Agence Europe
Europe Daily Bulletin No. 12022
SECTORAL POLICIES / Digital

Parliament’s internal market committee report supports cyber security self certification

The European Parliament’s internal market and consumer protection committee (IMCO) thinks that the cyber security certification system should be made “compulsory” for high risk products and services and those linked to essential services. This is one of the proposals in its report for an opinion on the regulation on the cyber security agency adopted on 17 May.

It should be recalled that the European Commission presented its new strategy for cyber security in September 2017, in which it suggests strengthening ENISA’s mandate and introducing an EU-level voluntary certification framework that helps assess the security properties of specific information and communication technology (ICT) products (see EUROPE 11865).

The work has just started at the Council (see EUROPE 12008). At the European Parliament, the civil liberties committee (LIBE) had already submitted its opinion by the middle of last March. The internal market committee (IMCO) is, in this regard, acting as an associate committee (article 54 of the internal Parliament regulation); the industry committee (ITRE), the lead committee, is due to vote in June (see EUROPE 11994).

IMCO Committee suggestions

The internal market and consumer protection committee is, overall, in support of the main guidelines in the draft regulation. On the subject of the certification system, it is further consolidating the security objectives in these systems, which it describes as a “minimum” list (which includes security by design) and its constitutive elements, such as the maximum certification validity period. The main novelty focuses on the compulsory nature of the certification for at-risk mechanisms used when providing so-called “essential” services. Similarly to the draft compromise from the Bulgarian Presidency of the Council, IMCO’s opinion suggests authorising self-certification whereby manufacturers would be able to declare for themselves that their product or service complies with the criteria of a specific certification system.

It is also proposing to expand the functions of the agency. It suggests giving it: a control function, namely one that involves assessing the procedures for awarding European cyber security certificates and carrying out independent periodic ex post inspections into the compliance of certified ICT products and services; and the role of drafting guidelines on information sharing procedures between member states and minimum security requirements for information technology mechanisms marketed in the Union or those it exports. MEPs are also looking at the possibility of drawing up a work programme six months after the entry into force of the regulation, which will have to be re-examined every two years.

In other areas, the report introduces a peer review mechanism for the national certification monitoring authorities (article 50a). (Original version in French by Sophie Petitjean)
