Europe Daily Bulletin No. 13788
SECTORAL POLICIES / Digital

European Commission relaunching work on cybersecurity certification schemes by revising Cybersecurity Act

More centralisation, fewer procedural rules and stronger digital protection. In a provisional working version of the revised Cybersecurity Act (CSA), obtained by Agence Europe, the European Commission wants to give the European Cybersecurity Agency (ENISA) more room for manoeuvre and relaunch work on the cybersecurity certification scheme, which has been at a standstill for several years (see EUROPE 13451/10). 

However, there is nothing on high-risk suppliers (see EUROPE 13786/14). The question has not yet been decided by the College of Commissioners, and will only be included in the final version of the text, scheduled for Tuesday 20 January.

Greater role for ENISA. The provisional text therefore opens the door to greater responsibility for ENISA, which could be given an even more central role in the whole chain of risk management, harmonisation and European cooperation.

The current Cybersecurity Act already gives the Agency prerogatives over the development and technical structuring of cybersecurity certification schemes. It is also working on other schemes, such as those for cloud services (EUCS) (see EUROPE 13465/14), managed security services (MSS) and 5G. 

The new provisional text reinforces a number of these prerogatives. ENISA is still responsible for drawing up cyber certification schemes, which are becoming all the more central to European cybersecurity policy, but with an extra level of involvement. 

The text also mentions its contribution to capacity building in the field of certification, in particular by supporting Member States in assessment and revision activities.

Other obligations may now fall under its remit:
- leading, where appropriate, standards development activities at European level;
- supporting the Commission in setting up a European cybersecurity certification body;
- developing and publicising a European framework and a system for certifying cybersecurity skills for use in national or private institutions.

Reinforcement of European cyber security requirements. The central point of the new text is the issue of the European Cybersecurity Certification Framework, which is being reorganised and given greater importance. The various schemes that make it up will have to indicate that “the ICT products, services and processes concerned comply with the specified security requirements in order to protect the availability, authenticity, integrity or confidentiality of the data stored, transmitted or processed, or the functions or services offered”. 

In detail, these schemes should “protect against accidental or unauthorised storage, processing, access or leakage”, against “any unauthorised manipulation or modification”, and ensure that ICT products, services and processes “do not contain known exploitable vulnerabilities”.

This European framework should be established “with the aim of creating a digital single market for ICT products, services and processes, managed security services and entities”, the text details. Each scheme will be subject to the same rules for maintenance, updating and periodic assessment. ENISA can also develop technical specifications for a specific scheme.

Three levels of scheme security can be implemented: ‘basic’, ‘substantial’ and ‘high’, depending on the importance of the associated services. National certification schemes, which are not covered by the purpose and scope of a European cybersecurity certification scheme, “will have to be abolished”, says the text (see EUROPE 13434/9).

This resurgence of the European Cyber Certification Scheme heralds a resumption of the debate around the scope of the schemes and specific requirements, such as data localisation and European sovereignty. The missing chapter should deal with suppliers deemed to be high-risk, and therefore potentially banned. 

In the cloud sector, for example, France has long been calling for stricter guarantees of security and sovereignty, equivalent to its own ‘SecNumCloud’ system, particularly in terms of protection against the extraterritoriality of certain foreign laws (see EUROPE 13394/9), but to no avail at this stage.

While some Member States are committed to more protective rules (in favour of European service providers, or under European supervision), others are more reticent about imposing rules that would effectively restrict access to the EU’s internal market.

What began as a simple technical harmonisation of disparate approaches has become a major strategic tool for the EU’s cyber security, in an increasingly changeable geopolitical context.

See the provisional text: https://aeur.eu/f/kag (Original version in French by Isalia Stieffatre)
