CEN and CENELEC Position Paper on the draft regulation ''Cybersecurity Act''

Similar documents
Friedrich Smaxwil CEN President. CEN European Committee for Standardization

ERCI cybersecurity seminar Guildford ERCI cybersecurity seminar Guildford

Introduction to the European Standardization System

NIS Standardisation ENISA view

UK-led international standards for BIM

13967/16 MK/mj 1 DG D 2B

European Standards- preparation, approval and role of CEN. Ashok Ganesh Deputy Director - Standards

DIGITIZING INDUSTRY, ICT STANDARDS TO

VdTÜV Statement on the Communication from the EU Commission A Digital Single Market Strategy for Europe

The European System of Standardization in the Globalized Economy. AFSEC General Assembly Johannesburg, 10 August 2010

Some keynote messages on standardization and trade between US and EU

ENISA activities in ICT security certification Dr. Prokopios Drogkaris NIS Expert NLO Meeting Athens

ENISA EU Threat Landscape

Cybersecurity. Quality. security LED-Modul. basis. Comments by the electrical industry on the EU Cybersecurity Act. manufacturer s declaration

Standardization of Knowledge and Skills for IT Security

Toward Horizon 2020: INSPIRE, PSI and other EU policies on data sharing and standardization

The emerging EU certification framework: A role for ENISA Dr. Andreas Mitrakas Head of Unit EU Certification Framework Conference Brussels 01/03/18

European Commission Directorate General Enterprise and Industry INSTITUTIONAL FRAMEWORK ON

Joint FIEEC-ZVEI Position on Cybersecurity

EUROPEAN COMMISSION DIRECTORATE GENERAL FOR INTERPRETATION

13543/17 PhL/at 1 DG G 3 B

New cybersecurity landscape in the EU Sławek Górniak 9. CA-Day, Berlin, 28th November 2017

EUROPEAN COMMISSION ENTERPRISE AND INDUSTRY DIRECTORATE-GENERAL

EUROPEAN COMMISSION Enterprise Directorate-General

Standardization supporting innovation and growth

Cybersecurity & Digital Privacy in the Energy sector

COUNCIL OF THE EUROPEAN UNION. Brussels, 28 January 2003 (OR. en) 15723/02 TELECOM 78 JAI 307 PESC 593

Standardization and Regulations in the EU/EFTA

1- ASECAP participation

cybersecurity in Europe Rossella Mattioli Secure Infrastructures and Services

The European approach of using standards in support of regional legislation and free circulation of goods/services

The EU Cybersecurity Package: Implications for ENISA Dr. Steve Purser Head of ENISA Core Operations Athens, 30 th January 2018

ACCREDITATION: A BRIEFING FOR GOVERNMENTS AND REGULATORS

Brussels, 19 May 2011 COUNCIL THE EUROPEAN UNION 10299/11 TELECOM 71 DATAPROTECT 55 JAI 332 PROCIV 66. NOTE From : COREPER

EUROPEAN ACCREDITATION LEGAL FRAMEWORK

U.S. Japan Internet Economy Industry Forum Joint Statement October 2013 Keidanren The American Chamber of Commerce in Japan

Recent developments CEN and CENELEC

RESOLUTION 47 (Rev. Buenos Aires, 2017)

The NIS Directive and Cybersecurity in

Quality Assurance and esecurity

cybersecurity in Europe Rossella Mattioli Secure Infrastructures and Services

How the European Commission is supporting innovation in mobile health technologies Nordic Mobile Healthcare Technology Congress 2015

Security and resilience in Information Society: the European approach

European Union Agency for Network and Information Security

Enhancing the cyber security &

Package of initiatives on Cybersecurity

EUROPEAN COMMISSION DIRECTORATE-GENERAL INFORMATION SOCIETY AND MEDIA

EC Mandate: Adaptation to climate change use of standards to make key infrastructures more resilient. Ab de Buck/ Caroline van Hoek

Cyber risk resilience

Standardization mandate addressed to CEN, CENELEC and ETSI in the field of Information Society Standardization

A Strategy for a secure Information Society Dialogue, Partnership and empowerment

Position Paper of the ASD Civil Aviation Cybersecurity Taskforce

Harmonisation of Digital Markets in the EaP. Vassilis Kopanas European Commission, DG CONNECT

ITU Asia-Pacific Centres of Excellence Training on Conformity and Interoperability. Session 2: Conformity Assessment Principles

An Overview of ISO/IEC family of Information Security Management System Standards

5972/17 GT/cb 1 DG G 3 C

Mandate to CEN, CENELEC and ETSI for Standardisation in the field of electric motors

European Standards - Supporting sustainable development. Ashok Ganesh CEN CENELEC Management Centre

New CEN-CENELEC Technical Committees for Infosec and Data Protection Standardization (TC8) Brussels - 19 September 2017 Alessandro GUARINO Chair,

European Standards & Community Specifications

Information technology Security techniques Information security controls for the energy utility industry

Coordination Meeting of Standardisation Activities for assessing the Environmental Impact of ICT

eidas Regulation (EU) 910/2014 eidas implementation State of Play

STANDARDS TO HELP COMPLY WITH EU LEGISLATION. EUROPE HAS WHAT IT TAKES INCLUDING THE WILL?

Certification of EGNSS Timing Receivers and Services

European Standardization & Digital Transformation. Ashok GANESH Director Innovation ETICS Management Committee

Call for Expressions of Interest

H2020 & THE FRENCH SECURITY RESEARCH

USING STANDARDS TO ASSESS THE COMPETENCE OF CONFORMITY

Internet copy. EasyGo security policy. Annex 1.3 to Joint Venture Agreement Toll Service Provider Agreement

EU policy on Network and Information Security & Critical Information Infrastructures Protection

Status of activities Joint Working Group on standards for Smart Grids in Europe

EN 50600, EU COC, EMAS AND EUROPEAN DATA CENTRE ENERGY EFFICIENCY MANAGEMENT

INSPIRE status report

ENISA s Position on the NIS Directive

European Transport Policy: ITS in action ITS Action Plan Directive 2010/40/EU

Joint ITU-UNIDO Forum on Sustainable Conformity Assessment for Asia-Pacific Region (Yangon City, Republic of Union of Myanmar November 2013)

CONCLUSIONS OF THE WESTERN BALKANS DIGITAL SUMMIT APRIL, SKOPJE

COUNCIL OF THE EUROPEAN UNION. Brussels, 24 May /13. Interinstitutional File: 2013/0027 (COD)

ARTICLE 29 DATA PROTECTION WORKING PARTY

Future-Proof Security & Privacy in IoT

Conformity assessment Requirements for bodies providing audit and certification of management systems. Part 6:

Third public workshop of the Amsterdam Group and CODECS European Framework for C-ITS Deployment

First Set of Standards for the grid. ISGF Webinar : 11th July 2013 Dinesh Chand Sharma Director Standardization, Policy and Regulation

Sector Vision for the Future of Reference Standards

Horizon 2020 Security

ETNO Reflection Document on the EC Proposal for a Directive on Network and Information Security (NIS Directive)

Cybersecurity eit. Software. Certification. Industrial Security Embedded System

The role of Standardization in support of harmonization

DIGITAL AGENDA FOR EUROPE

The European Standards Organisations (ESOs) Outreach Activities

Cyber Security in Europe

***I DRAFT REPORT. EN United in diversity EN. European Parliament 2017/0225(COD)

Pierre Sebellin. Systems Technical Officer International Electrotechnical Commission

COMMUNICATION FROM THE COMMISSION TO THE EUROPEAN PARLIAMENT, THE COUNCIL, THE EUROPEAN ECONOMIC AND SOCIAL COMMITTEE AND THE COMMITTEE OF THE REGIONS

ACCAB. Accreditation Commission For Conformity Assessment Bodies

ENISA And Standards Adri án Belmonte ETSI Security Week Event Sophia Antipolis (France) 22th June

The Role of ENISA in the Implementation of the NIS Directive Anna Sarri Officer in NIS CIP Workshop Vienna 19 th September 2017

ACCAB. Accreditation Commission For Conformity Assessment Bodies

MOTION FOR A RESOLUTION

Transcription:

CEN Identification number in the EC register: 63623305522-13 CENELEC Identification number in the EC register: 58258552517-56 CEN and CENELEC Position Paper on the draft regulation ''Cybersecurity Act'' January 2018 Background The European Commission released on the 13 th September 2017 the Proposal for a Regulation of the EP and the Council on ENISA, the "EU Cybersecurity Agency", and repealing Regulation (EU) 526/2013, and on Information and Communication Technology cybersecurity certification ( Cybersecurity Act ) [COM (2017) 477]. With this document, CEN and CENELEC provide their input to the ongoing discussions in the European Parliament, Council of the European Union and the European Economic and Social Committee on the above-cited communication. Executive summary CEN and CENELEC welcome the proposal made by the European Commission for a Cybersecurity Act [COM (2017) 477] as part of its cybersecurity strategy to avoid purely national solutions and look forward to working together to address the current fragmentation of the European market. To ensure a coherent European approach to cybersecurity CEN and CENELEC stress the importance to: - Define what is meant by ICT products and services covered by the proposal, and formally engage with the European Standardization Organizations (ESOs) to establish a priority list of products, services and digital competences and qualifications so that standardization can timely accompany market needs. - Invite the formally recognized national, European and international standardization organizations (as per Regulation 1025/2012) to define the requirements and standards to be used in the certification schemes. Where applicable, priority should be given to International Standards, which enable European industry to access global markets. Rue de la Science 23-1040 Brussels - Belgium Tel: +32 2 550 08 11 - Fax: +32 2 550 08 19 info@cencenelec.eu - www.cencenelec.eu

- Apply the process of the New Legislative Framework (NLF), which provides a clear separation between legislation, standards, and conformity assessment and avoids creating a new practice, which would cause confusion in the market place. - Revise the technical details included within the security objectives and the assurance level sections, in order to make them fully applicable to real use cases and coherent with modern best practices. CEN and CENELEC contribution To ensure a coherent European approach to cybersecurity CEN and CENELEC stress the importance to: 1) DEFINE what is meant by ICT products and services covered by the proposal and formally engage with the European Standardization Organizations (ESOs) to establish a priority list of products, services and digital competences and qualifications so that standardization can timely accompany market needs. European Standards are valuable tools voluntary and strongly founded on the WTO/TBT principles for the promotion of best practice, increased efficiency, interoperability, and better quality of products and services in all business sectors. They are proven assets to the development of the Single Market and are used as a tool in support of European legislation and public policy: CEN, CENELEC and ETSI are recognized by Regulation 1025/2012 as European Standardization Organizations (ESOs), providing voluntary European Standards (ENs). With the new proposal, the European Commission states its intention to reinforce and preserve the security of ICT products and services and to increase trust in their use by the EU citizens. CEN and CENELEC share the view that the current proposal provides insufficient information on the ICT products and services intended to be covered by the upcoming EU certification framework, while not addressing the digital competences and qualifications required to respectively operate and use them. A majority of products and services currently placed on the market are ICT enabled. The scope of the new regulation needs to clearly set the boundaries of the ICT products and services that will be covered by the new certification schemes, and the main digital competences and qualifications that interact with them throughout the products and services lifecycles. Different security levels should be defined according to the need of users for trust and confidence (be it B2C, B2B or Critical Infrastructures). Conformity assessment methods need to be adapted to the different risk levels. CEN-CENELEC reply January 2018 Page 2 of 6

CEN and CENELEC therefore invite the European Commission to set out a coherent, risk-based approach in defining a list of products, services and/or digital competences and qualifications to which the certification schemes would apply first, whilst keeping in mind that the usage of certification schemes should be allowed regardless of the technology. European Standards could support the envisaged certification schemes, reflecting interactions and interdependence along the whole value chain in the ICT industry and for the benefit of all business sectors, while taking into account the broadest spectrum of stakeholders. Any framework should take into account existing standards that are already widely accepted, such as the Common Criteria (ISO 15408), the requirements and information security management for IT (ISO/IEC EN 27000, 27001, 27002), industrial automation and control systems (IEC 62443), and industry sector-specific standards. The European Standardization System enables the engagement all stakeholders: policy makers, societal, consumers and SMEs (Annex III organizations as defined by Regulation 1025/2012), and industry to collect requirement needs that could become part of European or International Standards on data protection, information protection and security techniques with specific focus on cybersecurity covering all aspects of the evolving information society. The use of International and European Standards guarantees openness, ensures broad stakeholder participation to the benefit of consumers and SMEs (as proven in CEN-CENELEC Joint Technical Committee (JTC) 13 Cybersecurity and Data Protection ), and leaves room for future innovations. 2) INVITE the formally recognized national, European and international standardization organizations (as per Regulation 1025/2012) to define the requirements and standards to be used in the certification schemes. Where applicable, priority should be given to International Standards, which enable European industry to access global markets. The primary objective of standardization is the definition of voluntary technical specifications with which current or future products, production processes, services or digital competences and qualifications may comply. Standardization can cover various issues, such as different grades or sizes of a particular product or technical specification where safety, efficiency, compatibility, and interoperability with other products or systems are essential. European Standards are established through a transparent, balanced, and consensus-based process where all stakeholders are invited to contribute (including ENISA s representatives and experts, consumers and SMEs). Therefore, CEN and CENELEC should be involved in developing standards as basis for testing and evaluation in certification schemes following the established standardization process as defined by Regulation 1025/2012. This will foster stakeholders commitment, the link between European and International Standards as well as coherent national implementations of European cybersecurity requirements to ensure the technical consistency of the Single Market. CEN-CENELEC reply January 2018 Page 3 of 6

The long-standing cooperation of the ESOs with ISO, IEC and ITU-T has allowed the alignment of European Standards with international ones, contributing to the global competitiveness of European businesses. Strengthening this cooperation in cybersecurity as well, will facilitate the development of ISO and IEC standards to support European legislative and policy needs. It will also secure EU businesses involvement in the definition and implementation of EU certification framework. Specific requirements developed by the European Commission or ENISA - in parallel to European and/or International Standards - would create competition with these standards, create uncertainty and ultimately stifle innovation. Therefore, CEN and CENELEC recommend, wherever possible, to make use of International Standards for testing and evaluation in the certification schemes to ensure certification against well-proven, community-approved technical specifications. 3) APPLY the process of the New Legislative Framework, which provides a clear separation between legislation, standards, and conformity assessment and avoids creating a new practice, which would cause confusion in the market place. For more than 30 years, the ESOs have developed harmonized standards, which manufacturers, economic operators, or conformity assessment bodies can use to demonstrate that products, services, or processes comply with relevant EU legislation. CEN and CENELEC have developed standards in all business sectors and for use in a variety of purposes. By definition, European Standards are voluntary and organizations that use them do so voluntarily. We believe that the conformity assessment system, provided by the New Legislative Framework, should be the preferred solution for the implementation of the new cybersecurity solutions. For products subject to harmonized regulation (e.g. medical devices, aviation, toys, electrical equipment, construction or measuring instruments), any scheme introduced by the future EU cybersecurity framework should fit seamlessly with existing ways to assess and demonstrate compliance with the legal framework, and allow for self-assessment. This approach has proven to be an efficient and effective tool to make high-risk products safe across Europe, which consumers can trust. CEN and CENELEC urge the European Commission to apply Regulation 1025/2012 1 when defining the requirements for ICT products, services and digital competencies and qualifications and reuse as much as possible the existing certification schemes instead of establishing a parallel 1 Also in the context of: Regulation (EC) No 765/2008 of the European Parliament and of the Council setting out the requirements for accreditation and market surveillance relating to the marketing of products, and Decision No 768/2008/EC of the European Parliament and of the Council on a common framework for the marketing of products CEN-CENELEC reply January 2018 Page 4 of 6

system for certification. The current proposal might lead to the establishment of a new practice and parallel system to the recognized standardization system, which will hamper the take-up of new solutions and technologies rather than increase trust or security of product and services. The upcoming regulation should clarify how the scheme s cybersecurity requirements will be established. Cybersecurity is an international challenge. International Standards and European Standards based on International Standards - provide the basis by which the European exportdriven industry can access global markets. The international standards system avoids national and regional technical particularities that lead to technical barriers to trade. To achieve a consistent and effective EU certification framework for cybersecurity, European and International Standards will need to play a crucial role. 4) REVISE the technical details included within the security objectives and the assurance level sections in order to make them fully applicable to real use cases and coherent with modern best practices. Technical cybersecurity details to be included in the regulation should be minimal and precise in order not to incur the risk of being not exhaustive or imprecise. Therefore, detailed considerations about security objectives should be generalized and left up to the certification schemes. The same consideration holds true for the assurance levels to be included and the criteria governing them. General requirements should be given, like mandating a risk-based approach or using management systems structures and vocabulary when feasible. If any technical indication is needed then the involvement of the ESOs will be crucial as they have the experience of working on this type of technical requirements. CEN-CENELEC reply January 2018 Page 5 of 6

About CEN and CENELEC The European Committee for Standardization ( CEN ) and the European Committee for Electrotechnical Standardization ( CENELEC ) are two officially recognized European Standardization Organizations under Regulation 1025/2012 on European Standardisation 2. CEN and CENELEC develop European Standards (ENs) and other technical deliverables through a transparent and consensus-driven process to meet the needs of European stakeholders, such as industry and service providers, including SMEs, public authorities and regulators, academia, research centres and societal stakeholders organizations. In addition, CEN and CENELEC provide a platform for the development of harmonized European Standards (hens) that may incorporate quality, safety, environmental, interoperability and accessibility requirements to support the implementation of the relevant European legislation. CEN and CENELEC membership is composed of national standardisation bodies from 34 countries, whose national networks involves more than 100 000 technical experts from industry, business and commercial federations (including SMEs), research, consumer organizations, environmental groups and other societal stakeholders. For more information, please see: www.cencenelec.eu CEN and CENELEC Cybersecurity activities: CEN-CENELEC/JTC 13 Cybersecurity and Data protection CEN-CENELEC/JTC 8 Privacy management in products and services CEN/TC 278 Intelligent transport systems CEN/TC 301 Road vehicles CEN/TC 377 Air Traffic management CEN/TC 428 Digital competences and IT professionalism CENELEC/TC 8X System aspects of electrical energy supply CENELEC/TC 9X Electrical equipment and systems for railways (Smart Cars) CENELEC/TC 13 Electrical energy measurement and control CENELEC/TC 205 Home and Building Electronic Systems CENELEC/TC 59X Consumer information related to household electrical appliances CEN/BT WG 220 Fintech CEN-CENELEC Focus Group on Blockchain and distributed ledger technologies CEN-CLC-ETSI Coordination Group Smart Energy Grids CEN-CLC-ETSI Coordination Group Smart Meters 2 Regulation (EU) No 1025/2012 of the European Parliament and of the Council of 25 October 2012 on European standardisation, amending Council Directives 89/686/EEC and 93/15/EEC and Directives 94/9/EC, 94/25/EC, 95/16/EC, 97/23/EC, 98/34/EC, 2004/22/EC, 2007/23/EC, 2009/23/EC and 2009/105/EC of the European Parliament and of the Council and repealing Council Decision 87/95/EEC and Decision No 1673/2006/EC of the European Parliament and of the Council Text with EEA relevance, OJ L 316, 14.11.2012, p. 12 33 CEN-CENELEC reply January 2018 Page 6 of 6

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback