New EU measures to reduce cyber security risk
Europe is more than ever exposed to cyber security threats. Already in 2016 it was projected that cybercrime will cost the world 6 trillion USD annually by 2021.[2] According to the EU Commission, 80% of European companies experienced at least one cybersecurity incident in 2017, and security incidents across all industries rose by 38%.[3] The numbers are only increasing, and several Norwegian businesses have experienced serious cyber-attacks in the past years.
Norway’s preliminary position is that the Act is EEA relevant. Norwegian manufacturers, suppliers and relevant procurement departments should thus monitor and prepare for EU-wide cybersecurity certification schemes.
The Cybersecurity Act
The Cybersecurity Act establishes an EU-wide certification framework to ensure a common cybersecurity certification approach in the European internal market.[4] This will ultimately improve cybersecurity in a broad range of digital products (e.g. Internet of Things), services and processes, increase transparency of cybersecurity assurance levels and help end-users make informed choices. The Act will also strengthen the European Union Agency for Cybersecurity (ENISA), by granting the agency a reinforced and permanent mandate.
The certification framework
The overall purpose of the EU-wide framework set out in the Cybersecurity Act is to secure harmonisation, to avoid fragmentation and conflicting certifications in the internal market, and to reduce costs.
The framework creates a mechanism and a consistent set of rules for establishing various EU-wide cybersecurity certification schemes for specific groups of ICT products, services and processes. Among other things, such certification schemes must describe their purpose and define a clear scope, including the ICT products, services and processes that are covered. The Act also requires the schemes to list specific evaluation standards, provide information on supported assurance levels and indicate whether organisations can self-certify.
ENISA, with the assistance of national experts, will prepare the technical ground for the certification schemes. According to the Act, the certification schemes should build on existing European or international standards. ENISA is therefore likely to compile and apply current standards, providing additional guidance details, instead of creating new ones. The certification schemes developed by ENISA will be adopted by the European Commission through implementing acts.
The certificates, which will be recognised in all EU member states, will attest that ICT products, services and processes are in accordance with the relevant schemes and thus that they comply with certain cybersecurity requirements.
The Cybersecurity Act does not currently make the certification schemes compulsory. However, the European Commission will assess the possible need for mandatory certification for certain product categories and services. In any case, the certification schemes will make it easier to trade across borders and for businesses and consumers to understand the security features of the products, services and processes.
National certification schemes for ICT products and services that are covered by an existing European certification scheme will cease to produce effects, cf. article 57(1), from the date set by the implementing decision by which the scheme has been adopted, cf. article 49(7). Article 57(2) states that “Member States shall not introduce new national cybersecurity certification schemes for ICT products, ICT services and ICT processes already covered by a European cybersecurity certification scheme that is in force.” Certifications already issued in compliance with national certification schemes will be valid until their expiry date, cf. article 57(3).
The cybersecurity certification framework might provide certification schemes useful for fulfilling security requirements in the General Data Protection Regulation, cf. art. 32 and art. 42. The certification schemes may also prove useful when fulfilling security requirements in the EU directive on security of network and information systems (NIS directive).[5]
ICT products, services and processes
According to the Cybersecurity Act article 2(12), an “ICT product” means an element or a group of elements of a network or information system, such as computers and network elements. According to article 2(13), an “ICT service” means a service consisting fully or mainly in the transmission, storing, retrieving or processing of information by means of network and information systems, such as cloud computing and storage services. An “ICT process” is a set of activities performed to design, develop, deliver or maintain an ICT product or ICT service, cf. article 2(14).
In addition to traditional ICT products, such as computers, emerging technologies are also included in the scope of the Act. Both consumer IoT devices, such as smart thermostats, and connected devices used in cars, airplanes, medical devices, power plants and other infrastructure elements are included.
Manufacturers, service providers, businesses and consumers will benefit from the new Act
Even though the EU cybersecurity certification schemes will not be compulsory, the use of certifications will increase trust and security in products, services and processes, and the schemes are thus expected to be used. Certified products, services and processes should be regarded as a competitive advantage for manufacturers, service providers, the industry and consumers alike.
Businesses that develop and sell ICT products will benefit from the certifications, as it will be easier to demonstrate to their customers that their products are appropriately secure and have been developed following best practices, not only within their own country, but across the EU.
For the businesses and consumers purchasing ICT products, the certifications will make it easier to choose products that are secure and have been developed in accordance with best practices. ENISA will be a useful source for guidance on safe use, vendor cybersecurity warranties, etc.
What are businesses to do now?
The Norwegian Government’s preliminary position is that the regulation is EEA relevant, although it is currently not clear if and when the Cybersecurity Act will be implemented in Norway. However, Norwegian industry will in any case compete with European businesses that make use of the certification schemes. Manufacturers, suppliers and relevant procurement departments in Norway should thus monitor the continued development of the certification schemes within the EU. They should also prepare for implementation of the certification schemes in relation to their respective businesses by reviewing their current ICT products, services and processes against widely accepted international standards and security-by-design principles.