On 17 April 2019, the European Union (EU) adopted the European Cybersecurity Act which introduces a European cybersecurity certification framework for technology (ICT) products, processes and services.
The EU Agency for Cybersecurity, ENISA, is now mandated to work on the development of such a framework for European cybersecurity certificates over the next 12 months. Initially European cybersecurity certification schemes will be voluntary, but the European Commission has until 2023 to determine which European certificates should be mandatory. National certificates will remain valid as long as there is no equivalent at EU level.
Once European certification is in effect, manufacturers, vendors and service providers will go through a single process to obtain a European certificate valid in all member states for their product or service. This will reduce compliance costs for businesses trading cross-border in the EU, which would have otherwise have to apply for certificates in several countries.
The proposed framework will ensure that connected products and internet of things devices manufactured in or for the EU will be developed with cybersecurity measures in-mind from the design stage (security by design).
The objective of the EU is to increase the trust and reliance of citizens and companies in ICT products and services by guaranteeing that they meet specified cybersecurity standards at assurance levels of ‘basic’, ‘substantial’ or ‘high’. Moreover, the Commission believes this could give European companies a competitive advantage worldwide, as the demand for more secure solutions is expected to rise.
“This is a ground breaking development as it is the first internal market law that takes up the challenge of enhancing the security of connected products, internet of things devices, as well as critical infrastructure through such certificates,” says the Commission.
This is a major topic for national cybersecurity agencies like France’s ANSSI and Germany’s BSI, who will speak on the subject at the FERMA Forum in Berlin in November.