The Legal Framework for Cybersecurity Certification in the European Union
Nowadays, society relies increasingly on information, communication and other digital technologies. Whether it is a key company in the energy or banking sector, a public transport operator, a telecommunications provider, a hospital or a government body, all of these entities depend on the smooth functioning of their information and communication systems and networks. Whether we like it or not, digital technologies are now an indispensable part of most processes. This growing reliance, however, goes hand in hand with a continuous increase in the number of cyber-attacks on entities with inadequate cybersecurity protection. The trend is not confined to critical infrastructure; it can be observed wherever an attack promises some material gain. For this reason, and not only within the European Union, new processes and measures are constantly being developed to counter cyber threats as effectively as possible.
Until now, each EU Member State has, to a greater or lesser extent, had its own authority responsible for certifying levels of cybersecurity. Because of the significant differences between these certification authorities in individual Member States (or their complete absence, as in the Czech Republic), and in line with the European Union's broader harmonisation efforts, the Cybersecurity Act[1] was adopted. Its aim is to strengthen overall cyber resilience by establishing an EU-wide certification framework for ICT products, services and processes. This harmonisation of cybersecurity policy and certification is one of the key elements of the Digital Single Market, and one of the priorities of the Digital Single Market strategy adopted in 2015, which aims to ensure a fair, open and secure digital environment within the European Union.
The European Union Agency for Cybersecurity
The Cybersecurity Act covers two key areas. The first is the expansion and strengthening of the mandate of the European Union Agency for Cybersecurity (ENISA), the EU's principal expert body on European cybersecurity policy, whose mandate the Act also makes permanent. ENISA's role is primarily to contribute to the development of EU cybersecurity policy and law, while at the same time collecting and developing cybersecurity know-how in order to support individual Member States in implementing EU cybersecurity law and policy. In this respect, ENISA is also tasked with monitoring the cybersecurity landscape and preparing candidate cybersecurity certification schemes, which form the basis for the cybersecurity certification of individual ICT products, processes and services.
Cybersecurity Certification
The second key area of the Cybersecurity Act is the chapter on cybersecurity certification itself, which introduces the European cybersecurity certification framework. The framework does not itself contain directly applicable certification schemes; it merely establishes a mechanism for setting up European cybersecurity certification schemes and for attesting that ICT products, services and processes evaluated under those schemes meet the security requirements specified in the scheme. Candidate certification schemes are prepared by ENISA, either on the basis of the Union rolling work programme published by the European Commission or, in duly justified cases, at the request of the European Commission or the European Cybersecurity Certification Group (ECCG). The Cybersecurity Act imposes stringent requirements on the design of certification schemes. First and foremost, every scheme must be designed to achieve the security objectives laid down in the Act. These include protecting data against accidental or unauthorised storage, processing, access or disclosure, and against destruction, loss, alteration or lack of availability, throughout the entire life cycle of the ICT product, service or process. Other core security objectives include identifying and documenting known dependencies and vulnerabilities; verifying that certified ICT products, services or processes do not contain known vulnerabilities; ensuring that they are secure by default and by design; ensuring that they are provided with up-to-date software and hardware that do not contain publicly known vulnerabilities; and ensuring that they are provided with mechanisms for secure updates.
Types of cybersecurity certification and certifying entities
European cybersecurity certification schemes may specify one or more assurance levels, with the assurance level being proportionate to the level of risk, in terms of the likelihood and impact of an incident, associated with the intended use of the ICT product, service or process. Certification at the national level is then carried out by different bodies depending on the assurance level concerned; at the lowest level, a scheme may also permit a 'self-assessment' of conformity.
The highest assurance level, 'high', provides assurance that the ICT products, services and processes for which the certificate has been issued meet the corresponding security requirements, including security functionalities, and that they have been evaluated at a level intended to minimise the risk of state-of-the-art cyber-attacks carried out by actors with significant skills and resources. In the Czech Republic, certificates at assurance level 'high' are issued by the national cybersecurity certification authority, the National Cyber and Information Security Agency (NÚKIB). Under the Cybersecurity Act this authority may also delegate the issuing of such certificates to a conformity assessment body (see below), either under a general delegation or subject to its prior approval of each certificate.
The medium assurance level, 'substantial', provides assurance that the ICT products, services and processes for which the certificate has been issued meet the corresponding security requirements, including security functionalities, and that they have been evaluated at a level intended to minimise the known cybersecurity risks and the risk of incidents and cyber-attacks carried out by actors with limited skills and resources. In the Czech Republic, certificates at assurance level 'substantial' are issued by conformity assessment bodies, i.e. bodies that perform conformity assessment activities such as calibration, testing, certification and inspection within the meaning of Regulation (EC) No 765/2008.[2] These bodies are accredited by the national accreditation body, which for the Czech Republic is the Czech Accreditation Institute (Český institut pro akreditaci), authorised by a decision of the Ministry of Industry and Trade of the Czech Republic. The Cybersecurity Act lays down numerous requirements that conformity assessment bodies must meet: formal requirements (establishment under national law and legal personality), financial requirements (liability insurance), reputational requirements (covering related companies in the same business group, if any), and personnel requirements (sufficiently qualified, experienced and independent staff, with the independence of both the body and its personnel from the entity it evaluates).
The lowest assurance level, 'basic', provides assurance that the ICT products, services and processes for which the certificate has been issued meet the corresponding security requirements, including security functionalities, and that they have been evaluated at a level intended to minimise the known basic risks of incidents and cyber-attacks. Certification at assurance level 'basic' is carried out by conformity assessment bodies. Alternatively, where the scheme allows it, a manufacturer or provider of ICT products, services or processes may carry out a conformity self-assessment on its own, outside the institutional framework of certification, in which case it issues an EU statement of conformity and bears responsibility for that statement. The Cybersecurity Act permits self-assessment only for products, services and processes that present a low risk corresponding to assurance level 'basic'; in practice, therefore, it is suited only to low-complexity products, services or processes that pose a low risk to the public.
Conclusion
The Cybersecurity Act is clearly a major piece of EU regulation, with the potential not only to create a relatively safer digital environment at the EU level, but also to expand the network of cybersecurity certification bodies across the EU Member States and to strengthen the EU's influence in this sector globally. It remains to be seen how the Cybersecurity Act will be implemented in practice, how the new certification authorities will operate and to what extent the regulation will have a positive impact, or whether it will become mired in bureaucracy and never develop into a functioning regime.
[1] Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019 on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification and repealing Regulation (EU) No 526/2013 (Cybersecurity Act).
[2] Regulation (EC) No 765/2008 of the European Parliament and of the Council of 9 July 2008 setting out the requirements for accreditation and market surveillance relating to the marketing of products and repealing Regulation (EEC) No 339/93.