As part of the European Cyber Security Package, the European Commission last autumn proposed a ‘European Cyber Security Act’. The essence of the proposal is the introduction of a quality mark (a security certification) for products and services in the field of cyber security. This is relevant, for example, for the market for products that can be connected to the Internet, the Internet of Things (IoT). As part of a series of consultations, the proposal was also recently discussed in Brussels by experts in the field of cyber security, technical standardisation and certification. As expected, the proposal was subject to criticism.
One of the key issues was the specific, dynamic character of cyber risks and the importance of a secure ecosystem. If we take the example of a camera connected to the internet, it quickly becomes clear that the quality mark cannot cover only the product as such (the camera’s hardware and software), but must also take in the role of the maker (system software updates) and of other service providers (connectivity, antivirus software). A certificate issued once says nothing about whether the product is still secure after its next update, which raises the further question of how products that require a high update frequency should be dealt with.
Issuing of certificates
Another thorny issue concerns the question of who grants the certificate: the supplier (‘self-certification’) or an independent third party (‘third-party certification’)? Industry experts pointed to the fact that the rapid rate of development and production of IoT products makes it essential for suppliers to award the quality mark themselves; there is simply no time for certification by independent parties. Industry also pressed hard for a voluntary quality mark, while the European consumer organisations strongly advocated the opposite.
Other concerns raised were the limited scope of the proposal (it offers no solution for the security issues confronting the business community) and the question whether the proposed certificate would serve its intended objective. Certificates are generally not properly understood by buyers. The introduction of a new quality mark alongside the already mandatory CE marking may well only lead to more confusion.
Proliferation of certificates
Various ‘cyber security certificates’ are currently available within the EU. The European Commission fears a proliferation of mutually incompatible certificates (lack of uniform requirements, limited geographical validity, lack of mutual recognition). This may lead to fragmentation of the market and new trade barriers, for example because a number of different certificates must be obtained in order to launch a product or service on the market in the EU. This is obviously a very undesirable development for the rapidly growing IoT market.
An important element of the proposed Cyber Security Act is to give a permanent mandate to ENISA, the European Union Agency for Network and Information Security. This should enable ENISA to provide support to Member States, EU institutions and the business community, among other things in implementing the Directive on security of network and information systems (NIS Directive). The purpose of this Directive is to create a more uniform security policy in the EU.
The European Parliament is expected to vote on the proposal at committee level in June. The European Economic and Social Committee (EESC) is also expected to soon deliver its opinion on the Cyber Security Act.