The emerging EU certification framework: A role for ENISA Dr. Andreas Mitrakas Head of Unit EU Certification Framework Conference Brussels 01/03/18

Similar documents
ENISA activities in ICT security certification Dr. Prokopios Drogkaris NIS Expert NLO Meeting Athens

New cybersecurity landscape in the EU Sławek Górniak 9. CA-Day, Berlin, 28th November 2017

NIS Standardisation ENISA view

Resilience, Deterrence and Defence: Building strong cybersecurity for the EU

ENISA EU Threat Landscape

Discussion on MS contribution to the WP2018

Cyber Security Beyond 2020

The EU Cybersecurity Package: Implications for ENISA Dr. Steve Purser Head of ENISA Core Operations Athens, 30 th January 2018

STANDARDS TO HELP COMPLY WITH EU LEGISLATION. EUROPE HAS WHAT IT TAKES INCLUDING THE WILL?

ENISA Cooperation in the EU / NIS Directive

Network and Information Security Directive

The NIS Directive and Cybersecurity in

Package of initiatives on Cybersecurity

ENISA s Position on the NIS Directive

Securing Europe s IoT Devices and Services

CEN and CENELEC Position Paper on the draft regulation ''Cybersecurity Act''

Introductory Speech to the Ramboll Event on the future of ENISA. Speech by ENISA s Executive Director, Prof. Dr. Udo Helmbrecht

Technology's role in General Data Protection Regulation Dr. Prokopios Drogkaris Officer in NIS SECPRE 2017 Oslo

The Role of ENISA in the Implementation of the NIS Directive Anna Sarri Officer in NIS CIP Workshop Vienna 19 th September 2017

13967/16 MK/mj 1 DG D 2B

Cybersecurity Package

Cybersecurity & Digital Privacy in the Energy sector

Brussels, 19 May 2011 COUNCIL THE EUROPEAN UNION 10299/11 TELECOM 71 DATAPROTECT 55 JAI 332 PROCIV 66. NOTE From : COREPER

Infrastructures and Service Dimitra Liveri Network and Information Security Expert, ENISA

European Union Agency for Network and Information Security

Call for Expressions of Interest

Security and resilience in Information Society: the European approach

Securing Europe's Information Society

EU Cloud Computing Policy. Luis C. Busquets Pérez 26 September 2017

The Network and Information Security Directive - ENISA's contribution

European Cybersecurity cppp and ECSO. org.eu

Cybersecurity. Quality. security LED-Modul. basis. Comments by the electrical industry on the EU Cybersecurity Act. manufacturer s declaration

ENISA And Standards Adri án Belmonte ETSI Security Week Event Sophia Antipolis (France) 22th June

Cloud Computing Standards C-SIG Plenary Brussels, 15 February Luis C. Busquets Pérez DG CONNECT E2

eidas Regulation (EU) 910/2014 eidas implementation State of Play

Joint FIEEC-ZVEI Position on Cybersecurity

The European Policy on Critical Information Infrastructure Protection (CIIP) Andrea SERVIDA European Commission DG INFSO.A3

Cyber security: a building block of the Digital Single Market

Information sharing in the EU policy on NIS & CIIP. Andrea Servida European Commission DG INFSO-A3

European Union Agency for Network and Information Security

Technical guidelines implementing eidas

Where is the EU in cloud security certification?: Main findings

Digital Platforms for 'Interoperable and smart homes and grids'

Security Aspects of Trust Services Providers

Valérie Andrianavaly European Commission DG INFSO-A3

ECSC Brief Razvan GAVRILA NIS Expert. European Union Agency for Network and Information Security

CONCLUSIONS OF THE WESTERN BALKANS DIGITAL SUMMIT APRIL, SKOPJE

Cybersecurity in the EU Steve Purser Head of Operational Departments, ENISA Regional Cybersecurity Forum Sofia, Bulgaria 29 th November 2016 European

How the European Commission is supporting innovation in mobile health technologies Nordic Mobile Healthcare Technology Congress 2015

Security frameworks for Gov Clouds: A Technical Analysis

Cyber Security in Europe

Enhancing the cyber security &

ERCI cybersecurity seminar Guildford ERCI cybersecurity seminar Guildford

Future-Proof Security & Privacy in IoT

European Cybersecurity PPP European Cyber Security Organisation - ECSO November 2016

This document corrects document COM(2017)477 final of

EISAS Enhanced Roadmap 2012

DMR Interoperability Process DMR Association

COMMISSION RECOMMENDATION. of on Coordinated Response to Large Scale Cybersecurity Incidents and Crises

Security and resilience in the Information Society: the role of CERTs/CSIRTs in the context of the EU CIIP policy

A Strategy for a secure Information Society Dialogue, Partnership and empowerment

Achieving Global Cyber Security Through Collaboration

VdTÜV Statement on the Communication from the EU Commission A Digital Single Market Strategy for Europe

Incentives for IoT Security. White Paper. May Author: Dr. Cédric LEVY-BENCHETON, CEO

COUNCIL OF THE EUROPEAN UNION. Brussels, 24 May /13. Interinstitutional File: 2013/0027 (COD)

Towards a European Cloud Computing Strategy

Horizon 2020 Security

H2020 WP Cybersecurity PPP topics

cybersecurity in Europe Rossella Mattioli Secure Infrastructures and Services

EU policy on Network and Information Security & Critical Information Infrastructures Protection

Cybersecurity governance in Europe. Sokratis K. Katsikas Systems Security Laboratory Dept. of Digital Systems University of Piraeus

EUROPEAN ACCREDITATION LEGAL FRAMEWORK

cybersecurity in Europe Rossella Mattioli Secure Infrastructures and Services

Cybersecurity eit. Software. Certification. Industrial Security Embedded System

Overview of ICT certification laboratories FINAL V1.1 JANUARY European Union Agency For Network and Information Security

Improving Resilience in European e-communication networks MTP 1

HEALTH IN ECSO (European Cyber Security Organisation) 18 October 2017

ehealth Ministerial Conference 2013 Dublin May 2013 Irish Presidency Declaration

Shaping the Cyber Security R&D Agenda in Europe, Horizon 2020

ehaction Joint Action to Support the ehealth Network

H2020 & THE FRENCH SECURITY RESEARCH

European Cyber Security Certification: ECSO Meta-Scheme Approach

ICT Legal Consulting on GDPR: the possible value of certification in data protection compliance and accountability

Standardization mandate addressed to CEN, CENELEC and ETSI in the field of Information Society Standardization

Third public workshop of the Amsterdam Group and CODECS European Framework for C-ITS Deployment

Building an Assurance Foundation for 21 st Century Information Systems and Networks

Privacy Seals: A way forward for building trust. The EuroPriSe project. 1

ehealth Network ehealth Network Governance model for the ehealth Digital Service Infrastructure during the CEF funding

ACCREDITATION: A BRIEFING FOR GOVERNMENTS AND REGULATORS

COMMISSION STAFF WORKING DOCUMENT EXECUTIVE SUMMARY OF THE IMPACT ASSESSMENT. Accompanying the document

***I DRAFT REPORT. EN United in diversity EN. European Parliament 2018/0328(COD)

D3.1 Validation workshops Workplan v.0

ENISA S WORK ON ICS AND SMART GRID SECURITY

The Digitalisation of Finance

Friedrich Smaxwil CEN President. CEN European Committee for Standardization

RESOLUTION 47 (Rev. Buenos Aires, 2017)

EUROPEAN COMMISSION Enterprise Directorate-General

Report of the Working Group on mhealth Assessment Guidelines February 2016 March 2017

European Cybersecurity PPP European Cyber Security Organisation - ECSO

The German IT Security Certification Scheme. Joachim Weber

Transcription:

The emerging EU certification framework: A role for ENISA Dr. Andreas Mitrakas Head of Unit EU Certification Framework Conference Brussels 01/03/18 European Union Agency for Network and Information Security

Background Defining Certification formal evaluation of products, services and processes by an independent and accredited body against a defined set of criteria standards and the issuing of a certificate indicating conformance (*) Security certification of products has been led by the evolution of Common Criteria and work of SOG-IS and private initiatives (*)EC COM(2017) 477 final 2

ICT security certification in the EU Network and Information Security Directive EU Cybersecurity Strategy General Data Protection Regulation eidas Regulation Payment Services Directive 2 Digital Single Market Strategy Strengthening Europe s Cyber Resilience System and Fostering a Competitive and Innovative Cybersecurity Industry Proposal for a Regulation on Privacy and Electronic Communications 3

The EU certification framework of the Cybersecurity Act

Features of an EU certification framework ICT Security Certification Producers ICT Security Certification Consumers Industry Member States ECIL Group Avoid fragmentation caused by national ICT security certification initiatives Promote mutual recognition Simplify procedures, reduce the time and cost of deployment of IT products and services Improve competitiveness and quality of European products and services Give users more confidence in ICT products and services they purchase 5

EU cybersecurity certification steps Commissio n requests ENISA ENISA drafts scheme involving all stakeholders and ECCG Commission adopts scheme by means of implementing acts MS or ECCG propose to Commission the drafting of a scheme 6

Key elements of a cybersecurity certification scheme Detailed specification of cybersecurity requirements against which ICT products will be evaluated One or more assurance levels Specific evaluation criteria and methods used Information to be supplied to CABs Conditions to use marks and labels Mechanisms to demonstrate continual compliance as appropriate Conditions to grant maintenance and extension of a certificate Consequences of non-conformity 7

ENISA output on certification to date

ENISA certification activities at large Supporting policy discussions, engagement and dialogue with stakeholders Establishing working relations with industry working groups Stocktaking on the development of a European ICT security certification and labelling framework Analysing the ICT security certification laboratories landscape in the EU Seeking to engage towards the EU framework based on existing schemes and responding to emerging lightweight requirements 9

Imprinting the landscape Supplementary to community building, involving subject matter experts from Member States and private sector 2013-2014: Cloud certification 2016: Definition of Cybersecurity - Gaps and overlaps in standardisation 2017: Challenges of security certification in emerging ICT environments 2017: Considerations on ICT security certification in EU - Survey Report 2017: Gaps in NIS standardisation - Recommendations for improving NIS in EU standardisation policy 2017: Recommendations on European Data Protection Certification 2018: Overview of the practices of ICT Certification Laboratories in Europe 10

ENISA in support of the EU Cloud Strategy: Certification Strategic objective of EC Strategy: List of voluntary certification schemes Cloud Certification Schemes List (CCSL): List of existing certification schemes 13 Certification schemes included Powered by ENISA, supported by the EC and the Cloud Selected Industry Group (C-SIG) Cloud Certification Schemes Meta-framework (CCSM): Meta-framework based on existing certification schemes Mapping detailed ICT security requirements of the public sector in the EU (11 countries) Outputs to be used for procurement Visit: https://resilience.enisa.europa.eu/cloud-computing-certification 11

An ENISA survey on certification 57% is aware of multiple existing ICT security certification schemes Main problems encountered: costs, duration, transparency and support 90% agreed that mutual recognition is desirable at European level 66% agreed for the need of self-declaration schemes Need for certification and labelling at the IoT (75%) and ICS (66%) domains 81% of the respondents agreed also that certification and labelling can be effective tools to increase transparency and enhance trust 66% highlighted the need for greater efforts to promote security certification in specific sectors 78% envisage a role for the Commission and EU bodies (e.g. JRC, ENISA, ACER) in an EU wide approach 12

EU Conformity Assessment Bodies An ENISA Study analyzing Context of operation Legal framework and standards in the evaluation process Organisation of laboratories and practices thereof A few figures 1864 CC certificates in the EU until November 2017 On average 100-150 per year 13

Significance of CC in business Minimal 35% Core 46% Minimal 36% Core 36% Certification oriented 6% IT security oriented 13% CCRA Certification oriented 7% SOG-IS IT security oriented 21% 14

Certificates issued 2014 2015 2016 TOTAL Germany 62 46 11 878 Spain 7 7 8 80 France 75 57 57 777 Italy 1 8 3 21 thnetherlands 5 12 45 Sweden 6 7 3 21 UK 7 10 1 41 15

Standardisation in support of certification Standards provide common rules that can be leveraged upon in certification Definitions objects of standards Category of products, services Application needs Requirements Specific security functions Assurance levels Evaluation Methodology and process Accreditation of CABs 16

ENISA-CEN/CENELEC-ETSI workshop 17

Shifting ENISA to support the EU certification framework

Envisaged mission of ENISA in certification To contribute to the emerging EU framework for the certification of products and services and carry out the drawing up of certification schemes in line with the Cybersecurity Act providing stakeholders with a sound service that leads to efficiencies and value in the EU Key outputs Key outputs of ENISA Certification include draft and finalised schemes for the certification of products and services, in the meaning of the Cybersecurity Act 19

Drawing up a certification scheme principles Open: a scheme to be drawn up by means of open consultations accessible to all parties interested in the technology, products or services affected by the said scheme Consensus seeking: The consultation process to be collaborative and consensus based refraining from favouring any particular stakeholder Transparent: Any new scheme activity to be publicised broadly through means available to ENISA. Information concerning technical discussions and consultations to be recorded. Feedback received during the consultation process to be treated in an equitable manner and responses to be provided for 20

Carrying out certification tasks ENISA in certification seeks to carry out the following tasks: Stakeholders coordination Collection of stakeholders requirements Editing of draft certification schemes Organising and managing scheme drafting activities as projects Management of stakeholders feedback 22

Priorities in between The primary objectives of ENISA throughout the period until the Cybersecurity Act comes into force are to: Identify the types of certification schemes in its remit Stimulate the interest of stakeholders in the prospect and opportunity emanating from the EU certification framework Generate a list of prospective schemes based on: existing ones seeking to transition to the EU Framework new application areas (e.g. consumer), types of products (e.g. IoT) and services (e.g. Cloud) Collect and validate stakeholder requirements in EU certification Make available the organisational conditions to timely fulfil its role 23

Conclusions 01 Sound preparation of ENISA is underway, during the legislative process 02 Broad stakeholder involvement is seen as a key success factor 03 Internal organisation follows suit 04 Agreeing on principles and content priorities for EU certification schemes are critical steps to take 26

Thank you PO Box 1309, 710 01 Heraklion, Greece Tel: +30 28 14 40 9710 info@enisa.europa.eu www.enisa.europa.eu

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback