The European Cyber Security Act contains a proposal for arriving at a European cyber security certificate that qualifies ICT products, processes and services on the basis of a risk analysis. The European Commission’s original proposal has now been amended on a number of points and is with the European Parliament for decision-making. The Netherlands is also busy developing its own quality mark in this area.
The guiding principle behind the current proposal is to arrive at a classification for ICT products, processes and services based on a risk analysis. There are three levels of assurance (basic, substantial and/or high) and they need to be appropriate, given the use that is envisaged for the process, product or service in question. In principle, the corresponding certificate must be awarded by an independent party (third party certification).
Certificate or supplier declaration
Assessment by the supplier itself (conformity self-assessment) is only considered appropriate for simple ICT processes, products and services that represent a low risk to the public interest. Moreover, these may only be processes, products and services with the lowest security level (basic). If this is the case, the supplier must sign an ‘EU statement of conformity’ and lodge it with the national cyber security agency and the European Union Agency for Network and Information Security (ENISA). Issuing a declaration of this kind makes the supplier responsible for ensuring that the product or service in question meets the requirements of the underlying European certification scheme. A certificate (or supplier declaration) carries a presumption of conformity with the requirements of the underlying certification scheme (Art. 48).
Valid throughout Europe; voluntary basis
Certificates issued under a European certification scheme are valid in all member states. The proposal seems to allow for issuing of certificates by private as well as public parties. Supervision of the issuing of certificates is performed by national accreditation bodies, in accordance with EU Regulation No. 765/2008. If a certification scheme requires a high level of assurance, there is a strengthened role for public bodies (Art. 44).
A European cyber security certificate is not mandatory under the Regulation. As there are no harmonised European rules in this respect, member states have (within certain limits) the possibility of introducing mandatory certification. A European hotchpotch of mandatory and non-mandatory certification might therefore very well still come about.
Every member state must appoint one or more national cyber security authorities. These are responsible for supervision and they play a role in issuing certificates under those European certification schemes that supervise the ‘high’ risk class. Citizens and companies have the right to submit a complaint to them regarding certificates issued by them, or under their supervision (Art. 53a).
Dutch risk model and cyber security quality mark
In parallel to the European developments, there have been initiatives to develop a Dutch risk model and cyber security quality mark. The Centre for Crime Prevention and Safety (CCV) has taken the lead in this respect, in collaboration with the Dutch Association of Insurers, VNO-NCW, MKB-Nederland, CIO Platform Nederland, Nederland ICT, Cyberveilig Nederland and Partnering Trust. The government (Ministry of Economic Affairs and Climate Policy, Ministry of Justice and Security, and the national police) also supports this initiative, which is based on the success of the Improved Classification of Risk Class (Verbeterde Risicoklassenindeling, VRKI) for the security and insurance of real estate.
The positions of the European and Dutch initiatives vis-à-vis each other are still unclear. The reason for this is partly that concerns about the exact meaning of the proposal, which we described in a previous contribution, have not been addressed yet.