To enhance cyber resilience, the EU is building a certification framework for information and communication technology (ICT) products, services and processes. On 8 June 2018, the Council agreed a Proposal (known as the Cybersecurity Act) to prepare for negotiations with the European Parliament to finalise the text.
One of the effects of the Proposal is that it will upgrade the current European Union Agency for Network and Information Security (ENISA) into a more stable EU agency for cybersecurity.
The Proposal introduces a tool to create a more comprehensive regulatory framework for specific ICT processes, products and services designed to help ensure compliance with specified cybersecurity requirements.
Certificates issued under the scheme will be recognised, legally, across the EU. This will therefore have the dual effect of building trust in users – given the technology certification will mean the technology has received the European-security stamp – and enabling businesses to carry out their business cross-border. The resilience behind the technology in relation to accidental or malicious data loss or alteration will be certified.
This certification scheme addresses the barriers in the EU where Member States have implemented different standards to one another, for example Member States have issued regulations which improve country-specific requirements around security.
The details of this certification scheme and its requirements will, in particular, be important to network and data service operators, including cloud computing service providers.
The certification will be optional unless it is specified as a legal requirement under an EU law or Member State law.
A centre of excellence and resource for cybersecurity
Some key points to note in the cybersecurity space:
- The first piece of European legislation – the Directive on security of network and information systems (NIS Directive) (Directive (EU) 2016/1148) – had already given ENISA a key role in supporting its implementation. The Proposal legitimises ENISA. ENISA will support Member States, EU institutions and other stakeholders on cyber issues.
- The proposal explicitly mentions the role of the EU agency for cybersecurity. The EU agency will organise steady EU-level cybersecurity training, such as organising annual pan-European cybersecurity exercises. Further, it will support and promote EU policy on cybersecurity certification and advise Member States on implementation of the NIS Directive and will facilitate information sharing between the agency itself and the member states.
The Proposal creates a mechanism that will contain three different assurance levels: basic, substantial and high.
For the basic level, it will be possible for manufacturers or service providers to carry out the conformity assessment themselves. The general bases for cybersecurity requirements for EU personal data are provided by specific instruments, such as the NIS Directive and will be covered further under the EECC and the ePrivacy legislation (which replaces the ePrivacy Directive when in force).These will coexist with the General Data Protection Regulation.
This new certification framework will certainly increase trust and confidence around innovation in the technology space. Businesses should consider the developments in the EU’s cybersecurity regulatory framework and design and implement their security compliance programs accordingly.
We will watch closely as to how these negotiations develop within the European Parliament.