European Commission wants ENISA to introduce EU-wide cybersecurity certification scheme

“Cyber security attacks know no borders and no one is immune,” European Commission President Jean-Claude Juncker noted in his State of the Union Speech on Wednesday. He also said they can be more dangerous to the stability of democracies and economies than guns and tanks.

EU-wide cybersecurity certification scheme

European Commission President Jean-Claude Juncker

With that in mind, the European Union needs a strong cybersecurity agency, and the Commission has submitted a proposal for a regulation aimed at strengthening the role of ENISA, the Union’s Greece-based Agency for Network and Information Security.

Details of the proposal

Following a review of ENISA’s mandate, and a conclusion that it must be broadened to meet the challenges of a changing cybersecurity ecosystem, the proposal would help the agency:

  • Increase capabilities and preparedness of Member States and businesses;
  • Improve cooperation and coordination across Member States and EU
    institutions, agencies and bodies;
  • Increase EU level capabilities to complement the action of Member States, in particular in the case of cross-border cyber crises;
  • Increase awareness of citizens and businesses on cybersecurity issues;
  • Increase the overall transparency of cybersecurity assurance of ICT products and services to strengthen trust in the digital single market and in digital innovation.

Naturally, if the proposal is accepted, ENISA will be given more resources and will have to hire additional staff members – according to Euractiv, 40 in total.

An EU-wide certification scheme

As mentioned before, under the new proposal, ENISA would be tasked with drafting certification rules that will apply to information and communications technology products across the EU.

“The general purpose of a European cybersecurity certification scheme is to attest that the ICT products and services that have been certified in accordance with such scheme comply with specified cybersecurity requirements. This for instance would include their ability to protect data (whether stored, transmitted or otherwise processed) against accidental or unauthorised storage, processing, access, disclosure, destruction, accidental loss or alteration,” the proposal states.

“EU cybersecurity certification schemes would make use of existing standards in relation to the technical requirements and evaluation procedures that the products need to comply with and would not develop the technical standards themselves. For instance, an EU-wide certification for products such as smart cards, which are currently tested against international CC standards under the multilateral SOG-IS scheme, would mean making this scheme valid throughout the EU.”

Such a EU-wide certification scheme will result in similar national ones ceasing to apply. The goal is to unify the effort, and make it so that companies don’t have to be certified individually in each member state (with different testing methodologies, cybersecurity certification procedures, and on different technical requirements).

But, as certification can be a very expensive process and could, therefore, result in higher product/service prices, cybersecurity certification will remain voluntary.

ENISA asks for advisors

The report also details the agency’s proposed administrative and management structure, which will include a Permanent Stakeholders’ Group.

The PSG’s task will be to advise the agency in respect of the performance of its activities, and will be composed of up to 33 members that will either be:

  • Recognised experts from the ICT industry, providers of electronic communications networks or services, consumer groups, academic experts in the cybersecurity arena (they will not represent a country, nor a company, but will be selected upon the basis of their own specific expertise and personal merits), and
  • Representatives of competent authorities, law enforcement agencies and data protection supervisory authorities.

In fact, ENISA has already asked for interested parties to apply for a membership in the group – the deadline for submitting an applications is October 4th.

Don't miss