European Union Agency for Network and Information Security ENISA activities in ICT security certification Dr. Prokopios Drogkaris | NIS Expert NLO Meeting | Athens | 30.01.2018

ENISA activities in ICT security certification - European ......• Voluntary European cybersecurity certification framework • Enabling the creation of individual EU certification


Page 1

European Union Agency for Network and Information Security

ENISA activities in ICT security certification
Dr. Prokopios Drogkaris | NIS Expert
NLO Meeting | Athens | 30.01.2018

Page 2

What are these symbols anyway?

By affixing the CE marking to a product, a manufacturer declares that the product meets all the legal requirements for CE marking and can be sold throughout the European Economic Area.

ENISA activities in ICT Security Certification | P. Drogkaris

Page 3

Background

• Defining Certification

“formal evaluation of products, services and processes by an independent and accredited body against a defined set of criteria standards and the issuing of a certificate indicating conformance”*

• Security certification of products has traditionally been dominated by Common Criteria

• Within the EU

- SOG-IS MRA is the dominant player in Common Criteria certification

- Multiple national and sectorial initiatives focused on security certification

* EC COM(2017) 477 final
** http://ec.europa.eu/newsroom/document.cfm?doc_id=46999

Page 4

ICT security certification within EU policy context

• EU Cybersecurity Strategy

• Digital Single Market Strategy

• Strengthening Europe’s Cyber Resilience System and Fostering a Competitive and Innovative Cybersecurity Industry

• Network and Information Security Directive

• General Data Protection Regulation

• Proposal for a Regulation on Privacy and Electronic Communications

• eIDAS Regulation

• Payment Services Directive 2

• Cybersecurity Act Proposal

Page 5

Features of an EU framework

• Avoid fragmentation caused by national ICT security certification initiatives

• Promote mutual recognition

• Simplify procedures, reduce the time and cost of deployment of IT products and services

• Improve competitiveness and quality of European products and services

• Give users more confidence in the ICT products and services they purchase

Stakeholders shown in the slide diagram: Member States, Industry, ICT Security Certification Producers, ICT Security Certification Consumers, ECIL Group

Page 6

ENISA Activities

• Stocktaking on the development of a European ICT security certification and labelling framework

• Imprint of the European ICT security certification laboratories landscape

• Supporting policy discussions, engagement and dialogue with stakeholders

• Establishing working relations with industry working groups

• Towards an EU framework based on existing schemes and responding to emerging lightweight requirements

Page 7

Draft Cybersecurity Act
Provisions on certification

Page 8

Proposed certification framework

• Voluntary European cybersecurity certification framework

• Enabling the creation of individual EU certification schemes for ICT products and services that are valid across the EU

• Each scheme will specify:

- Scope, Evaluation criteria, Assurance level, Security requirements and Rules for monitoring compliance

• European Cybersecurity Certification Group (ECCG)

- National Certification Supervisory Authorities

- European Commission

- ENISA

Page 9

Framework overview

Page 10

Envisaged ENISA tasks in a nutshell

• Support and promote the development and implementation of the Union policy on cybersecurity certification of ICT products and services

• Prepare candidate European cybersecurity certification schemes for ICT products and services

• Provide Secretariat assistance to the European Cybersecurity Certification Group

• Compile and publish guidelines and develop good practices concerning the cybersecurity requirements of ICT products and services

• Facilitate the establishment and take-up of European and international standards for risk management and for the security of ICT products and services

• Perform and disseminate regular analyses of the main trends in the cybersecurity market, on both the demand and supply side

• Support the European Cybersecurity Certification Group