During the previous weeks, we provided a thorough overview of the EU NIS Directive, focusing on the Operators of Essential Systems (OES), the Digital Service Providers (DSP) and the compliance frameworks. Our review of the EU cybersecurity policy and strategy would be incomplete without mentioning the EU Cybersecurity Act. On 27 June, the European Cybersecurity Act entered into force, setting the new mandate of ENISA, the EU Agency for Cybersecurity, and establishing the European cybersecurity certification framework.
The Cybersecurity Act at a Glance
The EU Cybersecurity Act (“Act”) provides a permanent mandate for the European Network and Information Systems Agency (ENISA), renames it the EU Agency for Cybersecurity, and gives it substantially more authority and resources.
Many of the Act’s provisions further support or advance provisions of the NIS Directive. Most importantly, however, the Act:
- Establishes an EU cybersecurity certification framework for information and communication technology (ICT) products, services, and processes.
- Requires Member States to designate one or more national cybersecurity certification authorities.
- Establishes assessment bodies to determine conformity with the Act.
- Requires Member States to determine penalties for certification violations and infringement of European cybersecurity certification schemes.
The Act is intended to advance trust through an EU-wide certification framework consisting of cybersecurity certification schemes that include common cybersecurity requirements and evaluation criteria across national markets and sectors.
The opening clauses of the Act provide a thorough justification of the need to develop such a certification framework. IoT devices and related ICT products and services “are not sufficiently built-in by design, leading to insufficient cybersecurity.” The Act further notes that “the limited use of certification leads to individual, organizational and business users having insufficient information about the cybersecurity features of ICT products, ICT services, and ICT processes, which undermines trust in digital solutions.”
The ENISA Permanent Mandate
The EU Cybersecurity Act grants a permanent mandate to the agency, allocating more resources and new tasks.
ENISA will have a key role in setting up and maintaining the European cybersecurity certification framework by preparing the technical ground for specific certification schemes and informing the public on the certification schemes as well as the issued certificates through a dedicated website.
ENISA is also mandated to increase operational cooperation at EU level, helping EU Member States that request it to handle cybersecurity incidents and supporting EU-level coordination in the event of large-scale cross-border cyber-attacks and crises.
The EU Cybersecurity Certification Framework
Certification plays a critical role in increasing trust and security in products and services that are crucial for the EU Digital Market. At the moment, there are a number of different security certification schemes for ICT products in the EU, but without a common framework for EU-wide valid cybersecurity certificates, there is an increasing risk of certificate fragmentation.
Title III of the Act sets out the Cybersecurity Certification Framework with the goal of improving the level of cybersecurity in the EU and establishing a harmonized approach to cybersecurity certification of ICT products, services, and processes. Certification is to be approached through the establishment of an EU rolling work program that identifies strategic priorities for the certification of products, services, and processes.
Certification granted will be based on cybersecurity certification schemes, which are “a comprehensive set of rules, technical requirements, standards and procedures that are established at Union level and that apply to the certification or conformity assessment of specific ICT products, ICT services or ICT processes.”
Under the framework, multiple schemes will be created for different categories of ICT products, processes and services. Each certification scheme will specify:
- The categories of products to be covered
- The cybersecurity requirements for each (referencing standards or technical specifications)
- The type of evaluation required (self-assessment or third-party evaluation)
- The intended level of assurance (Basic, Substantial, or High)
To express the cybersecurity risk, a certificate may refer to three assurance levels (basic, substantial, high) that are proportional to the level of the risk associated with the intended use of the product, service or process in terms of the probability and impact of an incident. For example, a high assurance level means that the certified product has passed the highest security tests.
The resulting certificate will be recognized in all EU Member States, making it easier for businesses to trade across borders and for consumers to understand the security features of the product or service.
The governance of the certification framework’s implementation will be guided by two expert groups:
- the European Cybersecurity Certification Group (ECCG) composed of representatives from national cybersecurity certification authorities, and
- the Stakeholder Cybersecurity Certification Group (SCCG).
The SCCG is composed of selected individuals from all relevant stakeholders. Both groups advise the European Commission on the cybersecurity certification framework, advise ENISA on certification and standardization, and assist the Commission with a rolling work program for certification schemes. After the Act became effective, the European Commission issued a call for applications for the SCCG. Private sector organizations would be well-advised to apply for the SCCG so that they may become more informed and involved to protect their organizations’ interests.
The Commission will also prepare the “Union rolling work program for European Cybersecurity Certification,” which will identify strategic priorities for certification and include a list of ICT products, services and processes or categories that may benefit from being included in the scope of a European Cybersecurity Certification Scheme.
Are US-based Businesses Affected?
Short answer: yes. Any business offering ICT products, services, or processes within the EU, whatever its size, is affected by the Cybersecurity Act and should begin monitoring the ENISA and EU websites for updates on EU cybersecurity certification schemes. For example, ENISA recently published two reports supporting the certification framework. In particular, the Standards Supporting Certification report focuses on five distinct areas that already have frameworks, schemes or standards that could potentially evolve into EU candidate cybersecurity certification schemes, namely IoT, cloud infrastructure and services, threat intelligence in the financial sector, electronic health records in healthcare, and qualified trust services.
In addition, US-based companies should consider applying for membership in the SCCG and determine whether they want to obtain certification so they can compete evenly in the EU markets. To do so, they should analyze the risks associated with non-compliance with the certification schemes. The Act allows each Member State to determine penalties for non-compliance or violation of certification schemes. Penalties are, however, required to be “effective, proportionate and dissuasive.”
Marie-José van der Heijden, leader of Deloitte Legal Global Sanctions and Export Controls practice based in The Netherlands, commented that “cross-border offerings are increasingly fraught with compliance issues, and the EU Cybersecurity Act and its certification schemes, particularly as it relates to critical infrastructure companies, will surely impact both EU and U.S. businesses. The learning curve for many companies may be steep.”
Europe aims to be the leading cybersecurity certification and standardization area for ICT products, processes and services. The EU Cybersecurity Act is an opportunity to create a harmonized market for cybersecurity, which promotes closer international cooperation to improve cybersecurity standards, including the need for definitions of common norms of behavior, the adoption of codes of conduct, the use of international standards, and information sharing.