A new EU Regulation on cybersecurity promises a more coordinated approach across Europe. The new law will set up a framework for the establishment of European cybersecurity certification schemes. The intention is to prevent “certification shopping” based on different levels of stringency among member states. Certification will be voluntary initially, but regular assessments will be carried out to determine whether certification of particular products or services should become compulsory.
The cybersecurity certification framework will offer
“a mechanism to establish European cybersecurity certification schemes and to attest that the ICT products, ICT services and ICT processes that have been evaluated in accordance with such schemes comply with specified security requirements for the purpose of protecting the availability, authenticity, integrity or confidentiality of stored or transmitted or processed data or the functions or services offered by, or accessible via, those products, services and processes throughout their life cycle.”
Certification schemes will be able to specify assurance levels of “basic”, “substantial” and “high”. “Basic” level envisages a review of technical documentation to ensure that the product or service will minimise the known basic risks of incidents and cyberattacks. “Substantial” level is aimed at addressing known cybersecurity risks and the risk of incidents and cyberattacks carried out by actors with limited skills and resources. Evaluation will include testing to show effectiveness.
For a “high” level of assurance, evaluation will address the risk of state-of-the-art cyberattacks carried out by actors with significant skills and resources, and will involve penetration testing.
Certification schemes will have the option of permitting organisations to self-assess at the “basic” assurance level. Otherwise they are likely to require assessment by a conformity assessment body.
European cybersecurity certification schemes, European cybersecurity certificates and EU statements of conformity will be published on an ENISA website.
Once the scheme is up and running, overlapping national cybersecurity certification schemes will be ruled out.
Most of the Regulation will come into effect on 27 June. However, the elements requiring specific activity by member states have a later deadline of 28 June 2021. It is unclear what status the UK will have as part of the EU by that date. It is possible that a transition period will be in place, meaning that the UK will have to take steps to set up accreditation bodies and provide for remedies and penalties for non-compliance.
The certification scheme will operate much more broadly than the NIS Directive system established in 2016. The NIS Directive focused on services that are essential to the normal functioning of society, like health, transport and energy. It also delegated responsibility to member states acting in cooperation but through their own legal structures and bodies. In contrast, the new scheme will potentially involve all digital products and services, and there will be reduced scope for national governments to control how it works.
The new law will also establish the EU cybersecurity body ENISA on a permanent basis. Originally set up in 2004, ENISA has been living hand to mouth since then, relying on defined-term renewals of its role and funding.