ENISA activities in ICT security certification Dr. Prokopios Drogkaris NIS Expert NLO Meeting Athens

Transcription

1 ENISA activities in ICT security certification Dr. Prokopios Drogkaris NIS Expert NLO Meeting Athens European Union Agency for Network and Information Security

2 What are these symbols anyway? By affixing the CE marking to a product, a manufacturer declares that the product meets all the legal requirements for CE marking and can be sold throughout the European Economic Area. 2

3 Background Defining Certification formal evaluation of products, services and processes by an independent and accredited body against a defined set of criteria standards and the issuing of a certificate indicating conformance * ** Security certification of products has been traditionally dominated by common criteria Within EU - SOG-IS MRA is the dominant player in common criteria certification - Multiple national and sectorial initiatives focused on security certification *EC COM(2017) 477 final ** 3

4 ICT security certification within EU policy context Network and Information Security Directive EU Cybersecurity Strategy General Data Protection Regulation eidas Regulation Digital Single Market Strategy Proposal for a Regulation on Privacy and Electronic Communications Payment Services Strengthening Europe s Cyber Directive 2 Resilience System and Fostering a Competitive and Innovative Cybersecurity Industry Cybersecurity Act Proposal 4

5 Features of an EU framework ICT Security Certification Producers Member States ICT Security Certification Consumers ECIL Group Industry Avoid fragmentation caused by national ICT security certification initiatives Promote mutual recognition Simplify procedures, reduce the time and cost of deployment of IT products and services Improve competitiveness and quality of European products and services Give users more confidence in ICT products and services they purchase 5

6 ENISA Activities Supporting policy discussions, engagement and dialogue with stakeholders Establishing working relations with industry working groups Stocktaking on the development of a European ICT security certification and labelling framework Imprint of European ICT security certification laboratories landscape Towards an EU framework based on existing schemes and responding to emerging lightweight requirements 6

7 Draft Cybersecurity Act Provisions on certification

8 Proposed certification framework Voluntary European cybersecurity certification framework Enabling the creation of individual EU certification schemes for ICT products and services that are valid across EU Each scheme will specify: Scope, Evaluation criteria, Assurance level, Security requirements and Rules for monitoring compliance European Cybersecurity Certification Group (ECCG) National Certification Supervisory Authorities European Commission ENISA 8

9 Framework overview 9

10 Envisaged ENISA tasks in a nutshell Support and promote the development and implementation of the Union policy on cybersecurity certification of ICT products and services preparing candidate European cybersecurity certification schemes for ICT products and services Provide Secretariat assistance to the European Cybersecurity Certification Group Compile and publish guidelines and developing good practices concerning the cybersecurity requirements of ICT products and services Facilitate the establishing and taking-up of European and international standards for risk management and for the security of ICT products and services Perform and disseminate regular analyses of the main trends in the cybersecurity market both on the demand and supply side Support European Cybersecurity Certification Group 10

11 Thank you PO Box 1309, Heraklion, Greece Tel: