On 29 May 2018, the Council of the European Union issued its proposal for the regulation of the European Union Agency for Network and Information Security (“ENISA”) and information and communication technology cybersecurity certification (the “EU Cybersecurity Act”). The proposal had two areas of focus: the first was to strengthen the powers of ENISA by making it a permanent agency of the EU; the second was to establish a European cybersecurity certification framework to ensure the application of a common cybersecurity certification for information and communications technology (“ICT”) goods. The proposal was adopted on 27 March 2019 and enters into force 20 days after its publication.
Why was this introduced?
The intention behind the proposed introduction of this voluntary cybersecurity certification framework is to set a central standard, thereby avoiding a splintered approach in which Member States adopt their own separate standards. The Cybersecurity Act gives the EU Commission the authority to adopt cybersecurity certification schemes which will apply across the EU, once agreement is reached at EU level on the security standards for each ICT product or service. The proposed certification framework includes a single certification supported by the mutual recognition of certified products by the different Member States. Certification is intended to offer confirmation and assurance that ICT products and services are cyber-secure.
The EU Cybersecurity Act outlines some of the elements which will be required for any finalised cybersecurity certification framework. The certification framework will need to detail the specific requirements for assessment bodies at the national level to ensure they are technically competent to evaluate products. The certification framework will also need to set out clearly defined evaluation criteria as well as rules for monitoring compliance and for granting and renewing a cybersecurity certification.
How does it work?
Under the proposed framework, ENISA, working with a European Cybersecurity Certification Group, will be responsible for designing certification schemes for products and services which will work within a number of pre-defined objectives, such as (i) protecting data against accidental or unauthorised storage, processing, access, disclosure, destruction, loss or alteration, (ii) ensuring only authorised persons, programs and machines can access the protected data, (iii) recording transactions related to the protected data, (iv) making sure data transactions can be inspected, (v) recovering data in case of information security incidents, and (vi) requiring that ICT products and services be provided using secure software applications. For now, the schemes are voluntary; however, by 2034 the EU Commission will decide whether any of the voluntary schemes should be made mandatory in respect of the products to which they apply.
Once a relevant scheme has been established, the manufacturers of ICT products or providers of ICT services may then voluntarily apply to the assessment body of their choice to seek certification for their products or services. ENISA will then review any adopted certification schemes every five years to ensure they continue to meet the criteria designated in the Act. Any existing national schemes will be replaced with the new EU-wide frameworks. However, the EU-wide certification schemes will still be supervised by national supervisory authorities designated by Member States.
ICT products and services that comply with the certification framework will be certified by conformity assessment bodies at one of three assurance levels, namely basic, substantial and high. The maximum validity of a certificate will be five years, with the possibility of renewal.
The proposals for a harmonised approach to certification received general support during the public consultation, but some criticism and concern have been expressed over ENISA's governance of the IT framework, the lack of EU definitions of resilience and deterrence, and uncertainty over the legal authority of the framework. Inevitably, frustration has also been expressed over the apparent avoidance of any attempt to harmonise criminal law approaches to cybercrime and to adopt a harmonised approach to encryption.
From a banking perspective, concerns have been raised over the potential fragmentation that might be expected from having different regulators and supervisors. The concern points to the adoption of the NISD, PSD2 and ECB as immediately referable evidence of the problems caused by differing Member State adoption. Banking stakeholders also raised a concern over the overlap issues that may arise, of the kind already seen in the overlap between the GDPR and the NISD.