in the EU
Sławek Górniak
9. CA-Day, Berlin, 28th November 2017
European Union Agency for Network and Information Security
Positioning ENISA activities
- CAPACITY: hands-on activities
- POLICY: support MS & COM in policy implementation; harmonisation across EU
- EXPERTISE: recommendations; independent advice
EU Policy Context
- eIDAS Regulation
- NIS Directive
- EU Cyber Security Strategy (COM)
- Strengthening Europe's Cyber Resilience System (COM)
- General Data Protection Regulation
- Telecom Package: article 13a, art. 4
The NIS Directive
- National Cyber Security Strategies
- Strategic: Cooperation Network
- Tactical/Operational: CSIRT Network
- Security Requirements and Incident Reporting for:
  - Operators of Essential Services: Transport, Energy, Healthcare, Banking and Financial market infrastructures, Digital Infrastructure
  - Digital Service Providers: Cloud Computing Services, Online Marketplaces, Search Engines
National Cyber Security Strategies (NCSS)
- 25 NCSS in the EU; a few under development
- Different maturity levels
- CIIP: key subject in NCSSs
- PPPs: limited success so far
- Overlaps in mandates
- Assessment of NCSS is an issue
Certification of ICT products
Defining certification: formal evaluation of products, services and processes by an independent and accredited body against a defined set of criteria standards, and the issuing of a certificate indicating conformance*
- Security certification of products has traditionally been dominated by Common Criteria
- Within the EU, the SOG-IS MRA is the dominant player in Common Criteria certification; currently 13 Member States and 1 EFTA country
- Multiple national and sectorial initiatives focused on security certification
*EC COM(2017) 477 final
ICT security certification within the EU policy context
- Network and Information Security Directive
- EU Cybersecurity Strategy
- General Data Protection Regulation
- eIDAS Regulation
- Payment Services Directive 2
- Digital Single Market Strategy
- Strengthening Europe's Cyber Resilience System and Fostering a Competitive and Innovative Cybersecurity Industry
- Proposal for a Regulation on Privacy and Electronic Communications
A view from the semiconductor industry on product certification
An ongoing joint initiative of Infineon, NXP, STMicroelectronics and ENISA to define European Baseline Requirements.
An EU Trust Label: a reference framework and associated label would ensure appropriate levels of security for products and services, leading to a common level playing field for industry.
Challenges:
- Standardization and certification: a policy framework to ensure minimal security for connected devices (to be defined by COM); EU security standards commensurate with market needs
- Security processes and services: reliable security processes and services; support industry to implement security in their products
- Security requirements: mandatory staged requirements for security and privacy in IoT
- Economic dimensions: a level playing field for cybersecurity and good security practices
Features of an EU certification framework
(diagram: ICT Security Certification Producers, ICT Security Certification Consumers, Industry, Member States, ECIL Group)
- Avoid fragmentation caused by national ICT security certification initiatives
- Promote mutual recognition
- Simplify procedures, reduce the time and cost of deployment of IT products and services
- Improve competitiveness and quality of European products and services
- Give users more confidence in the ICT products and services they purchase
Tentative policy approaches*
- Option 0 - Do nothing: no EU policy initiative or action (baseline scenario)
- Option 1 - Soft law approach: Commission to encourage and support national or industry initiatives
- Option 2 - Extension of the SOG-IS agreement: legislative proposal making MS participation in the SOG-IS agreement mandatory
- Option 3 - European certification & labelling framework: EU-wide framework with its own scope, functioning and governance rules
*as of 27.04.2017
Draft Cybersecurity Act
EU Cybersecurity Certification Framework
One EU Cybersecurity Certification Framework, many schemes. Tailored schemes specifying:
- scope: product/service category
- evaluation criteria and security requirements
- assurance level
Resulting certificates from European schemes are valid across all Member States.
Once a European scheme has been established:
- Member States cannot introduce new national schemes with the same scope
- Existing national schemes covering the same product/service cease to produce effects
- Existing certificates from national schemes remain valid until their expiry date
The use of EU certificates remains voluntary, unless otherwise specified in European Union law.
The specified requirements of the scheme shall not contradict any applicable legal requirements, in particular requirements emanating from harmonised Union legislation.
EU certification framework
National Certification Supervisory Authorities
- supervise the activities of conformity assessment bodies (CABs) and the compliance of the certificates issued by CABs
- are independent of the entities they supervise
- handle complaints on certificates issued by CABs
- withdraw certificates that are not compliant and impose penalties
- participate in the new European Cybersecurity Certification Group
European Cybersecurity Certification Group
- Composed of national certification supervisory authorities
- Advises and assists the Commission; assists, advises and cooperates with ENISA
- Proposes to the Commission that it requests the Agency to prepare a scheme
- Adopts opinions addressed to the Commission relating to the maintenance and review of existing EU schemes
- Chair: Commission
- Secretariat assistance: ENISA
EU certification framework
Envisaged assurance levels
- Assurance level basic: limited degree of confidence in the claimed or asserted cybersecurity qualities
- Assurance level substantial: limited degree of confidence in the claimed or asserted cybersecurity qualities
- Assurance level high: high degree of confidence in the claimed or asserted cybersecurity qualities
Key elements of the framework
- Detailed specification of cybersecurity requirements against which ICT products will be evaluated
- One or more assurance levels
- Specific evaluation criteria and methods used
- Information to be supplied to CABs
- Conditions to use marks and labels
- Mechanisms to demonstrate continual compliance, as appropriate
- Conditions to grant maintenance and extension of a certificate
- Consequences of non-conformity
New ENISA!
- Focused mandate
- Adequate resources
- Permanent status
EU Cybersecurity Agency
Mandate and objectives
- Promote the use of certification & contribute to the cybersecurity certification framework
- Be an independent centre of expertise
- Increase cybersecurity capabilities at Union level to complement MSs' action
- Contribute to high cybersecurity
- Assist EU institutions and MSs in policy development & implementation
- Support capacity building & preparedness
- Promote cooperation & coordination at Union level
- Promote a high level of awareness of citizens & businesses
Thank you
PO Box 1309, 710 01 Heraklion, Greece
Tel: +30 28 14 40 9710
info@enisa.europa.eu
www.enisa.europa.eu