EU Cybersecurity Act
ETSI Security Week 2019

18 June 2019, ETSI, Sophia Antipolis

Ioannis Askoxylakis
Cybersecurity Policy Officer
Unit H1: Cybersecurity Technology & Capacity Building
Directorate H: Digital Society, Trust and Cybersecurity
Directorate General for Communication Networks, Content & Technology (DG CONNECT)
European Commission

Page 2

The EU Cybersecurity Certification Framework

Agenda

Context

Introduction

Cybersecurity Certification Schemes

Certification and Conformity self-assessment

The lifecycle of a European Cybersecurity Certification Scheme Plan, Request, Prepare, Implement, Review

Important Policy Aspects

State of Play

Page 3

Page 4

The EU Cybersecurity Certification Framework in context

Joint Communication on “Resilience, Deterrence and Defence: Building strong cybersecurity for the EU”, JOIN/2017/0450

• Building EU resilience to cyber attacks
– Reformed ENISA (Cybersecurity Act)
– EU Cybersecurity Certification Framework (Cybersecurity Act)
– NIS Directive implementation
– Rapid emergency response: Blueprint & Cybersecurity Emergency Response Fund
– Cybersecurity competence network with a European Cybersecurity Research and Competence Centre
– Building a strong EU cyber skills base, improving cyber hygiene and awareness

• Creating effective EU cyber deterrence
– Identifying malicious actors
– Stepping up the law enforcement response
– Stepping up public-private cooperation against cybercrime
– Stepping up the political and diplomatic response
– Building cybersecurity deterrence through the Member States' defence capabilities

• Strengthening international cooperation on cybersecurity
– Promoting global cyber stability and contributing to Europe's strategic autonomy in cyberspace
– Advancing EU cyber dialogues
– Modernising export controls, including for critical cyber-surveillance technologies
– Continuing the rights-based capacity building model
– Deepening EU-NATO cooperation on cybersecurity, hybrid threats and defence

Page 5

What's new with the Cybersecurity Act?

• Permanent status
• Adequate resources
• Focused mandate

Page 6

The EU Cybersecurity Certification Framework

Introduction

The digitalisation of our society leads to greater need for cyber secure products and services.

Cybersecurity certification plays an important role in increasing trust in digital products and services.

A common European approach to cybersecurity certification is an important part of the Digital Single Market.

The Cybersecurity Act establishes the European cybersecurity certification framework.

The Framework enables the creation of tailored, voluntary European Cybersecurity Certification Schemes for ICT products, services and processes. One Framework, many schemes.

Page 7

Benefits… for citizens/end users

NOW
• Difficult to distinguish between more and less secure products/services
• Co-existence of schemes makes comparison difficult… …end-users (OES) refrain from buying certified products/services

FUTURE
• More information on the security properties of products/services ahead of purchase
• Greater incentive for OES to buy certified products/services
• Increased cyber resilience of critical infrastructures

…As end-users of digital solutions, governments would rely on an institutional framework to identify and express priority areas needing ICT security certification.

Page 8

…For vendors/providers

• The possibility to obtain cybersecurity certificates that are valid across the EU would:

– Generate higher incentive to certify and enhance the quality of digital products/services

– Enhance competitiveness through reduced time and cost of certification

– Help gain access to market segments where certification is required

– Contribute to promoting a chain of trust between vendors and end-users

• For SMEs and new businesses…

– Elimination of a potential market-entry barrier

Page 9

The EU Cybersecurity Certification Framework

Introduction - Key features

• One Framework, many schemes: tailored and risk-based schemes
• Open, inclusive and transparent
• Builds on the EU acquis on accreditation, market surveillance and standardisation
• Reinforcing an EU-wide approach and building trust with peer reviews
• A modern cybersecurity certification framework:
– Certification of ICT processes (e.g. secure development lifecycle, vulnerability handling and disclosure, provision of updates)
– Supplementary information such as guidance on secure configuration and use, and security contact points for security researchers
– International best practices in certification scheme structure

Page 10

The EU Cybersecurity Certification Framework

Cybersecurity Certification Schemes

Security objectives

Assurance levels: Basic, Substantial, High

Elements of a cybersecurity certification scheme include:
• scope: the product/service or category(ies) thereof
• references to the international, European or national standards and to technical specifications
• one or more assurance levels
• conditions for the mutual recognition of certification schemes with third countries

Page 11

European Cybersecurity Certification Scheme (Basic, Substantial)

Elements of the Scheme (incl. product category, assurance level): Scheme Governance, Certification Procedure, Product Requirements

EU level
• An EU Certification Scheme specifies the evaluation process, by reference to international, EU and national standards/technical specifications.

Member State level
• The National Accreditation Body accredits the Conformity Assessment Body (evaluation facility).
• The National Cybersecurity Certification Authority authorises and notifies the Conformity Assessment Body.
• The Conformity Assessment Body applies the evaluation process to the product, whose conformity is assessed against the scheme's product requirements:
1. Evaluates (applies the evaluation process to assess the product's conformity with the requirements)
2. Certifies conformity
4. Certificate is recognised in the EU

Page 12

European Cybersecurity Certification Scheme (High)

Elements of the Scheme (incl. product category, assurance level): Scheme Governance, Certification Procedure, Product Requirements

EU level
• An EU Certification Scheme specifies the evaluation process, by reference to international, EU and national standards/technical specifications.

Member State level
• The National Accreditation Body accredits the National Cybersecurity Certification Authority.
• The National Cybersecurity Certification Authority applies the evaluation process to the product, whose conformity is assessed against the scheme's product requirements:
1. Evaluates (applies the evaluation process to assess the product's conformity with the requirements)
2. Certifies conformity
4. Certificate is recognised in the EU

Page 13

The EU Cybersecurity Certification Framework

Certification

The cybersecurity certification shall be voluntary, unless otherwise specified by Union law or Member State law.

Conformity assessment bodies shall issue European cybersecurity certificates referring to assurance level 'basic' or 'substantial'.

Where a European cybersecurity certification scheme requires an assurance level 'high', the European cybersecurity certificate under that scheme is to be issued only* by a national cybersecurity certification authority.

A European cybersecurity certificate issued pursuant to this Article shall be recognised in all Member States.

Page 14

Conformity self-assessment (assurance level Basic only)

Elements of the Scheme (incl. product category, assurance level): Scheme Governance, Attestation Procedure, Product Requirements

EU level
• An EU Certification Scheme specifies the evaluation process, by reference to international, EU and national standards/technical specifications.

Member State level
• The Manufacturer applies the evaluation process to its own product, whose conformity is assessed against the scheme's product requirements:
1. Evaluates (applies the evaluation process to assess the product's conformity with the requirements)
2. Attests conformity
4. Statement of Conformity is recognised in the EU

Page 15

The EU Cybersecurity Certification Framework

The lifecycle of a European Cybersecurity Certification Scheme

• Stakeholder Cybersecurity Certification Group: advises the Commission on strategic priorities and on the Union Rolling Work Programme on Cybersecurity Certification
• European Commission: requests ENISA to prepare a candidate scheme
• European Cybersecurity Certification Group (Member States): advises ENISA and may propose the preparation of a candidate scheme to ENISA
• ENISA: prepares the candidate scheme, with an ad hoc working group for each scheme
• ENISA: consults industry, standardisation bodies and other stakeholders
• European Commission: adopts* the candidate scheme

Page 16

The EU Cybersecurity Certification Framework

Plan


Page 17

The EU Cybersecurity Certification Framework

Request


Page 18

The EU Cybersecurity Certification Framework

Prepare


Page 19

The EU Cybersecurity Certification Framework

Implement and Review

Annual Union Rolling Work Programme on Cybersecurity Certification


Page 20

The EU Cybersecurity Certification Framework

Important Policy Aspects

Standardisation

Cybersecurity Certification and Regulation

International aspects and Trade

• Strong preference for international standards
• Technical specifications developed by US-domiciled standards development organisations may be taken into consideration
• Respect for WTO rules

Page 21

The EU Cybersecurity Certification Framework

State of Play

Entry into force June 2019, followed by:
• First request to ENISA
• Establishment of the ECCG (invitation to Member States) and the SCCG (call for experts)
• Launch of the public consultation on the URWP on Cybersecurity Certification

Page 22

Cybersecurity Act in a nutshell

A voluntary European cybersecurity certification framework… …to enable the creation of tailored EU cybersecurity certification schemes for ICT products, services and processes… …that are valid across the EU

Page 23

Thank you for your attention!