A balancing act: The EU proposes a new framework for cybersecurity certification

The EU Cybersecurity Act is to be adopted by the end of 2018, during the current Austrian presidency. The Act proposes the creation, under the auspices of ENISA, of a new certification scheme that will apply to all IT products, services and processes developed, licensed or sold in the EU. Certificates issued under the scheme will be legally recognised across the EU. This would standardise the miscellaneous certification schemes and requirements currently in effect across the 28 Member States. The spectrum of technological devices that the Act applies to ranges from smart fridges, game consoles and fitness apps to SCADA systems used to control public water supply or power plants. In addition to harmonisation, the proposed framework would have the twofold effect of building consumer trust and fostering cross-border commerce in IT products and services.

Catchall certification framework

Currently, the landscape of certification schemes and standards is varied. Member States enforce separate certification procedures and requirements, such as the French Certification Sécuritaire de Premier Niveau (CSPN), the Dutch Baseline Security Product Assessment (BSPA) and the German BSI 7148. What adds another layer of complexity to the current picture is that some public tenders for ICT services, for example, require ISO 27001, while others apply national standards.[1] The patchy implementation of international standards within the industry does nothing to improve clarity.

Setting harmonisation as its primary ambition, the proposal introduces a tool to create a more comprehensive regulatory framework for specific ICT processes, products and services that would help ensure compliance with cybersecurity requirements. The proposal also foresees that national certification schemes which, in their subject-matter, are covered by the EU scheme would cease to exist. At the same time, it does not explain in any detail when a national scheme is deemed ‘covered’ by the new EU scheme. Therefore, there will be some room left for duplication and misinterpretation. Nor is the EU certification scheme intended to be mandatory, unless so required by EU or national law. This explains why critics have expressed concerns that, rather than greater unity, the proposal may lead to increasing fragmentation.[2]

Empowered ENISA and other actors

In a nutshell, the proposed scheme would involve the following main actors:

ENISA will act as a facilitator between stakeholders and as an advisory body to Member States.[3] However, first and foremost, it will contribute to the establishment and maintenance of a cybersecurity certification framework at Union level,[4] while not serving as a certification body itself. Therefore, although it will be ENISA’s task to create (in cooperation with other stakeholders) the blueprint against which future ICT products will be evaluated, the evaluation itself will be delegated to the national level.

Each Member State will designate one or more national cybersecurity certification supervisory authorities (CSAs) in its territory, or upon agreement designate an entity in the territory of another Member State as its CSA.[5] CSAs may (but do not have to) be responsible for the certification itself. In either case, they will act as the accreditor and supervisor, and will handle complaints[6] in cases where certificates have been issued at level ‘high’ (see below). CSAs would also be granted the power to make binding decisions and issue fines.

The certification procedure can be delegated to a conformity assessment body (CAB) authorised and overseen by the CSA.[7] CABs are accredited by the national CSA, and can be a governmental or private entity, as long as they are able to demonstrate the highest level of independence, professionalism and competence. To add another link to the chain, CABs are themselves entitled to engage subsidiaries and subcontractors. Under the framework, manufacturers would be able to submit an application for certification to the CAB of their choice. Lastly, for the lowest-risk products, the proposal also foresees self-certification, i.e. an option for companies to assess their own products.

The proposal sets forth the establishment of a European Cybersecurity Certification Group consisting of representatives of CSAs or other relevant national authorities. This group will serve as an advisor and intermediary between the Commission and the CSAs, and will participate in the drafting process of the framework.

Reasonable expectations of certifiable security

Besides laying down the procedural framework of certification, supervision and appeal handling, the proposal gives hints about the substance of the certification scheme that is to be created.

Certificates can be issued at three levels. Assurance level basic provides assurance that the known basic risks of cyber incidents and cyber attacks have been minimised according to the evaluation. Evaluation activities shall include at least a review of technical documentation or substitute activities with equivalent effect.[8] Basic assurance can be subject to self-certification. In its current state, however, the proposal leaves many key terms, such as ‘basic risks’, undefined.

Certificates issued at assurance level substantial are for products, processes or services that have been evaluated to a level which seeks to minimise known cyber risks, cyber incidents and cyber attacks. Substantial-level certificates signal preparedness to tackle cyber attacks carried out by actors with limited skills and resources. The evaluation activities shall include at least a review of the non-applicability of publicly known vulnerabilities, and testing that the ICT processes, products or services correctly implement the necessary security functionality. Again, it will be extremely complicated to substantiate any of these key terms in the ever-changing technological context.

Assurance level high is designed for the most critical ICT products, services and processes that run the highest risk and often also fall under the scope of the NIS Directive. This assurance level entails minimising the vulnerability to state-of-the-art cyber attacks carried out by actors with significant skills and resources. The evaluation activities will include at least: reviewing the non-applicability of publicly known vulnerabilities, testing that the ICT processes, products or services correctly implement the necessary security functionality at the state of the art, and assessing their resistance to skilled attackers via penetration testing.[9] Actual testing is therefore essential only for certificates issued at this level. Some stakeholders have voiced the opinion that any product, process or service that requires risk assessment at such a level should be subject to obligatory certification.[10]

The framework will foresee a liability system. However, it is unclear whether a manufacturer or developer whose products or processes have received the highest assurance, but which suffers a significant security breach, would be entitled to take action against the CAB. It also remains to be seen how much trust end-users should put in certified products, when the industry and assurance bodies alike are very aware that there is no such thing as 100% security 100% of the time. Giving cyber security a measurable form is definitely the single most demanding task faced by ENISA, the Commission and the Cyber Security Cooperation Group.

Finding the balance

The proposal requires that not only the outcome (i.e. products or services), but also the whole development process can be certified, which implies a proactive approach to security by design. Although the scheme is voluntary, it can be expected that certification of certain products will become (and already is) mandatory under national laws, or will become a norm of behaviour through ICT sector self-regulation. Therefore, it can be expected that manufacturers and developers will need additional resources to ensure compliance.

One way to alleviate this problem would be by allowing for broader self-certification. This market-friendly viewpoint has been supported by, for instance, Digital Europe, Business Europe and the American Chamber in Europe. In contrast, it has been argued that certification would lead to better cyber security only when it is mandatory. This applies in particular to the ICT elements of critical infrastructure and highly vulnerable interconnected consumer products such as IoT devices.[11] The proposal as it currently reads does not foresee such obligations. The American Chamber, the European Telecommunications Standards Institute, the Business Software Alliance and stakeholders from many Member States[12] have argued in favour of more efficient application of existing international, national or EU accreditation standards and avoiding the creation of another specific set of requirements.

There are two sorts of fears. Firstly, that the entry into force of the Act would lead to stringent controls that impede innovation and commerce. Secondly, that as long as at least some high-risk categories are not tightly regulated, the Act would end up creating additional administrative burden and complexity, while not in fact promoting cybersecurity. The proposal as it currently stands leaves many unanswered questions and much room for interpretation. Excessive vagueness in key terms has led some interest groups to articulate unease about the possibility of ‘certification shopping’ and the parallel co-existence of various partially-contradictory certification schemes.

There are numerous reasons to speed up the process of figuring out the actual framework, one of them being that by the time ENISA, the Commission, coordination groups, national cybersecurity certification authorities and others have come up with a framework, anything spot-on and specific in it will already have become yesterday’s struggle. Requirements stated too vaguely, on the other hand, will not deliver better security. Therefore, ENISA has to perform a difficult balancing act that, despite some criticism, will, alongside the NIS Directive and the GDPR, mark a step towards common understanding, improved cooperation and tighter security, both in the virtual and real environments.

Author: Ann Väljataga, NATO CCDCOE Law Branch

  1. E.g. Estonia operates the national three-level IT Baseline Security System ISKE, sometimes in parallel with ISO 27001; Germany implements the IT Baseline Protection Manual.
  2. See e.g. DigitalEurope, Cybersecurity Act: DIGITALEUROPE urges co-legislators to ensure certification schemes do not lead to more market fragmentation in Europe, 21 June 2018.
  3. Cybersecurity Act, Council General Approach (hereinafter CS Act), Art 3(1).
  4. Ibid, Art 3(6).
  5. Ibid, Art 50(1).
  6. Ibid (59), Art 48(4a).
  7. Cybersecurity Act, Annex II; Article 2, Regulation (EC) No 765/2008 of the European Parliament and of the Council of 9 July 2008 setting out the requirements for accreditation and market surveillance relating to the marketing of products and repealing Regulation (EEC) No 339/93, OJ L 218, 13.8.2008, p. 30–47.
  8. Cybersecurity Act, Article 46(2).
  9. Ibid, Article 46(3).
  10. Ibid, Article 46(4).
  11. See e.g. Pen Test Partners, EU Cybersecurity Act IoT FAIL, 19 July 2018; IFIA and CEOC Position Paper on EU Cyber Security Act, 27 October 2017; European Parliament, Briefing: ENISA and a new cybersecurity act.
  12. See e.g. Stupp, Catherine, French cybersecurity chief warns against ‘step back into the past’, 25 April 2018.