Europe Daily Bulletin No. 11994
SECTORAL POLICIES / Digital

On the issue of cyber security, Angelika Niebler supports a risk-based certification framework

Angelika Niebler (EPP, Germany) has suggested that the European Union provide itself with a risk-based certification system. This is one of the proposals she made in her draft report, published at the end of March, on the draft regulation on the European Network Information Security Agency (ENISA).

Overall, the MEP supports the European Commission's approach, particularly with regard to strengthening ENISA’s mandate. Her main proposals focus on the certification framework and governance.

It should be recalled that in September 2017, the Commission presented its new cyber security strategy, in which it suggested strengthening the ENISA mandate and setting up a voluntary EU-wide certification framework that would help to assess the security properties of specific information and communication technology (ICT) products (see EUROPE 11865).

Although the European Economic and Social Committee adopted its opinion on 6 March, the European Parliament and Council have not yet established their respective positions.

At the European Parliament, the industry committee (ITRE) is responsible and the internal market committee (IMCO) can intervene as an associated committee (article 54 of Parliament’s internal regulation). It should be pointed out that the civil liberties committee submitted its opinion in the middle of March.

Niebler’s proposals

Angelika Niebler is in favour of setting up a Europe-wide certification system for products and services, as proposed by the Commission, to which she also adds the necessary processes.

The MEP also suggests adopting a risk-based approach (rather than a “one size fits all” system). She argues that the system should be voluntary as a general rule and compulsory for products, processes and services that present a high level of risk, and explains that, “A high level of risk exists when an attack on the ICT product, process and service compromises the availability, authenticity, integrity, confidentiality or other important objectives and reasonably endangers the national sovereignty or public security of states”.

The draft report also introduces a new article compelling manufacturers to provide their products with a statement that outlines structured information relating to certification (article 47 a). 

In the area of governance, the MEP recommends making the governance structure more transparent, particularly by adopting a multi-annual work programme for the Union that identifies common actions to be undertaken at Union level and the priority certification domains.

With regard to the question of ENISA’s mandate, Angelika Niebler supports the idea of a renewed and permanent mandate whilst emphasising the need to remain realistic, “in consideration of the high number of experts still employed by ENISA compared to the personal numbers in certain national certificated and monitoring authorities”.

The draft report is available at the following link: https://bit.ly/2uKtOcG (Original version in French by Sophie Petitjean)
