Following a political agreement at the end of 2018, earlier this week the European Parliament approved a new cybersecurity regulation known as the EU “Cybersecurity Act”. This forms part of the EU’s Cyber Package, first announced in September 2017 (which we blogged about here).
In addition to reinforcing the mandate of ENISA — now to be known as the EU Agency for Cybersecurity — the new regulation establishes an EU cybersecurity certification framework. This framework is intended to increase the transparency of the cybersecurity assurance of ICT products, services and processes, and thereby improve trust and help end users make informed choices. Another key reason for the framework is to avoid the multiplication of conflicting or overlapping national certifications and thus reduce costs.
Under the regulation, the Commission is empowered to adopt European cybersecurity certification schemes, prepared by ENISA, concerning specific groups of ICT products, services and processes. The schemes could cover, for example, ICT products, services and processes that are used in cars, airplanes, power plants, medical devices, as well as Internet-connected consumer devices.
Among many other details, each certification scheme will set out the subject matter and scope of the scheme, including the type or categories of ICT products, services and processes covered; a clear description of the purpose of the scheme; references to the international, European or national standards applied in the evaluation or other technical specifications; information on assurance levels (explained in more detail below); and an indication of whether conformity self-assessment is permitted under the scheme (also explained in more detail below).
The Commission is tasked with preparing, with the support of stakeholder groups, “a Union rolling work programme” for European cybersecurity certification schemes. This will be published in order to allow industry, national authorities and standardization bodies to prepare for future European cybersecurity certification schemes.
The regulation (at nearly 175 pages) and the framework are quite detailed. We set out key elements below.
Key elements of the new EU cybersecurity certification framework
- Importantly, the framework creates a mechanism to establish European cybersecurity certification schemes based on existing European or international standards. The regulation recognizes that the certification schemes “should be non-discriminatory and based on European or international standards.”
- The schemes will be implemented and supervised by national cybersecurity certification authorities. Certification schemes operated by industry or other private organizations fall outside of the scope of the regulation, but may be proposed and approved as formal European cybersecurity certification schemes.
- New schemes will replace existing national certification schemes – with the exception of schemes for national security purposes – and certificates should be recognized throughout the Union. This is in order to avoid companies, for example, having to certify to multiple national schemes in order to participate in national procurement procedures. (The regulation recognizes that existing mutual recognition of certificates within the Union has only been partly successful.) Once a certification scheme is adopted, manufacturers of relevant products, services and processes should be able to submit an application for certification to a conformity assessment body of their choice anywhere in the Union. Certificates issued under schemes also should be valid and recognized throughout the Union.
- The schemes and certificates issued under the schemes may specify different assurance levels: ‘basic’, ‘substantial’ or ‘high.’ Assurance levels are intended to be commensurate with the level of risk associated with the intended use of the ICT product, service or process “in terms of the probability and impact of an incident.” Security requirements corresponding to each assurance level are intended to reflect the “rigour and depth of the evaluation” of the ICT product, service or process.
- In addition to more formal certification, certification schemes may provide for “conformity self-assessment.” However, conformity self-assessment is only for low complexity ICT products, services or processes that present a low risk to the public and correspond to assurance level ‘basic.’
- The new certification schemes initially will be voluntary. That said, the Commission is required to evaluate by 2023 whether specific schemes should become mandatory for certain ICT products, services or processes.
- EU Member States will establish penalties for infringing European cybersecurity certification schemes. Penalties must be “effective, proportionate and dissuasive.”
ENISA’s role and involvement of stakeholders
As part of its role to prepare new European cybersecurity certification schemes, ENISA will maintain a website that provides information on and publicizes the schemes, consultations, and national cybersecurity certification schemes that have been replaced.
ENISA is also tasked under the regulation with disseminating information regarding the level of the cybersecurity of ICT products, services and processes, and also with issuing warnings targeting manufacturers or providers of ICT services or processes and requiring them to improve security.
ENISA will be required to regularly consult standardization organizations, in particular European standardization organizations, when preparing candidate schemes. ENISA also will establish an ENISA Advisory Group as an advisory body to ensure regular dialogue with the private sector, consumers’ organizations and other relevant stakeholders. The regulation also establishes a “Stakeholder Cybersecurity Certification Group,” composed of experts from relevant stakeholders, that is charged with advising ENISA and the Commission on cybersecurity certification and related matters.
The Cybersecurity Act now needs to be approved by the Council and will come into force 20 days after being published. It is expected that the first Union rolling work programme for European Cybersecurity Certification, identifying strategic priorities for cybersecurity certification schemes, will be published within a year of the regulation coming into force.