On May 29, 2018, the Council of the European Union released a proposal for the future of cybersecurity regulation in Europe (the “EU Cybersecurity Act”). At a time of increased cybersecurity risks, the EU Cybersecurity Act would strengthen the powers of the European Union Agency for Network and Information Security (“ENISA”) by making it a permanent agency of the European Union (“EU”). The EU Cybersecurity Act would also create a European cybersecurity certification framework for information and communications technology (“ICT”) goods. The goal of the EU Cybersecurity Act is to build cyber resilience and response capabilities within the EU. Harmonizing standards to promote efficiency is also a central theme of the EU’s Digital Single Market strategy.
The EU Cybersecurity Act is an output of a broader Cybersecurity Package which was first introduced in 2017 before going through several impact assessments and a comment period. To become law, the proposal will have to be approved by the European Parliament.
EU Cybersecurity Agency
The first major policy in the EU Cybersecurity Act is the designation of ENISA as a permanent EU cybersecurity agency. ENISA was originally created in 2004 as a temporary EU agency focused on Network and Information Security. Since then, the growing issue of cybersecurity has prompted the agency’s mandate to be extended and expanded. Today ENISA organizes European cyber crisis exercises to test resiliency capabilities, supports national Cyber Security Incident Response Teams (“CSIRTs”), and provides a forum for sharing of information and best practices.
Under the EU Cybersecurity Act, ENISA’s mandate would remain focused on policy development and implementation. The agency would continue to be a reference point for cybersecurity policy and work with national CSIRTs in their response to cybersecurity incidents. However, the scope of ENISA’s mandate would also be broadened. ENISA would play a greater role on the European and global stage by facilitating implementation of the European Commission’s Recommendation on Coordinated Response to Large-Scale Cybersecurity Incidents and Crises, assisting with the development of international standards, and supervising the Europe-wide cybersecurity certification framework for ICT devices.
Cybersecurity Certification System
The second major policy introduced in the EU Cybersecurity Act is the concept of a cybersecurity certification framework. The goal of this proposal is to prevent the unnecessary fragmentation that results when member states adopt separate standards. This has the potential to assist businesses by lowering the cost of certifying their products in several different jurisdictions. The proposed certification framework would also involve the mutual recognition of certified products by different EU members. This would make it easier for companies to go to market quickly because they would not have to certify in multiple countries.
There are several potential benefits of a common cybersecurity certification framework. Common standards would make it easier to develop interoperable products. This may lead to fewer gaps in the cybersecurity of networks with highly differentiated nodes. An EU-wide standard would also be intended to increase consumer trust in ICT products which have been certified, thus encouraging commerce and the use of more smart devices. Marks or labels for certified products may be used to accomplish this objective.
The EU Cybersecurity Act outlines some of the elements which would be required for any finalized cybersecurity certification framework. First, a certification framework would need specific requirements for assessment bodies at the national level to ensure they have the technical competence to evaluate products. Second, a certification framework would need clearly defined evaluation criteria as well as rules for monitoring compliance and granting and renewing a cybersecurity certification. A cybersecurity certification framework would also need to have a process for reporting and addressing previously undetected vulnerabilities.
The EU Cybersecurity Act contemplates different methods of executing a certification system. For example, certification could be done by private sector actors conducting conformity self-assessments against a pre-published standard. This concept is imperfect because of the possibility of self-interested bias in self-certification. Alternatively, ENISA and national level regulators could conduct an end-to-end certification process, including verification checks and product testing. While this would eliminate the self-interest problem, it would likely also be slower and more expensive. More likely, the end result will be some combination of the two processes, varying by product type.
There are still several open questions surrounding the proposed cybersecurity certification framework. It is unclear if the European Commission will issue general or sector-specific cybersecurity guidelines. Since the cybersecurity needs of different products and services vary considerably, it is difficult to come up with a one-size-fits-all standard. It is also unclear what the remedies would be for products found to fall short of the standard. On an international level, it is unclear how a proposed European cybersecurity certification framework would work with other countries. These questions need to be addressed in order to create an effective cybersecurity certification framework.
Implications for Canada
The EU Cybersecurity Act highlights two major trends. First, as digitalization and more connected devices have increased cybersecurity risks, cybersecurity has become an important issue for governments. As a result, the agencies associated with cybersecurity preparedness have seen their portfolios expand. Australia has recently expanded the Australian Cyber Security Centre and the United States is currently reassessing its cyber strategy (see our blog post on the recent cybersecurity and privacy Executive Order). Canada’s government is currently considering substantial revisions to the Personal Information Protection and Electronic Documents Act (see our blog post), and the Office of the Superintendent of Financial Institutions and the Investment Industry Regulatory Organization of Canada have issued cybersecurity guidance. Canadian businesses should therefore monitor whether the trend of increased government and regulatory action regarding cybersecurity will continue in Canada.
The second trend highlighted by the EU Cybersecurity Act is the need for international cooperation. Cross-border cybersecurity incidents have become increasingly common and necessitate an integrated global response. The proposed EU cybersecurity certification framework is just one part of this effort. Since ICT products have complicated global supply chains, the EU may have to negotiate with countries like Canada for mutual recognition of certification systems for different component goods. Canada’s place in this global cybersecurity environment is still being determined.