A new European Commission proposal will see cybersecurity certifications issued for devices under a single and central European framework and governance system.
Speaking at the ISSE 2017 Conference in Brussels, Jakub Boratynski, head of cybersecurity and the digital privacy unit at DG Connect, said that this will be a framework and governance system that is bespoke and tailored for different ICT schemes. He said that the “objective is to give people peace of mind of everything that the digital revolution brings.”
“Cybersecurity certification can play an important role in increasing trust for users and provide information about the features of a product or service,” he said. “Cybersecurity certification on its own can increase the measures of trust as we will not have a successful single market without the trust of businesses and citizens.”
Boratynski said that there had been some national schemes, and one European scheme focused on high level assurance products, but often membership is limited. In this case the framework will be bespoke and tailored for different ICT schemes, and these schemes would allow assurance of certificates across the EU.
He added that this will make users more aware of what security properties a product has, and play a positive role within the “Operator of Essential Services” incident notification mechanisms in the context of the NIS Directive.
“It will also allow vendors and providers of solutions to provide them an incentive to continue to enhance the quality of digital products and also increase competitiveness of European products internationally”, he said.
The first step will be proposing a framework and once that is agreed, the next stage will be the development of specific schemes which will determine what scope it covers and what criteria is to be required for what type of standards. He also acknowledged a level of assurance would be needed for cheaper consumer products "with no security identity.”
This would cause existing schemes to cease to exist and the use of certificates would be voluntary, but in future there would be EU legislation requiring a certain set of technical requirements to put them on the market, such as with medical devices.
Also as part of the new proposals, the European Union Agency for Network and Information Security (ENISA) will be given a permanent status, with a focused mandate that gives an overview of what agency will be doing.
Boratynski said that the certification process will involve member states working together to certify, and ENISA will play a central role in doing the background technical work and being at the heart of the industry to reach out to industry bodies to make sure what is being proposed at a European level fully responds to market needs.
He concluded by saying that there will be flexibility for cybersecurity agencies to continue issuing certificates.