The EU cybersecurity certification Framework

Cyber-attacks are on the rise, and they are becoming more sophisticated. Our current business model is globally interconnected; commercial transactions and even social life transcend national borders. Consequently, our exposure to cyber-attacks has increased, yet the competences of the cybersecurity and police authorities, as well as the political responses, remain predominantly national.

This situation has made the European authorities aware of the need to address these threats in an effective and coordinated way, basing their actions on policies that deal specifically with cybersecurity within the European Union. The aim is thus to improve cooperation, exchange of information and coordination between the Member States and the institutions, bodies, offices and agencies of the Union.

As part of the Digital Single Market Strategy, Regulation (EU) 2019/881 on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification was adopted, and it came into force on June 27, 2019.

This new Regulation has two main objectives. On the one hand, it gives ENISA (the European Agency for Cybersecurity, now named the European Union Agency for Cybersecurity) a greater role in the field of cybersecurity by assigning it a series of objectives and tasks. On the other hand, it creates a common certification framework at European level, with the aim of guaranteeing an adequate level of cybersecurity for ICT products, services and processes in the EU and avoiding the fragmentation of the internal market.

Concerning the first objective, the first substantive point of the Regulation is to give more powers to the European Union Agency for Cybersecurity (ENISA). It now has a permanent mandate that facilitates the exercise of its newly assumed functions, one of which is to increase cooperation on cybersecurity within the Union, for example in cases of large-scale cyber-attacks or cross-border crises. This strengthening is also reflected in ENISA’s economic resources, which increase from 11 to 23 million euros over a period of five years.

It is noteworthy that the Regulation also focuses on users, addressing concepts such as users’ awareness and the application of good practices online. Both public bodies and private stakeholders will receive recommendations on the secure configuration and maintenance of their devices, on the availability and duration of updates, and on the perceived risks.

With regard to the second objective, the Regulation creates a framework for European Cybersecurity Certificates for products, processes and services that will be valid throughout the EU. It is the first piece of EU internal-market legislation to take up the challenge of enhancing the security of connected products, Internet of Things devices and critical infrastructure through such certificates.

The cybersecurity certification framework promotes the incorporation of security features into ICT products, services and processes at the early stages of their technical design and development (security by design). It also enables users to ascertain the level of security assurance, and ensures that these security features are independently verified.

More concretely, the certification framework will provide EU-wide certification schemes, each consisting of a comprehensive set of rules, technical requirements, standards and procedures. Each scheme will be based on an agreement at EU level on how to evaluate the security properties of a specific category of ICT product or service, for instance smart cards, and will attest that ICT products and services certified under it comply with specified requirements. In particular, each European scheme should specify: a) the categories of products and services covered; b) the cybersecurity requirements, for example by reference to standards or technical specifications; c) the type of evaluation, such as self-assessment or third-party evaluation; and d) the intended level of assurance, for instance basic, substantial and/or high.

ENISA’s mandate takes effect immediately upon the entry into force of the Regulation, whereas the cybersecurity certification framework still has to be developed. In this respect, the Commission’s agenda already includes the submission of requests to ENISA for the preparation of candidate certification schemes, as well as the creation of expert groups on cybersecurity.

Finally, the Regulation seeks not only to increase users’ confidence in the use of connected devices, but also to strengthen the European cybersecurity industry and the European Single Market, positioning it as a global benchmark alongside other markets such as the United States or China.

With significant expertise in protecting innovative products and designs, and in defending intellectual property rights on the Internet, Dreyfus is well positioned to assist you in enhancing your assets on the web.