By Swann Bigot – July 16, 2018
The European Commission proposed in September 2017 a set of measures to build strong cybersecurity across the European Union. The EU certification framework for ICT products, services and processes and a stronger EU Cybersecurity Agency with a permanent mandate and clear tasks are parts of this effort. The Council’s proposal of a Cybersecurity Act was adopted last June and backed by the Industry Committee of the EU Parliament in July.
BRUSSELS – Facing the dependence of economic, technological and social development of member states on information and communications technologies (ICTs) and in a context of growing and changing cyber threats, the European Union decided to strengthen its cyber resilience by setting up an EU certification framework for information and communication technology (ICT) products, services and processes.
The certification framework will provide rules, technical requirements, standards and procedures to ICT manufacturers and providers of ICT services. An EU certificate issued under it will confirm that the product, service or process has no known vulnerabilities and complies with international standards and technical specifications.
The Council of the European Union agreed on June 8 its general approach on the proposal, known as the Cybersecurity Act. The draft legislation also upgrades the current European Union Agency for Network and Information Security (ENISA) into a permanent EU agency for cybersecurity with stronger resources and tasks.
Why an EU common certification framework?
The EU common certification framework will increase the security and safety of innovative digital solutions. Since network and information systems play a vital role in our societies, their reliability and security are critical. Cybersecurity certification will make it possible to prove their reliability and will generate trust among customers and users within the European Digital Single Market.
The ICT industry could use the new mechanism to certify products such as connected and automated vehicles, smart medical devices, industrial automation control systems and smart grids. This certification will enable the Internet of Things to be more secure and safe for consumers and organizations. Security and safety will generate trust in these products, services and devices used in daily life.
Cybersecurity is critical as the global IoT market is expected to grow from $157 billion in 2016 to $457 billion by 2020, according to a study by the UK advisory firm GrowthEnabler. The global IoT market share will be dominated by three sub-sectors: smart cities (26%), industrial IoT (24%) and connected health (20%). These sub-sectors are followed by smart homes (14%), connected cars (7%), smart utilities (4%) and wearables (3%).
Over the period 2014-2017, the EU has already invested almost EUR 200 million in IoT research, innovation and deployment. Sustainable development of the IoT is not possible without a strong cybersecurity framework.
IoT products are potential targets since they can be used during cyber intelligence campaigns to secretly collect audio or visual data. The recent spike of attacks from China against IoT devices based in Helsinki, days before the summit between the US President Donald Trump and the Russian President Vladimir Putin, was seen by analysts as an attempt to secure secret access to valuable intelligence during the bilateral meeting.
Moreover, ICT products such as connected medical devices are exposed to cyber threats. Security is a priority and requires cooperation between governments, industry, system operators and IT engineers. Mandatory procedures such as cyber-risk management during design, operation and maintenance are necessary. A common certification framework appears to enable better cyber resilience.
Currently, cybersecurity certification of ICT processes, products and services is used only to a limited extent. Where it exists, it mostly occurs at Member State level or in the framework of industry-driven schemes.
Common cybersecurity certification
The draft regulation adopted by the Council on June 8 creates a mechanism for setting up EU cybersecurity certification schemes. EU certificates issued under these schemes will be legally valid across the Member States, making it easier for users to gain confidence in the security and reliability of these technologies, and for ICT companies such as network and data service operators or innovative product manufacturers to innovate and carry out their business across borders, within the Digital Single Market, without conflicting or overlapping national cybersecurity certifications.
Certification will be voluntary unless otherwise specified in EU law or national legislation, and will cover cyber resilience to accidental or malicious data loss or alteration.
The EU certification includes three different assurance levels: basic, substantial or high. Under the basic assurance level, for low-complexity ICT products and services presenting a low risk to the public interest, manufacturers or service providers will have the possibility to carry out the conformity assessment themselves.
If the draft legislation is eventually approved by the EU Parliament and enters into force, companies will have to design and implement their security compliance programs in accordance with this new EU cybersecurity certification framework.
EU cybersecurity agency
The draft EU legislation also grants the European Network and Information Security Agency (ENISA), created in March 2004 and based in Greece, a permanent mandate and clarifies its role as the EU agency for cybersecurity.
The first EU legal act on cybersecurity, the network and information security (NIS) directive from 2016, had already given ENISA a key role in supporting the implementation of the provisions introduced by the directive.
The proposed legislation gives ENISA new tasks in supporting Member States, EU institutions and other stakeholders in their efforts to ensure a secure cyberspace. According to the proposal, ENISA will organize regular EU-level cybersecurity exercises and will support and promote EU policy on cybersecurity certification. Furthermore, the EU Cybersecurity Agency will provide expertise and advice and will act as a Union centre of information and knowledge.
In addition, the upgraded ENISA will promote the exchange of best practices and cooperation between Member States and private stakeholders, offer policy and legislative suggestions to the European Commission and Member States, act as a reference point for Union sectoral policy initiatives with regard to cybersecurity matters, and foster operational cooperation between the Member States and between them and the European institutions, agencies and bodies.
The underlying task of the new EU Cybersecurity Agency will be to promote the implementation of the relevant legal framework from a comprehensive perspective, in particular the effective implementation of the NIS Directive adopted in 2016, described by the Council as essential in order to increase cyber resilience in Europe.
Sovereignty of Member States
However, the text of the draft legislation underlines the sovereignty of Member States. The activities carried out by the EU Cybersecurity Agency relating to the operational capacities of Member States should be solely complementary to the actions Member States themselves take in order to comply with the NIS Directive.
A network of national liaison officers will facilitate the exchange of information and cooperation between ENISA and the Member States.
Lastly, the proposal approved by the Council in June and backed by the Industry Committee of the EU Parliament in July provides for an increase in the financial and human resources of the EU Cybersecurity Agency.
When will this text become law?
The text agreed on June 8 is the Council’s position for negotiations with the European Parliament. The Industry Committee of the Parliament backed the proposal on July 10. A total of 56 members of EU Parliament voted in favour of the draft legislation, five voted against it and one abstained.
Rapporteur Angelika Niebler (EPP, Germany) said: “Today’s vote is a very important step towards a long-term vision of cybersecurity in the EU for two reasons. Firstly, from the perspective of consumers, it is important that users have trust and confidence in ICT solutions. Secondly, I strongly believe that Europe can become a leading player in cybersecurity. We have a strong industrial base and it is vital to continue working on improving cybersecurity for consumer goods, industrial applications and critical infrastructure.”
The Council and the EU Parliament now have to agree on the final text before it can enter into force. Negotiations are underway ahead of the Parliament’s plenary session in September.
© Copyright 2018 – Swann Bigot, consultant and international law graduate, working on cybersecurity and ICT law.