On the 11th of December the European Parliament, the Council and the European Commission reached a political agreement on the Cybersecurity Act. The act reinforces the mandate of the EU Agency for Cybersecurity ENISA (European Union Agency for Network and Information Security), to better support Member States with tackling cybersecurity threats and attacks. The Act also establishes an EU framework for cybersecurity certification, boosting the cybersecurity of online services and consumer devices.
With nearly 40 percent of EU companies having no Incident Response Plan in place, and 69 percent of EU companies having no or only a basic understanding of their exposure to cyber risks, the Cybersecurity Act is a very welcome step in raising cyber awareness and shaping a safer cyber environment for European businesses and citizens.
European Cybersecurity Certificates
The Cybersecurity Act will create a framework of European Cybersecurity Certificates for products, processes and services. These certificates will be valid throughout the EU, but will be voluntary unless otherwise specified in EU law or member states' law. The Commission will regularly monitor the impact of certification schemes and assess their level of use by manufacturers and service providers. There will be three different assurance levels, based on the level of risk associated with the intended use of the product. For the most basic level, it will be possible for manufacturers or service providers to carry out the conformity assessment themselves.
Protecting consumers and businesses by helping them to understand what level of security they can expect when buying or using connected devices should be a major responsibility for every industry. Besides raising awareness, and in acknowledgement of the fact that non-IT staff (and in some cases IT staff themselves!) can represent a major cybersecurity risk, these EU certification frameworks are an important step towards solving some of the biggest challenges in establishing a more cyber-secure Europe.
Promoting security by design
The creation of the cybersecurity certification framework incorporates security features into the early stages of technical design and development, also known as ‘security by design’. It enables users of connected products to ascertain a level of security assurance, and ensures that these security features are independently verified.
With small and medium-sized enterprises (SMEs) representing 99 percent of all businesses in the EU, the certification framework is intended to be a ‘one-stop-shop for cybersecurity certification’, the European Commission states on its website. This should result in ‘significant cost savings’ for SMEs, because they will not have to apply for several certificates in individual countries.
Highlights of the Cybersecurity Act:
- The European Union Agency for Network and Information Security (ENISA) will receive a permanent mandate with more human and financial resources;
- ENISA will increase its support to the EU Member States, in order to improve capabilities and expertise, notably in the areas of cyber crisis coordination and the prevention of and response to cyber incidents;
- Within the Cybersecurity Certification Framework, ENISA will have market-related tasks, notably to prepare the European cybersecurity certification schemes with the expert assistance and close cooperation of national certification authorities and the industry;
- ENISA will strengthen its support to Member States and the EU institutions in the development, implementation and review of general cybersecurity policy.
In addition, ENISA will help increase cybersecurity capabilities at EU level and support capacity building and preparedness. Finally, and firmly endorsed by Infradata, ENISA will be an independent centre of expertise that will help promote a high level of awareness amongst citizens and businesses.
During debates at events such as CloudFest 2018, accompanied by other recognised cybersecurity experts, Infradata repeatedly advocated the use of certification frameworks and collaboration towards more cyber resilience on a European and global level. That’s because we believe that to successfully protect businesses and consumers from advanced cyberattacks, we have to work together.
Challenging the Internet of Insecure Things
The Cybersecurity Act is the first internal market law that addresses the challenge of enhancing the security of connected products - such as Internet of Things devices - as well as critical infrastructure through such certificates.
With the growing use of IoT-based solutions, some IoT vendors appear to favour usability over IT security. The question for security specialists is therefore what the correct level of acceptable risk should be.
The Cybersecurity Act assigns business ownership to IoT security and applies security-by-design to products. As a result, apportioning selected areas of the security budget to manage IoT risks is even more important. With more and more IoT devices being 'recruited' into botnets and used to initiate massive DDoS attacks in 2018, the EU framework for cybersecurity certification is an important step towards preventing massive traffic volumes from hitting EU-based businesses and consumers.