In June 2019, the new EU Cybersecurity Act quietly came into force. It is effectively a Regulation (2019/881), which means it applies verbatim across the Union. The Act confers a permanent mandate on the EU cybersecurity agency ENISA, which sees its remit and budget significantly expanded. ENISA will not only support policy and legal developments, operational cooperation, crisis management, and capacity building in cybersecurity, but also coordinated vulnerability disclosure among EU member states. Most interestingly, the agency has been tasked with setting up a cybersecurity certification framework for ICTs.
The Act establishes a European Cybersecurity Certification Group (the ‘ECCG’) to aid ENISA in developing an EU-wide cybersecurity certification scheme. The framework will cover ICT (Information and Communications Technology) products, ICT services and ICT processes, and will provide three levels of assurance: basic, substantial, and high. The aim is to strengthen the security posture of ICTs within the Union, especially in light of the expanding digital footprint of IoT devices, as well as to enable better cross-border market competition through a uniform certification mechanism.
Further, the certification aims to offer better information to consumers on the security of any given ICT. The manufacturer or provider of a certified ICT will be required to provide supplementary information on secure configuration, installation, deployment, operation and maintenance of the ICT in question, the length of security support (including updates), contact information for receiving vulnerability disclosures, and a link to publicly disclosed vulnerabilities of the particular technology, including any relevant cybersecurity advisories.
Hefty Requirements Set to Pay Long-Term Dividends
The requirements placed on ICT manufacturers and providers willing to certify may seem onerous to those less active on the cybersecurity front, but they are in fact considered standard practice in the industry, even if rarely applied by manufacturers and providers today. Currently, the Act stipulates that the scheme is voluntary, although it may be envisaged that certification of ICTs falling under the ‘high’ assurance level (e.g. those serving critical infrastructures or processing personal data) may well become a regulatory requirement. The Act stipulates that it will be up to Member States to make those decisions, and it is likely that Union countries will adopt the scheme in a similar vein to how the U.S. leverages FIPS and NIST standards.
For the ICT sector, the certification framework may seem like another burdensome scheme that will entail additional liabilities and implementation (and maintenance) costs. However, the scheme offers a number of long-term benefits that will more than offset these initial costs:
- Certified manufacturers/providers will be able to use a single scheme across all 28 member states, officially recognized by both the private and public sectors of those countries, enabling faster and wider market penetration, especially in security-sensitive industries;
- Those certifying at the ‘basic’ level may be able to self-certify to a certain extent, further cutting some of the initial costs of using third-party certification bodies;
- The certification will provide an internationally recognized cybersecurity seal of approval that both industry and consumers can identify at a glance and capitalize on;
- More generally, certification will enable the manufacturer/provider to adopt a better security posture overall, minimizing risk and cutting the costs of cyber threats and attacks in the long run.
The scheme is likely to take a few years before it is ready for adoption, but ICT players should keep a close eye on ENISA’s efforts in this space to ensure that they are closely aligned with the agency’s eventual framework, so that certification is faster and more streamlined when the time comes. Being first to market with an EU-approved certification valid in all 28 member states would give any ICT provider a significant competitive advantage.