The EU Plans to Adopt a Cybersecurity Certification Framework
At present, there is no EU-wide certification framework that allows suppliers of ICT products to obtain information security certificates valid in all 28 EU countries. For example, if a supplier of software for smart meters obtains a certificate based on the so-called Common Criteria (CC) for Information Technology Security Evaluation (ISO 15408), the certificate will be legally recognized in 13 out of 28 EU countries. Hence, the supplier may need to obtain other certificates in the other 15 EU countries. As a result, the supplier will likely incur significant compliance costs to obtain EU-wide certification. It is sufficient to note that, if the supplier wishes to obtain the “Smart Meter Gateway” certificate in accordance with the requirements of the German Federal Office for Information Security (BSI), it will need to pay more than EUR 1 million. The costs for obtaining similar certifications in the UK and France are also substantial (about EUR 150,000 per country).
To reduce the financial and administrative burden of obtaining certificates in different regions of the EU, the EU has put forward a proposal for the creation of a legal framework that will lead to the issuance of cybersecurity certificates recognized throughout the entire EU. Such certificates will make it easier for businesses to trade within the borders of the largest economy in the world, with more than 500 million consumers.
The purpose of this article is to examine the proposed EU cybersecurity certification framework (Section 2) and discuss how other countries can benefit from similar legislative initiatives (Section 3). Finally, a conclusion is drawn (Section 4).
2. The essence of the proposed EU cybersecurity certification framework
Under the proposed framework, the European Union Agency for Network and Information Security (ENISA) will be responsible for designing a European cybersecurity certification scheme which will need to comply with a number of pre-defined objectives, including, but not limited to, (i) protecting data against accidental or unauthorized storage, processing, access, disclosure, destruction, loss, or alteration, (ii) ensuring that only authorized persons, programs, and machines can access the protected data, (iii) recording any transactions related to the protected data, (iv) making sure that any data transactions can be inspected, (v) recovering data in case of information security events, and (vi) requiring that ICT products and services are provided on the basis of secure software applications.
ICT products and services that comply with the certification framework will be certified with one of three assurance levels, namely, basic, substantial, and high level. The basic level provides a limited degree of confidence in the cybersecurity qualities of the certified product or service. The substantial level provides a substantial degree of confidence, whereas the high level provides a higher level of confidence.
Certificates under the framework will be issued by conformity assessment bodies. The maximum validity of a certificate will be three years, with the possibility of renewal.
3. How can other countries benefit from implementing similar certification schemes?
Many countries have signed international agreements for the recognition of cybersecurity certification schemes. For instance, 28 countries are members of the Common Criteria Recognition Arrangement (CCRA), which obliges its signatories to recognize the Common Criteria (CC) mentioned above. The members include, but are not limited to, the United States, the United Kingdom, South Korea, Japan, the Netherlands, Italy, Germany, France, and Australia. However, many countries have not signed the CCRA and require companies selling ICT products to obtain local certificates. The lack of worldwide international recognition imposes a significant administrative and financial burden on companies willing to operate on a global scale. Therefore, there is a need for a worldwide legal framework, similar to the proposed EU cybersecurity certification framework, which will ensure the validity of cybersecurity certificates in most of the 195 countries in the world today.
It should be pointed out that worldwide legal frameworks are not an unusual phenomenon nowadays. By way of illustration, the Berne Convention governing copyright-related matters applies to 175 countries. The New York Convention governing the recognition and enforcement of foreign arbitration awards applies to 159 countries. The Convention on Cybercrime covers 57 countries. The Patent Cooperation Treaty (PCT) is valid in 152 countries. Considering these observations, it will not be surprising if more than 50 countries become parties to a cybersecurity certification convention. Such a convention will facilitate the global trade of ICT products and services and allow companies to invest less in legal compliance and more in research and development.
The new EU cybersecurity certification network will address the problems related to the current fragmentation of the EU cybersecurity market. However, there is a need for an even wider cybersecurity certification network that will cover a larger number of countries. The ICT field is in the process of constant development and companies operating in the field frequently release new products. By requiring companies to obtain separate certificates in different countries, governments impose a tremendous burden on companies, thus hampering the release of new products.
Governments do not need to reinvent the wheel and search for a totally new approach on how to handle the worldwide fragmentation of cybersecurity certification schemes. They can look at the numerous international treaties signed by them to solve similar matters. For example, the Patent Cooperation Treaty was signed with the aim to allow applicants to obtain patents in all 152 countries without the need to submit separate patent applications in all those countries. The need to prepare 152 patent applications was rightly seen as an obstacle to innovation.
Rasa Juzenaite works as a project manager at Dimov Internet Law Consulting (www.dimov.pro), a legal consultancy based in Belgium. She has a background in digital culture with a focus on digital humanities, social media, and digitization. Currently, she is pursuing an advanced Master’s degree in IP & ICT Law.