A Bumpy Road for the EU’s Cybersecurity Certification Schemes

In 2019, the European Union (EU) Cybersecurity Act (Regulation (EU) 2019/881) tasked the European Union Agency for Cybersecurity (ENISA) with “the establishment and maintenance of a European cybersecurity certification framework …  with a view to increasing the transparency of the cybersecurity of ICT products, ICT services and ICT processes.” Under this framework, ENISA is to develop several different certification schemes for Information and Communications Technology (ICT), all open to public consultation. It has already proposed drafts for two of these candidates, the EU Cybersecurity Certification Scheme (EUCC), which aligns itself with Common Criteria ISO/IEC 15408, as well as the Cybersecurity Certification Scheme for Cloud Services (EUCS).

Both proposals have received a lukewarm response from member states and industry bodies. From an industry perspective, AmCham EU, the BSA Software Alliance, CCIA Europe, and the ITI Council, published a joint industry statement to express concerns over some of the EUCS elements. Similarly, GlobalPlatform, an industry-led technical standards organization, published an analysis on the EUCC, highlighting misalignment between the proposed scheme and established industry approaches.

The concerns expressed with regard to the schemes are different. The issues raised with the EUCS are more political in nature, dealing with concerns from mainly U.S.-based interests and their ability to provide their offerings to the EU internal market. At core is the issue of data sovereignty, which is perceived by U.S. industry as being anticompetitive. The EU’s interest here is preserving Europe’s privacy from misuse by foreign entities. This dichotomy reflects a deep chasm in how privacy is dealt with on either side of the Atlantic. U.S. providers have their own concerns, fearing that the EUCS will raise barriers to entry to the EU internal market and be a significant cost to implement from their end, eating away at their profit margins.

The EUCC proposal, on the other hand, has led to concerns that are more technical in nature. The challenges here concern the security assurance levels proposed by the EUCC, which do not seem to match those that have been established and accepted by the security industry, to date. The specifications developed by bodies, such as GlobalPlatform, EMVCo, GSMA, FIDO Alliance, and TCG, among others, have all become de facto standards through mass market adoption. The EUCC introduces two levels of security assurance: high and substantial. The main point of contention with the EUCC is that “where a European cybersecurity certification scheme … requires an assurance level ‘high’, the European cybersecurity certificate under that scheme is to be issued only by a national cybersecurity certification authority.” This would mean that even the highest level in a certification from globally-recognized industry standardization bodies would only be recognized as substantial at best. The other problem is that the EUCC's "high" includes levels of security that many in the industry consider as being "substantial," so Europe will issue a high certificate (mixing both security levels of high and substantial). This is likely to dilute the potency of security certification in a market that is already governed by well-established industry standards.

Public policy and regulation are always a contentious issue for an industry, especially for instituted and successful ones. However, industry concerns can be wildly divergent, from the clearly legitimate to the contemptibly exploitative. The opposition to the EUCS is focused on cloud providers’ ability to continue to compete in the EU internal market, while minimizing the impact of potential certification requirements that would curb this ability. The industry concern here is an economic one and fails to recognize the underlying impetus for EU data protection in the first place, which is to minimize the possibility of extraterritorial and unauthorized access by foreign entities to European citizen data, a legitimate EU concern. The merits of the EUCS are being debated at the nation-state level, and have become very politicized, and no doubt heavily influenced by industry lobbies.

The debate around the EUCC is another matter altogether, focused much more technically on specifications and standards. There is a legitimate concern here on ensuring continued stability and confidence in established security standards. The EUCC is a welcome initiative from industry bodies, as it aims to enshrine and promote a shared vision, in particular the use of security standards more globally. Yet, the issue is that its current wording may well do just the opposite by inadvertently watering down existing industry standards, creating confusion in the market. The best course of action would be for ENISA to allow industry standards to obtain “high” security assurance levels.

Ultimately, ENISA, and the EU, more broadly, are set on an ambitious regulatory path for cybersecurity, and they are not content to remain silent on issues that have long been left to the industry. The Schrems judgements (and, in particular, Schrems II) are just another case in point driving home the need for the EU to take preemptive action on that front. However, there are as many highly relevant and valuable industry efforts that should not be ignored as there are exploitative practices that need to be quashed. The EU should ensure that it does not inadvertently stifle existing foundations stemming from industry best practices and standards in its bid to strengthen trust in the digital internal market.