A new certification framework for Europe: building trust in digital technologies with the new Cybersecurity Act

The European Commission’s proposal for a regulation on ENISA and on Information and Communication Technology cybersecurity certification, also known as “the Cybersecurity Act”, has been a major step towards better prepared and more cyber resilient European Union.

ENISA, the European Cybersecurity Agency, will now have a permanent mandate and its budget will be doubled.

Nevertheless, this new budget will still be less than an average European bank’s.

Hopefully it could be doubled again in 7 years’ time and every 7 years after that.

ENISA will now have reinforced competences for assisting the Member States (MS): it will be empowered to promote security-by- design and privacy-by-design for IT services, products and processes.

It will also be able to deploy technical capabilities in response to cyberattacks at the request of a MS.

My idea was to propose the Agency to have technical capabilities to analyse threat information data at large scale, the ability to conduct forensic analysis on terminal equipment and the ability to analyse malware, among others.

This detailed list of capabilities, however, appears in the text in a summed up version: “necessary resources, including technical and human capabilities and skills”.

Nonetheless, the new capabilities, even if not expressly mentioned, will pave the way for ENISA to one day play a central role in organizing an EU- coordinated response in cases of cyberattacks, in accordance with the procedures set in the Blueprint for rapid emergency response, adopted in the 2017 Cybersecurity package.

This is not the case yet as my wish for the Agency to have its own “EU CERT” was not realized.

Another area where ENISA could play a leading role in the future is by creating a certification scheme for 5G equipment, in accordance with the new cybersecurity certification framework rules discussed below.

Among the new tasks of ENISA is to promote a high level of cybersecurity awareness, including cyber hygiene and cyber literacy among the European citizens and businesses.

The Agency will be supporting the MS by enabling closer coordination and facilitating exchange of best practices.

The aim is to achieve a certain level of cybersecurity risks-related knowledge at all levels: from the young children at school or university students, to experienced professionals or, most importantly, various businesses where the topic is still not properly addressed.

This will also have a crucial role in developing the cybersecurity industry in the EU, in particular SMEs and start-ups.

Also, in order to keep SMEs and start-ups in the game, part of the new European cybersecurity certification scheme will be a conformity self-assessment, which can be carried out by a manufacturer or provider of low complexity ICT products and services with low risk for the public interest.

This will allow for SMEs and start-ups to keep their position on the market by adhering to the new certification rules set at EU level.

An important task related to capacity building is that ENISA is going to assist Member States by organising regular and at least biennial cybersecurity exercises at the Union level.

This is highly insufficient: these exercises need to be organized at least twice a year in order to keep the pace with the fast evolving cyber threats landscape.

The main goal is to achieve better cooperation and partnership between the MS, which will be achieved only partially because of the agreed frequency of exercises.

Nonetheless, ENISA will now have the opportunity to draft policy recommendations based on the evaluation process of the exercises outcome and the lessons learned from the gathered experience.

Another significant point regarding ENISA is that in order to achieve its objectives, it may cooperate with the competent authorities of third countries or with international organisations, in particular NATO and Europol.

Essentially, ENISA will have the freedom to establish working arrangements with the aforementioned organisations. In addition, it will also provide advice and support to the Commission on matters concerning agreements for mutual recognition of cybersecurity certificates with third countries.

The idea behind this it to have our EU standards having worldwide applicability rather than only EU-wide, which for instance could be the case with a successful ENISA-developed 5G certification scheme.

This leads us to the next section of the Cybersecurity Act, the EU cybersecurity certification framework.

An important achievement with this new piece of legislation is that the certification framework is more future proof: there will be no maximum validity of the scheme, which means no additional cost for the companies forced to reissue certificates after a certain time.

From now on, ENISA’s task will be to review the schemes every five years.

I agree with the negotiation team’s final position that a mandatory certification at this stage would not have been a step in the right direction.

In this way, this new certification framework will not be used as advantageous by the big names in the field.

When issuing certificates and EU statements of conformity, national cybersecurity certification authorities will be subject to peer review.

It will cover these authorities’ activities related to the issuance of certificates and whether it adheres to a strict separation of roles and responsibilities.

It will also cover the procedures for monitoring and enforcing the obligations of manufacturers and providers of ICT products or services, among other things.

The peer review will be performed by minimum 2 authorities coming from other MS and the Commission and will be carried out at least once every 5 years.

ENISA can also take part in these reviews. The added value of the peer review is that more tech-savvy MS could help less cybersecurity-prepared countries which will help avoiding fragmentation of the market.

At the final trialogue in December 2018 it was agreed that European Cybersecurity Certification Group (ECCG) will be established.

The ECCG, composed of representatives of the abovementioned national cybersecurity certification authorities, will advise and assist the Commission on the consistent implementation of the Union rolling work programme, a strategic but not legally binding document to serve stakeholders when preparing for future cybersecurity certification schemes.

The ECCG or the Commission could, in duly justified cases, request ENISA to prepare candidate schemes. This brings the necessary balance between the Group and the Commission.

Last but not least, we managed to convince our colleagues from the other EU institutions of the significance of the establishment of a Stakeholder Certification Group (SCG), which will advise the Commission on strategic issues and assist with the preparation of the Union rolling work programme.

ENISA and the Commission will both have a say in the selection process of the members.

Our objective was to reinforce the presence of stakeholders in the process of elaborating the new certificates.

Academia, industry and consumer associations are going to be able to provide advice also to ENISA.

Moreover, in cases of urgency, the SCG will have the power to advise the Commission and the ECCG on establishing new certification schemes not included in the work programme.

Furthermore, ad-hoc working groups that will include relevant stakeholders with expertise on the concrete subject will be set to advise ENISA throughout the development phase of the schemes.

What has not been accepted in the final text of the Cybersecurity Act and will perhaps be included in another EU cybersecurity related legislation, is the establishment of a cybersecurity adviser to the President of the Commission.

In the future, this role could be in the hands of ENISA’s Executive Director or a separate individual.

Such an expert will provide invaluable input to the President on ENISA’s activities, on the national CSIRTs and any cybersecurity strategies.