New cybersecurity landscape in the EU Sławek Górniak 9. CA-Day, Berlin, 28th November 2017

Transcription

1 in the EU Sławek Górniak 9. CA-Day, Berlin, 28th November 2017 European Union Agency for Network and Information Security

2 Positioning ENISA activities CAPACITY Hands on activities POLICY Support MS & COM in policy implementation Harmonisation across EU EXPERTISE Recommendations Independent Advice 2

3 EU Policy Context eidas Regulation NIS Directive EU Cyber Security Strategy (COM) Strengthening Europe's Cyber Resilience System (COM) General Data Protection Regulation Telecom Package article 13 a, art. 4 3

4 The NIS Directive National Cyber Security Strategies Cloud Computing Services Online Marketplaces Digital Service Providers Strategic Cooperation Network Incident Reporting Security Requirements Operators of Essential Services Transport Energy Healthcare Banking and Financial market infrastructures Search Engines Tactical/Operational CSIRT Network Digital Infrastructure 4

5 National Cyber Security Strategies (NCSS) 25 NCSS in EU; a few under development Different maturity levels CIIP - key subject in NCSSs PPPs - limited success so far Overlaps in mandates Assessment of NCSS is an issue 5

6 Certification if ICT products Defining Certification formal evaluation of products, services and processes by an independent and accredited body against a defined set of criteria standards and the issuing of a certificate indicating conformance * Security certification of products has been traditionally dominated by common criteria Within EU - SOG-IS MRA is the dominant player in common criteria certification Currently 13 Member States and 1 EFTA country - Multiple national and sectorial initiatives focused on security certification *EC COM(2017) 477 final 6

7 ICT security certification within EU policy context Network and Information Security Directive EU Cybersecurity Strategy General Data Protection Regulation eidas Regulation Payment Services Directive 2 Digital Single Market Strategy Strengthening Europe s Cyber Resilience System and Fostering a Competitive and Innovative Cybersecurity Industry Proposal for a Regulation on Privacy and Electronic Communications 7

8 A view from the semiconductor industry on product certification An ongoing joint initiative of: Infineon NXP STMicroelectronics ENISA to define European Baseline Requirements An EU Trust Label A reference framework and associated label would ensure appropriate levels of security for products and services, leading to a common level playing field for industry Challenges Standardization and certification A policy framework to ensure minimal security for connected devices (to be defined by COM) EU security standards commensurate with market needs Security processes and services: reliable security processes and services; support industry to implement security in their products Security requirements : Mandatory staged requirements for security and privacy in IoT Economic dimensions: a level playing field for cybersecurity and good security practices 8

9 Features of an EU certification framework ICT Security Certification Producers ICT Security Certification Consumers Industry Member States ECIL Group Avoid fragmentation caused by national ICT security certification initiatives Promote mutual recognition Simplify procedures, reduce the time and cost of deployment of IT products and services Improve competitiveness and quality of European products and services Give users more confidence in ICT products and services they purchase 9

10 Tentative policy approaches * *as of Option 0 - Do nothing: No EU policy initiative or action baseline scenario Option 1 - Soft law approach: Commission to encourage and support national or industry initiatives Option 2 - Extension of SOGIS agreement: Legislative proposal making MS participation to the SOG-IS agreement mandatory Option 3 - European certification & labelling framework: EUwide framework with its own scope, functioning and governance rules 10

11 Draft Cybersecurity Act 11

12 EU Cybersecurity Certification Framework One EU Cybersecurity Certification Framework, many schemes. Tailored schemes specifying: scope - product/service category evaluation criteria and security requirements assurance level Resulting Certificates from European schemes are valid across all Member States. Once a European scheme has been established: Member States cannot introduce new national schemes with same scope Existing national schemes covering same product/service cease to produce effects Existing certificates from national schemes are valid until expire date The use of EU certificates remains voluntary, unless otherwise specified in European Union law. The specified requirements of the scheme shall not contradict any applicable legal requirements, in particular requirements emanating from harmonised Union legislation 12

13 EU certification framework 13

14 National Certification Supervisory Authorities supervise the activities of conformity assessment bodies (CAB) and the compliance of the certificates issued by CABs be independent of the entities they supervise. handle complaints on certificates issued by CABs withdraw certificates that are not compliant and impose penalties participate in the new European Cybersecurity Certification Group 14

15 European Cybersecurity Certification Group Composed of national certification supervisory authorities Advise and assist the Commission, assist, advise and cooperate with ENISA Propose to Commission that it requests the Agency to prepare a scheme Adopts opinions addressed to the Commission relating to the maintenance and review of existing EU schemes Chair: Commission Secretariat assistance: ENISA 15

16 EU certification framework 16

17 Envisaged assurance levels Assurance level basic: limited degree of confidence in the claimed or asserted cybersec qualities Assurance level substantial: limited degree of confidence in the claimed or asserted cybersec qualities Assurance level high: high degree of confidence in the claimed or asserted cybersec qualities 17

18 Key elements of the framework Detailed specification of cybersec requirements against which ICT products will be evaluated One or more assurance levels Specific evaluation criteria and methods used Information to be supplied to CABs Conditions to use marks and labels Mechanisms to demonstrate continual compliance as appropriate Conditions to grant maintenance and extension of a certificate Consequences of non-conformity 18

19 New ENISA! Focused Mandate Adequate Resources Permanent Status EU Cybersecurity Agency 19

20 Mandate and objectives Promote the use of certification & contribute to the cybersecurity certification framework Be an independent centre of expertise Increase cybersecurity capabilities at Union level to complement MSs action Contribute to high Cybersecurity Assist EU Institutions and MSs in policy development &implementation Support capacity building & preparedness Promote cooperation &coordination at Union level Promote high level of awareness of citizens & businesses 20

21 Thank you PO Box 1309, Heraklion, Greece Tel: