Europe Daily Bulletin No. 12008
SECTORAL POLICIES / Digital

New Bulgarian compromise proposal at Council of EU on cyber security

The Council of the EU is planning to introduce limits on the European self-assessment system for cyber security products and services that present low levels of risk and complexity. This was revealed in the new Bulgarian draft compromise that will be examined by the working party on 26 and 27 April.

It should be recalled that in September 2017 the Commission presented its new cyber security strategy, in which it suggests that ENISA ought to be strengthened and that a voluntary certification framework should be implemented throughout the EU to help assess the security properties of specific information and communication technology (ICT) products (see EUROPE 11865). Parliament's industry committee (ITRE) vote is planned for 19 June (see EUROPE 11994). Work at the Council in this regard is on track.

New Presidency compromise text

Following the most recent exchange of views at the working party on 10 April and in view of the discussions planned for the end of the week, the Bulgarian Presidency of the Council has slightly amended its previous compromise proposal (see EUROPE 11964).

The proposal still aims to introduce a European cyber security self-assessment system but explains that this would only be “appropriate for low complexity ICT products and services that correspond to basic assurance levels” (article 47a). Recital 55 explains that manufacturers or providers should redraft or sign the EU compliance declaration (recognised in all EU member states), which should be maintained for 10 years. In the previous versions, the Council proposed to differentiate between the different assurance levels: basic, substantial or high.

The draft compromise then lists the constitutive elements of the European cyber security certification systems (article 47), while explaining that these elements are just the minimum. It also explains that it is up to the compliance assessment bodies to award this kind of certificate, apart from those for high-risk mechanisms where, in general, this responsibility would be in the hands of the national certification authorities.

In the definitions, the Presidency text explains that “Certification cannot guarantee per se that certified ICT products and services are cyber secure. It is rather a procedure and technical methodology to attest that ICT products and services have been tested and that they comply with certain cybersecurity requirements laid down elsewhere, for example as specified in technical standards”.

The new text suggests that certain tasks of the European Network Information Security Agency (ENISA) should be explained in more detail. Therefore, in a different article on awareness and education, it proposes that the agency provide guidelines on good practices for individual users and support the exchange of good practices between member states (article 9a).

Please go to the following link to see the new compromise text: https://drive.google.com/file/d/1Ts0Rv4qcAUrVc65QNBKYRbUIYg3ntDgH/view?usp=sharing. (Original version in French by Sophie Petitjean)
