In December 2018, the European Parliament, the Council and the Commission reached a political agreement on the EU Cybersecurity Act. The ‘act’ takes the form of a regulation, the final version of which can be found here.
The EU Cybersecurity Act has two main objectives:
- To give ENISA (currently the European Union Agency for Network and Information Security, to be renamed the European Union Agency for Cybersecurity while keeping the ENISA acronym) a permanent mandate; ENISA’s current temporary mandate expires in 2020.
- To lay down a framework for European cybersecurity certification schemes for ICT products, services and processes.
How does the framework for cybersecurity certification work?
The Commission will publish a program for European cybersecurity certification that identifies the strategic priorities for the certification schemes (the “Union rolling work programme for European cybersecurity certification”). The program will include a list of ICT products, services and processes, or categories of these, that the Commission considers would benefit from inclusion in the scope of a certification scheme. The Cybersecurity Act sets out the criteria for such inclusion, including market demand and developments in the cyber threat landscape.
Based on the program, the Commission may request ENISA to prepare a candidate European cybersecurity certification scheme or to review an existing scheme. In duly justified cases, the Commission or the European Cybersecurity Certification Group (ECCG) may also request the preparation or review of a scheme that is not included in the program. The ECCG is a new body composed of representatives of national cybersecurity certification authorities or of other relevant national authorities.
Following such a request, ENISA will prepare a candidate scheme that meets the requirements set out in the Regulation. These requirements include a list of elements that every scheme must cover and a list of security objectives that every scheme must achieve; together they establish the minimum content of a scheme. Adopted certification schemes are to be evaluated at least every five years, taking into account feedback from interested parties.
Promoting security by design thinking
One of the objectives of the framework is to facilitate the inclusion of security features in the early stages of product and service development, and thus to promote security-by-design thinking. The security-by-design principle is the twin of the privacy-by-design principle endorsed by the GDPR. The framework could well produce certification schemes that are useful for meeting GDPR requirements: many of the security objectives that the schemes are required to achieve would be instrumental in implementing the technical security measures required by Article 32 of the GDPR.
A European cybersecurity certification scheme may specify one or more of the following assurance levels: basic, substantial and high. The assurance level must be commensurate with the level of risk, in terms of the probability and impact of an incident, associated with the intended use of the ICT product, service or process that the scheme concerns.
Conformity assessments will be carried out by conformity assessment bodies accredited at national level. Certification schemes may also allow for self-assessment of conformity by manufacturers or providers of ICT products, services and processes. Self-assessment will be possible only for low-risk ICT products, services and processes corresponding to assurance level basic.
Recourse to European cybersecurity certification and to self-assessment of conformity is voluntary in principle, unless otherwise provided in Union or Member State law. The Commission will regularly assess the efficiency and uptake of adopted certification schemes and decide whether any particular scheme should be made mandatory through EU legislation.
The first program is to be published no later than 12 months after the entry into force of the Regulation, perhaps in early 2020. Although by no means certain, an educated guess is that IoT will feature strongly in the first program. This is suggested by the explicit mention of connected devices and IoT in the recitals of the Regulation and in the Commission press release announcing the agreement on the regulation text in December 2018.
The purpose of this blog post was to shed light on the content and objectives of the new EU Cybersecurity Act. How the Act will be applied, and what it means for the different actors in the field, is yet to be determined. Once more information is released, we will examine the practical implications of the Cybersecurity Act and share our detailed thoughts in a new blog post.