EU Cybersecurity Certification Framework and the Philosopher's Stone

The EU’s new Cybersecurity Act aims to improve EU cyber resilience and response by building upon existing instruments that keep networks and information systems secure. With the Commission’s proposal, the current system could be reformed to remove constraints on the European Union Agency for Network and Information Security (ENISA). Instead, ENISA might become the center of the operation of setting up an EU certification framework.

But why is European Cybersecurity Certification Framework so important, and what’s new when it comes to implementation?

Image credit: Markus Spiske on Unsplash

It Makes a Single Cybersecurity Market Possible

One way in which the cybersecurity market is held back across the EU is undoubtedly a lack of a recognized cybersecurity certification scheme. What we have instead are national certifications which all work in different countries, but most of them aren’t mutually recognized outside of their home base market.

European Cybersecurity Certification Framework could, therefore, eliminate those problems and help create a single cybersecurity market for the EU. A harmonized approach at EU level defines mechanisms that establish EU-wide cybersecurity certification schemes which assess the ICT (Internet and Communications Technology) processes, products and services and make sure they comply with specified security requirements.

It Deals with Important Security Objectives

The European cyber security certification scheme will be so that it accomplishes specific security objectives:

protection of data — this will include protecting data against accidental or unauthorized destruction, loss, storage, access, processing or disclosure;

keeping data records — this provides recording which data was accessed, used or processed, by whom and when, as well as making sure that information is accessible and available to be checked;

quality development of ICT products, processes, and services — these need to be developed, manufactured and supplied according to the security requirements of the particular scheme, as well as making sure they are provided with updated software and hardware that has mechanisms for secure updates and no publicly known vulnerabilities.

Elements of EU Cybersecurity Certification Scheme

Each certification scheme should include items such as subject-matter and scope, type of categories of ICT processes and products and services that it covers. It should also detail how the certification scheme in question suits the needs of the target groups. Where that’s applicable, plans should also include assurance levels and any specific or additional requirements that would guarantee that conformity assessment bodies who are evaluating the cybersecurity requirements are technically competent to do so.

ENISA Prepares Candidate Schemes

Member States can propose the preparation of a candidate European cybersecurity certification scheme and may request ENISA to prepare it. ENISA then makes sure that those schemes are going to be consistent with the overall harmonized standard of candidate scheme preparation. ENISA is also responsible for maintaining a website dedicated to providing information about European cybersecurity certification schemes. It will also review those schemes that were adopted at least every five years to ensure that the feedback from interested parties has been taken into account.

EU Cybersecurity Certification Framework will make it easier for IoT manufacturers and developers to serve the EU market. A unified certification framework across all of EU will reduce the effects a fragmented market has on the online economy.