Including Cybersecurity certification in the new cybersecurity laws in the Western Balkans

In various Western Balkan countries, new cybersecurity legislation is being developed. Most countries aim to transpose the new NIS2 Directive into national legislation. For more information on this, see the article NIS2 Directive: Objectives, Implementation Challenges.

As the Western Balkan countries develop their new cybersecurity legislation, a trend has been noted: not only is NIS2 being transposed, but other EU acts, such as the Cyber Security Act, are also being integrated into national legislation. For EU member states, European Regulations (or acts) are directly applicable and thus don’t require transposition into national legislation.

Western Balkan countries are taking the opportunity to include the EU Acts in their new legislation and, thus, create a comprehensive national cybersecurity law. But how is this done, and what lessons can we learn?

Is cybersecurity certification required under the NIS2 directive?

The NIS2 Directive does not include paragraphs concerning cybersecurity certification. As mentioned above, cybersecurity certification originates from the Cyber Security Act (2019/881).

The Cyber Security Act introduced Cybersecurity Certification Schemes to create trust and transparency in the security of digital products, services and processes across the EU.

Common criteria for evaluating cybersecurity and assessing the level of security of products, services and processes lead to standardisation and to confidence in the certificates that are issued. With central authorities that can delegate permission to perform assessments and issue certificates, a country can build an effective system that has sufficient capacity and implements certification practices successfully.

While not obligatory under NIS2, certification may serve as proof of compliance with certain security obligations and can be used by national authorities as part of their supervisory toolkit.

Because acts such as the Cyber Security Act apply directly in EU member states and are not transposed there, Western Balkan countries should look not only at EU member states but also at each other for good examples of including certification schemes in new legislation. On the other hand, EU member states have often established national cybersecurity certification authorities, which are the central institutions tasked with the obligations that the Cyber Security Act imposes. These national authorities may serve as good examples of implementation practices.

This article was created by CILC - Center for International Legal Cooperation