The EU's New Cybersecurity Certification Framework

The European Parliament and the European Council has introduced the new Cybersecurity Act, concerning the role of  ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification and repealing the previous Cybersecurity Act.   By Joao Pedro Paro.

This legislation, which entered into force on 27 June 2019, takes into account that the use of network and information systems by citizens, organisations and businesses across the Union is now all-pervasive. As pointed out below, by extracting directly from the Regulation:

Digitisation and connectivity are becoming core features in an ever-growing number of products and services and with the advent of the Internet of Things (IoT) an extremely high number of connected digital devices are expected to be deployed across the Union over the next decade ( ection2).

Indeed, Cyber threats are a global issue. There is a need for closer international cooperation to improve cybersecurity standards, including the need for definitions of common norms of behaviour, the adoption of codes of conduct, the use of international standards, and informationsharing, promoting swifter international collaboration in response to network and information security issues and promoting a common global approach to such issues (section 3).

The Union has already taken important steps to ensure cybersecurity and to increase trust in digital technologies. In 2013, the Cybersecurity Strategy of the European Union was adopted to guide the Union’s policy response to cyber threats and risks (section 15).

In an effort to better protect citizens online, the Union’s first legal Act in the field of cybersecurity was adopted in 2016 in the
form of Directive (EU) 2016/1148 which put in place requirements concerning national capabilities in the field of cybersecurity, established the first mechanisms to enhance strategic and operational cooperation between Member States, and introduced obligations concerning security measures and incident notifications across sectors which are vital for the economy and
society, such as energy, transport, drinking water supply and distribution, banking, financial market infrastructures, healthcare, digital infrastructure as well as key digital service providers (search engines, cloud computing services and online marketplaces). (Section15))

Efficient cybersecurity solutions are necessary for the industry to stay ahead of cyber threats, and therefore any certification scheme should be designed in a way that avoids the risk of being outdated quickly (section 72) .

In light of this, the EU Regulation establishes Cybersecurity Certification, which plays an important role in increasing trust and security in ICT products, ICT services and processes. The digital single market, and in particular the data economy and the IoT, can thrive only if there is general public trust that such products, services and processes provide a certain level of cybersecurity (section 65).

Connected and automated cars, electronic medical devices, industrial automation control systems and smart grids are only some examples of sectors in which certification is already widely used or is likely to be used in the near future (section 65).

In this respect, cybersecurity policies should be based on well-developed risk assessment methods, in both the public and private sectors. Risk assessment methods are used at different levels, with no common practice regarding how to apply them efficiently.

Promoting and developing best practices for risk assessment and for interoperable risk management solutions in public-sector and private-sector organisations will increase the level of cybersecurity. The new Regulation prescribes that the European cybersecurity certification framework should be established in a uniform manner in all Member States in order to prevent ‘certification shopping’ based on different levels of stringency in different Member States. European cybersecurity certification schemes should be built on what already exists at international and national level and, if necessary, on technical specifications from forums and consortia, learning from current strong points and assessing and correcting weaknesses (section49).

Furthermore, the manufacturer or provider of ICT products, ICT services or ICT processes who carry out a conformity self-assessment should be able to issue and sign the EU statement of conformity as part of the conformity assessment procedure. The European cybersecurity certification scheme might specify several evaluation levels depending on the rigour and depth
of the evaluation methodology used (sections 79,80 and 81).

For assurance level ‘basic’, the evaluation should be guided at least by the following assurance components: the evaluation should at least include a review of the technical documentation of the ICT product, ICT service or ICT process by the conformity assessment body. For assurance level ‘substantial’, the evaluation, in addition to the requirements for assurance level ‘basic’, should be guided at least by the verification of the compliance of the security functionalities of the ICTs products, services or process with its technical documentation (section 88).

Finally, for assurance level ‘high’, the evaluation, in addition to the requirements for assurance level ‘substantial’, should be guided at least by an efficiency testing which assesses the resistance of the security functionalities of ICT product, ICT service or ICT process against elaborate cyberattacks performed by persons who have significant skills and resources (section 90).

European cybersecurity certification schemes are intended to help harmonise cybersecurity practices and contribute to increasing the level of cybersecurity within the Union. The design of the European cybersecurity certification schemes should take into account and allow for the development of innovations in the field of cybersecurity (section 95).

The cybersecurity certification scheme shall be voluntary unless otherwise specified by Union law or Member State law, which shall lay down the rules on penalties applicable to infringements of this of European cybersecurity certification schemes, and shall take all measures necessary to ensure that they are implemented. The penalties provided for shall be effective, proportionate and dissuasive. 

About the Author:  João Pedro Paro is Regulatory Consultant at Compliance & Risks and Lawyer enrolled in the Brazilian and Portuguese Bar Associations.

You Might Also Read: 

Get Ready For ePrivacy Regulation:

Clayden Law: GPPR Is 1-Year Old:

 

« Psycho-Cyberchology
Ransomware Hits Texas For Six »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

Bromium

Bromium

Bromium deliver a new technology called micro-virtualization to address the enterprise security problem and provide protection for end users against advanced malware.

IronNet Cybersecurity

IronNet Cybersecurity

IronNet’s product and services provide enterprise-wide security management and visibility of your network, users and assets.

Polish Centre for Accreditation (PCA)

Polish Centre for Accreditation (PCA)

PCA is the national accreditation body for Poland. The directory of members provides details of organisations offering certification services for ISO 27001.

SecurityGate

SecurityGate

SecurityGate.io is the only Integrated Risk Management platform built for OT/ICS cybersecurity.

Network Intelligence

Network Intelligence

Network Intelligence delivers a comprehensive suite of AI-powered cybersecurity solutions built on the ADVISE framework.

Charterhouse Voice & Data

Charterhouse Voice & Data

Charterhouse is your trusted technology partner - designing, provisioning and supporting the technology that underpins your operations including network security and data compliance.

Upfront Security

Upfront Security

Upfront Security helps companies with innovative products & services to prevent, recognise and recover from (identity) fraud.

Cybertronium

Cybertronium

Cybertronium is a leader in managing cyber risk. We bring you the latest from the complex, ever-evolving online threat environment with the insights to inspire and the expertise to act.

MoogleLabs

MoogleLabs

MoogleLabs leverage AI/ML, Blockchain, DevOps, and Data Science to come up with the best solutions for diverse businesses.

Iris Powered by Generali

Iris Powered by Generali

Iris Powered by Generali is an identity theft resolution provider. Our offering combines expert assistance and support with user-friendly identity protection technology.

CAT Labs

CAT Labs

CAT Labs is building digital asset recovery and cybersecurity tools to enable governments to fight crypto crime and to protect investors from hacks, fraud and scams.

CypherEye

CypherEye

CypherEye is a next generation trust platform that advances the current state of Multi-factor Authentication (MFA) to enable highly secure, private and auditable cyber-transactions.

InnovateHer

InnovateHer

At InnovateHer, our vision is to make the tech sector more equitable, by increasing diversity across the spectrum and creating more inclusive workplaces.

US Cyber Games

US Cyber Games

US Cyber Games is committed to inform and inspire the broader community on ways to develop tomorrow’s cybersecurity workforce.

rThreat

rThreat

rThreat is a cloud-based SaaS solution that challenges your cyber defenses using real-world and custom threats in a secure environment, ensuring your readiness for attacks.

System Two Security

System Two Security

System Two Security automates detection engineering and threat hunting.