EU Cybersecurity Act
ETSI Security Week 2019
18 June 2019, ETSI, Sophia Antipolis
Ioannis Askoxylakis, Cybersecurity Policy Officer, Unit H1: Cybersecurity Technology & Capacity Building, Directorate H: Digital Society, Trust and Cybersecurity, Directorate General for Communication Networks, Content & Technology (DG CONNECT), European Commission
The EU Cybersecurity Certification Framework
Agenda
Context
Introduction
Cybersecurity Certification Schemes
Certification and Conformity self-assessment
The lifecycle of a European Cybersecurity Certification Scheme Plan, Request, Prepare, Implement, Review
Important Policy Aspects
State of Play
Building EU Resilience to cyber attacks
Reformed ENISA
EU Cybersecurity Certification Framework
NIS Directive Implementation
Rapid emergency response – Blueprint & Cybersecurity Emergency Response Fund
Cybersecurity competence network with a European Cybersecurity Research and Competence Centre
Building strong EU cyber skills base, improving cyber hygiene and awareness
Creating effective EU cyber deterrence
Identifying malicious actors
Stepping up the law enforcement response
Stepping up public-private cooperation against cybercrime
Stepping up political and diplomatic response
Building cybersecurity deterrence through the Member States' defence capabilities
Strengthening international cooperation on cybersecurity
Promoting global cyber stability and contributing to Europe's strategic autonomy in cyberspace
Advancing EU cyber dialogues
Modernising export controls, including for critical cyber-surveillance technologies
Continue rights-based capacity building model
Deepen EU-NATO cooperation on cybersecurity, hybrid threats and defence
The EU Cybersecurity Certification Framework in context
Cybersecurity Act
Joint Communication on “Resilience, Deterrence and Defence: Building strong cybersecurity for the EU”, JOIN/2017/0450
What's new with the Cybersecurity Act?
Adequate Resources
Permanent Status
Focused Mandate
The EU Cybersecurity Certification Framework
Introduction
The digitalisation of our society leads to greater need for cyber secure products and services.
Cybersecurity certification plays an important role in increasing trust in digital products and services.
A common European approach to cybersecurity certification is an important part of the Digital Single Market.
The Cybersecurity Act establishes the European cybersecurity certification framework.
The Framework enables the creation of tailored, voluntary European Cybersecurity Certification Schemes for ICT products, services and processes. One Framework, many schemes.
Benefits… for citizens/end users
NOW
Difficult to distinguish between more and less secure products/services
Co-existence of schemes makes comparison difficult…
…end-users (OES, operators of essential services) refrain from buying certified products/services
FUTURE
More information on the security properties of products/services ahead of purchase
Greater incentive for OES to buy certified products/services
Increased cyber resilience of critical infrastructures
…As end-users of digital solutions, governments would rely on an institutional framework to identify and express priority areas needing ICT security certification.
…For vendors/providers
• The possibility to obtain cybersecurity certificates that are valid across the EU would:
– Generate higher incentive to certify and enhance the quality of digital products/services
– Enhance competitiveness through reduced time and cost of certification
– Help gain access to market segments where certification is required
– Contribute to promote a chain of trust between vendors and end-users
• For SMEs and new business…
– Elimination of a potential market-entry barrier
The EU Cybersecurity Certification Framework
Introduction - Key features
One Framework, many schemes. Tailored and Risk based schemes
Open, inclusive and transparent
Builds on EU acquis on accreditation and market surveillance, standardization
Reinforcing an EU-wide approach and building trust with peer reviews
A modern cybersecurity certification framework:
Certification of ICT processes (e.g. secure development lifecycle, vulnerability handling and disclosure, provision of updates);
Supplementary information such as guidance on secure configuration and use, security contact points for security researchers;
International best practices in certification scheme structure
The EU Cybersecurity Certification Framework
Cybersecurity Certification Schemes
Security Objectives
Assurance levels: Basic, Substantial, High
Elements of a cybersecurity certification scheme include:
Scope - product/service or category(ies) thereof
references to the international, European or national standards and to technical specifications
one or more assurance levels
conditions for the mutual recognition of certification schemes with third countries;
European Cybersecurity Certification Scheme (Basic, Substantial)
Elements of the Scheme (incl. product category, assurance level): Scheme Governance, Certification Procedure, Product Requirements
EU level: an EU Certification Scheme, which specifies the evaluation process and refers to international, EU and national standards/technical specifications
Member State level: National Cybersecurity Certification Authority (authorises and notifies), National Accreditation Body (accredits), Conformity Assessment Body (evaluation facility)
1. Evaluates (applies the evaluation process to assess the product's conformity with the product requirements)
2. Certifies conformity
4. Certificate is recognised in the EU
European Cybersecurity Certification Scheme (High)
Elements of the Scheme (incl. product category, assurance level): Scheme Governance, Certification Procedure, Product Requirements
EU level: an EU Certification Scheme, which specifies the evaluation process and refers to international, EU and national standards/technical specifications
Member State level: National Cybersecurity Certification Authority, National Accreditation Body (accredits)
1. Evaluates (applies the evaluation process to assess the product's conformity with the product requirements)
2. Certifies conformity
4. Certificate is recognised in the EU
The EU Cybersecurity Certification Framework
Certification
The cybersecurity certification shall be voluntary, unless otherwise specified by Union law or Member State law.
Conformity assessment bodies shall issue European cybersecurity certificates referring to assurance level 'basic' or 'substantial'.
Where a European cybersecurity certification scheme requires an assurance level 'high', the European cybersecurity certificate under that scheme is to be issued only* by a national cybersecurity certification authority.
A European cybersecurity certificate issued pursuant to this Article shall be recognised in all Member States.
Conformity self-assessment (AL Basic only)
Elements of the Scheme (incl. product category, assurance level): Scheme Governance, Attestation Procedure, Product Requirements
EU level: an EU Certification Scheme, which specifies the evaluation process and refers to international, EU and national standards/technical specifications
Member State level: Manufacturer
1. Evaluates (applies the evaluation process to assess the product's conformity with the product requirements)
2. Attests conformity
4. Statement of Conformity is recognised in the EU
The EU Cybersecurity Certification Framework
The lifecycle of a European Cybersecurity Certification Scheme
Union Rolling Work Programme on Cybersecurity Certification
Stakeholder Cybersecurity Certification Group: advises the Commission on strategic priorities and the Union Rolling Work Programme on Certification
European Commission: requests ENISA to prepare a candidate scheme
European Cybersecurity Certification Group (Member States): advises ENISA and may propose the preparation of a candidate scheme to ENISA
ENISA: prepares the candidate scheme; consults industry, standardisation bodies and other stakeholders; sets up an ad hoc working group for each scheme
European Commission: adopts* the candidate scheme
The EU Cybersecurity Certification Framework
Lifecycle stages (the same diagram is shown once per stage, with that stage highlighted): Plan, Request, Prepare, Implement and Review (Annual Union Rolling Work Programme on Cybersecurity Certification)
The EU Cybersecurity Certification Framework
Important Policy Aspects
Standardisation
Cybersecurity Certification and Regulation
International aspects and Trade
Strong Preference for International Standards
Technical specifications developed by US-domiciled standards development organisations may be taken into consideration
Respect for WTO rules
The EU Cybersecurity Certification Framework
State of Play
Entry into force June 2019, followed by:
First request to ENISA
Establishment of the ECCG (invitation to Member States) and the SCCG (call for experts)
Launch public consultation on the URWP on Cybersecurity Certification
Cybersecurity Act in a nutshell
A voluntary European cybersecurity certification framework… to enable the creation of tailored EU cybersecurity certification schemes for ICT products, services and processes… that are valid across the EU
Thank you for your attention!