You need only look around you to see that the number of connected devices is increasing exponentially. Watches, TVs, fridges, coffee machines, speakers… If they are not “smart” and connected to some type of network, there is a greater chance of finding them in an antique store than in the average Western household.
Greater connectivity comes with greater cybersecurity risk, which threatens not only the functionality and availability of the connected services but, more importantly, the confidentiality and security of the underlying data.
It is against this backdrop that the European General Data Protection Regulation (GDPR) became applicable in May 2018. With possible fines of up to 4 percent of an organization’s global annual turnover, this legislation has forced a reassessment of the risks arising from the processing of personal data.
But when is the technology used to process this data “safe enough”? Many companies struggle to find objective standards to determine the level of security of Information and Communication Technology (ICT) products, services or processes – standards that will justify their use of the technology in the event something goes wrong.
This uncertainty is one of the problems that the European Union wanted to solve with its recent Cybersecurity Act. This regulation, which entered into force on June 27, 2019 and which is directly applicable in all EU Member States, creates an EU-wide cybersecurity certification framework for ICT products, services, and processes. Furthermore, it renews and reinforces the mandate of the EU’s cybersecurity agency, ENISA, and defines its specific role and tasks.
While the GDPR focuses on Data Protection by Design, which has both privacy and security components, the EU Cybersecurity Act focuses on Security by Design. These are focus areas that we also see in the United States, where guidance for managing IoT cybersecurity and privacy risks was recently published by the National Institute of Standards and Technology (NIST).
The cybersecurity certification framework is in line with the European Union’s Cybersecurity Strategy and the Commission’s Digital Agenda. These aim to harmonize the EU’s digital ecosystem so as to better exploit the potential of ICT in order to foster smart, sustainable, and inclusive innovation, economic growth and progress in Europe.
ICT designers and manufacturers now have the opportunity to benefit from an EU-wide cybersecurity certification that could significantly increase trust in their products, services and processes. Certification is voluntary, unless otherwise specified by EU or Member State law, and the Act explicitly requires the European Commission to assess, at least every two years, whether a particular certification scheme should be made mandatory (with December 31, 2023 as the deadline for the first such assessment).
The EU Cybersecurity Act introduces three assurance levels: basic, substantial, or high. These levels reflect the risk associated with the intended use of the ICT product, service or process, in terms of the probability and impact of an incident. Each assurance level determines the security functionalities to be assessed and the corresponding rigor and depth of the assessment.
Manufacturers or providers of ICT products, services and processes that present a low risk, corresponding to the ‘basic’ assurance level, may issue a statement of conformity based on a self-assessment. Where there is no such self-assessment, or the assurance level is ‘substantial’ or ‘high’, the certification procedure is carried out by an independent third party. The certification scheme should indicate whether that third party should be a private or public conformity assessment body or a national cybersecurity certification authority.
Will cybersecurity certification make an ICT product, service or process absolutely secure? No, obviously and unfortunately not. The conformity assessment attests only that the product, service or process has been evaluated and that it complies with certain cybersecurity requirements (e.g., technical standards) at the time of assessment.
But cyber attacks continue and cyber risks evolve, which is presumably why certificates will be issued only for a limited period. Furthermore, the authority or body that issued the certificate must be notified of any subsequently detected vulnerabilities or irregularities concerning the security of the certified ICT product, service, or process that may affect its compliance with the certification requirements. That body must in turn forward the information without undue delay to the national cybersecurity certification authority concerned.
To give this legislation teeth, EU Member States are expected to impose penalties for infringing the European cybersecurity certification schemes as from mid-2021. Such penalties should be “effective, proportionate, and dissuasive”.
It remains to be seen whether the ICT market will react favorably to this initiative, which is intended to ensure and increase trust in ICT products, services and processes. Even in cyberspace, the proof of the pudding is in the eating…