Questions and Answers – EU Cybersecurity
What has the EU done so far to reinforce cybersecurity?
The EU now has a range of instruments to protect electronic communications networks, including the Directive on Security of Network and Information Systems (NIS Directive), the EU Cybersecurity Act, and the new telecoms rules.
The Directive has introduced new mechanisms for cooperation at EU level, measures to increase national capabilities and obligations for operators of essential services and digital service providers to adopt risk management practices and report significant incidents to the national authorities.
The Cybersecurity Act introduces, for the first time, EU wide rules for the cybersecurity certification of products, processes and services. In addition, the Cybersecurity Act sets a new permanent mandate for the EU Agency for Cybersecurity (ENISA), as well as more resources allocated to the Agency to enable it to fulfil its goals.
According to the new telecoms rules (Electronic Communications Code), Member States have to ensure that the integrity and security of public communications networks are maintained, with obligations to ensure that operators take technical and organisational measures to appropriately manage any risks to the security of networks and services. It also provides that competent national regulatory authorities have powers, including the power to issue binding instructions and ensure compliance with them. In addition, Member States can attach conditions concerning the security of public networks against unauthorised access to the general authorisations for operators, for the purpose of protecting the confidentiality of communications.
Finally, in May 2019, the Council established a sanctions regime, which allows the EU to impose targeted restrictive measures to deter and respond to cyber-attacks which constitute an external threat to the EU and its Member States. The new sanctions regime is part of the EU’s cyber diplomacy toolbox, a framework for a joint EU diplomatic response to malicious cyber activities that allows the EU to make full use of measures within the Common Foreign and Security Policy, including statements by the High Representative, diplomatic demarches and, if necessary, restrictive measures, to respond to malicious cyber activities.
What is the EU Cybersecurity Certification Framework and what are its advantages?
A European cybersecurity certification scheme is a comprehensive set of rules, technical requirements, standards and procedures, agreed at European level for the evaluation of the cybersecurity properties of a specific product, service or process.
Cybersecurity certification plays an important role in increasing trust and security in products, services and processes that are crucial for the proper functioning of the Digital Single Market. Given the large diversity and many uses of ICT products, services and processes, the European Cybersecurity Certification framework enables the creation of tailored and risk-based EU certification schemes.
In particular, each European scheme should specify: a) the categories of products and services covered, b) the cybersecurity requirements, for example by reference to standards or technical specifications, c) the type of evaluation (e.g. self-assessment or third party evaluation), and d) the intended level of assurance (e.g. basic, substantial and/or high).
To express the cybersecurity risk, a certificate may refer to three assurance levels (basic, substantial, high) that are commensurate with the level of the risk associated with the intended use of the product, service or process, in terms of the probability and impact of an incident. For example, a high assurance level means that the product that was certified has passed the highest security tests.
The resulting certificate will be recognised in all Member States, making it easier for businesses to trade across borders and for users to understand the security features of the product or service. This allows for beneficial competition between providers across the whole EU market, resulting in better products and higher value for money.
Security by design: The Framework also encourages manufacturers or providers involved in the design and development of products, services or processes to implement measures at the earliest stages of design and development. This allows the security of those products, services or processes to be protected to the highest possible degree, in such a way that the occurrence of cyberattacks is anticipated and minimised (“security-by-design”).
The European certification framework will rely as much as possible on international standards as a way to avoid creating trade barriers or technical interoperability problems.
Who will benefit from this certification framework and how?
The ability to understand whether a product, system or service meets specific requirements lies at the heart of being able to trust the digital systems we rely on. The Framework will be therefore useful for:
- Citizens and end-users (e.g. operators of essential services), who will be able to make more informed purchase decisions related to products and services on which they rely on a daily basis. For example, a citizen who is considering purchasing a Smart TV and is aware of the cybersecurity risks involved when connecting smart objects to the Internet will be able to consult the European Cybersecurity Certification website of the EU Agency for Cybersecurity. They will be able to find a model that has been certified against the appropriate cybersecurity requirements, guidance from the vendor on how to set up, configure and operate the TV in a secure way, and for how long the vendor commits to provide cybersecurity patches if new vulnerabilities are found.
- Vendors and providers of products and services (including small and medium-sized enterprises (SMEs) and new businesses), who will enjoy cost and time savings as they will undergo a single process for obtaining a European certificate which is valid, and therefore allows them to compete effectively, in all Member States. Besides, vendors of ICT products and services will be keen to make buyers aware of the certification, possibly by using a specific label linked to the certificate.
- Governments, who, like all individual and commercial buyers, will be better equipped to make informed purchase decisions.
To add further value to cybersecurity certification, manufacturers or providers of certified products, services or processes, including those for which an EU statement of conformity has been issued, shall provide specific supplementary cybersecurity information (e.g. guidance and recommendations to assist end users with secure configuration, installation, deployment, operation and maintenance of the products or services, etc.).
What will the added value of the Framework be for SMEs and start-ups, in particular?
SMEs and new businesses traditionally face more difficulties in expanding into new markets with different requirements. The Framework will help reduce such market-entry barriers for SMEs and new businesses because companies will have to undergo the certification process of their products only once and the corresponding certificate will be valid across the EU. Furthermore, as the demand for more secure solutions is expected to rise worldwide, companies, including SMEs, whose products are certified, will enjoy a competitive advantage to satisfy such a need. Moreover, the possibility for companies to self-attest conformity with security requirements for products, processes and services that present low risk makes the Framework even more attractive for SMEs and new businesses.
Take the example of an SME that develops and sells ICT applications to larger companies that require certain assurances that the applications are appropriately secure and that they have been developed following best practices when it comes to secure coding. Using a European Cybersecurity Certificate, that SME can demonstrate both the security of its products as well as its secure development practices, hence meeting the requirements of its clients not only in one Member State, as is often the case today, but also across the entire EU.
Will cybersecurity certification become mandatory?
Schemes established under the Framework are voluntary, i.e. vendors can decide themselves whether they would like their products to be certified under them. However, the Cybersecurity Act foresees that the Commission shall assess the efficiency and use of the adopted European cybersecurity certification schemes. In particular, it will assess whether a specific European cybersecurity certification scheme should become mandatory through relevant EU legislation to ensure an adequate level of cybersecurity of ICT products, services and processes and improve the functioning of the internal market. Moreover, other legislation at national or EU level could make use of existing schemes as a simple way to describe future obligations on products or systems.
How is the EU Agency for Cybersecurity being reinforced?
Until now the EU Agency for Cybersecurity had a temporary mandate, which was renewed last time in 2013 and was set to expire in 2020. The Cybersecurity Act gave the Agency a permanent mandate, thus putting it on a stable footing for the future.
The current tasks of the EU Agency for Cybersecurity, such as supporting policy development and implementation as well as cyber capacity building, have been strengthened and refocused. New tasks have been added, most prominently regarding cybersecurity certification.
The new mandate incorporates additional important tasks already entrusted to the EU Agency for Cybersecurity by the NIS Directive, which was agreed in 2016, such as the role of the secretariat of the Computer Security Incident Response Teams (CSIRTs) Network that brings together national CSIRTs of EU Member States. In order to fulfil these increased responsibilities the Agency’s staff can grow by 50% and the financial resources are doubled, increasing from 11 to 23 million EUR over a period of 5 years.
What are the main tasks of the EU Agency for Cybersecurity under the new mandate?
- Support to policy implementation in the area of cybersecurity, especially the NIS Directive, as well as to other policy initiatives with cybersecurity elements in different sectors (e.g. energy, transport, finance). The EU Agency for Cybersecurity will also assist Member States in the implementation of specific cybersecurity aspects of Union policy and law relating to data protection and privacy.
- Cybersecurity capacity building, for example with training to help improve EU and national public authorities’ capabilities and expertise, including on incident response and on the supervision of cybersecurity-related regulatory measures.
- Market related tasks (standardisation, cybersecurity certification), such as analysis of relevant trends in the cybersecurity market to better match demand and supply and support the EU policy development in the areas of ICT standardisation and ICT cybersecurity certification.
- Operational cooperation and crisis management aimed at strengthening the existing preventive operational capabilities and supporting operational cooperation as secretariat of the CSIRTs Network. The EU Agency for Cybersecurity will also provide assistance to Member States who request it in order to handle incidents and will play a role in the EU coordinated response to large-scale cross-border cybersecurity incidents and crises.
- Coordinated vulnerability disclosure: The EU Agency for Cybersecurity will assist Member States and Union institutions, agencies and bodies in establishing and implementing vulnerability disclosure policies on a voluntary basis. It will also help improve the cooperation between the organisations, manufacturers or providers of vulnerable products and services, and members of the cybersecurity research community who identify such vulnerabilities.
What is the European Commission’s recommendation for a common EU approach to the security of 5G networks?
Fifth Generation (5G) networks will form the future backbone of our societies and economies, including in many critical sectors such as energy, transport, banking, and health, highlighting the need to address any vulnerabilities with regard to security and trust. In March 2019 the European Commission recommended a set of operational steps and measures to ensure a high level of cybersecurity of 5G networks across the EU. In particular, it recommended that Member States complete an EU-wide risk assessment by October 2019 and identify a set of possible mitigating measures by December 2019. For more information about the Recommendation, including next steps, see this press release and these Questions and Answers.
What are the next steps?
The European Commission has proposed to significantly boost investment in cybersecurity and advanced digital technologies in the EU in the next EU budget period, notably through its proposal for a Digital Europe Programme. It has also proposed a new European Cybersecurity Competence Centre and network to pool resources and coordinate on priorities with Member States and to implement relevant projects in the area of cybersecurity. The proposal also aims at creating a Network of National Coordination Centres and a Cybersecurity Competence Community in order to ensure better cooperation and synergies among the existing experts and specialist structures in the Member States. This goes hand-in-hand with the key objective to increase the competitiveness of the EU’s cybersecurity industry and to turn cybersecurity into a competitive advantage for other European industries.