of codes of conduct, the use of international standards, and information sharing, promoting swifter international collaboration in response to network and information security issues and promoting a common global approach to such issues. To that end, ENISA should support further Union involvement and cooperation with third countries and international organisations by providing the necessary expertise and analysis to the relevant Union institutions, bodies, offices and agencies, where appropriate.
Art. 43 CSA – Security rules on the protection of sensitive non-classified information and classified information
After consulting the Commission, ENISA shall adopt security rules applying the security principles contained in the Commission’s security rules for protecting sensitive non-classified information and EUCI, as set out in Decisions (EU, Euratom) 2015/443 and 2015/444. ENISA’s security rules shall include provisions for the exchange, processing and storage of such information.
Art. 44 CSA – Headquarters Agreement and operating conditions
1. The necessary arrangements concerning the accommodation to be provided for ENISA in the host Member State and the facilities to be made available by that Member State together with the specific rules applicable in the host Member State to the Executive Director, members of the Management Board, ENISA’s staff and members of their families shall be laid down in a headquarters agreement between ENISA and the host Member State, concluded after obtaining the approval of the Management Board.
2. ENISA’s host Member State shall provide the best possible conditions for ensuring the proper functioning of ENISA, taking into account the accessibility of the location, the existence of adequate education facilities for the children of staff members, appropriate access to the labour market, social security and medical care for both children and spouses of staff members.
Show Related Recitals
- Recital CSA 18
  Within the framework of Decision 2004/97/EC, Euratom taken by common agreement between the Representatives of the Member States, meeting at Head of State or Government level ⁽¹⁾, the representatives of the Member States decided that ENISA would have its seat in a town in Greece to be determined by the Greek Government. ENISA’s host Member State should ensure the best possible conditions for the smooth and efficient operation of ENISA. It is imperative for the proper and efficient performance of its tasks, for staff recruitment and retention and for enhancing the efficiency of networking activities that ENISA be based in an appropriate location, among other things providing appropriate transport connections and facilities for spouses and children accompanying members of staff of ENISA. The necessary arrangements should be laid down in an agreement between ENISA and the host Member State concluded after obtaining the approval of the Management Board of ENISA.
  
  ^{(1) Decision 2004/97/EC, Euratom taken by common agreement between the Representatives of the Member States, meeting at Head of State or Government level, of 13 December 2003 on the location of the seats of certain offices and agencies of the European Union (OJ L 29, 3.2.2004, p. 15).}
Art. 45 CSA – Administrative control
The operations of ENISA shall be supervised by the European Ombudsman in accordance with Article 228 TFEU.

Chapter V - Staff (Art. 34-37)

TITLE III - Cybersecurity certification network (Art. 46-65)

AI

Proposal

Final

Consumer & E-commerce

Proposal

Final

Cybersecurity

Proposal

Final

Data

Proposal

Final

Digital Privacy

Proposal

Final

Digital Services

Proposal

Final

Cybersecurity Act (CSA)

About

Chapter VI – General provisions concerning ENISA (Art. 38-45)