A new certification framework for connected devices, together with a stronger role for the EU Cybersecurity Agency, was backed by Industry Committee MEPs on Tuesday.
The EU cybersecurity scheme will certify that an ICT product, process or service has no known vulnerabilities at the time of the certification’s release and that it complies with international standards and technical specifications.
Cybersecurity certification framework
Certification will be voluntary or, where appropriate, mandatory, and will prove:
- confidentiality, integrity, availability and privacy of services, functions and data,
- that services, functions and data can be accessed and used only by authorised persons and/or authorised systems and programmes,
- that processes are in place to identify all known vulnerabilities and deal with any new ones,
- that products, processes or services are designed to be secure and that they are fitted with up-to-date software without any known vulnerabilities,
- that other risks linked to cyber incidents, such as risks to life or health, are minimised.
The certification scheme will specify three risk-based assurance levels:
- basic, meaning the appliance or device is protected from the known basic risks of cyber incidents,
- substantial, meaning known risks of cyber incidents are prevented and there is also capability to resist cyber-attacks with limited resources and
- high, meaning risks of cyber incidents are prevented and the appliance or device is able to resist state-of-the-art cyber-attacks with significant resources.
A stronger mandate for ENISA
The new draft rules will give a larger budget, more staff and a permanent mandate to the existing European Agency for Network and Information Security (ENISA), with its headquarters in Heraklion and offices in Athens.
In addition, ENISA will become the reference point on the cybersecurity certification scheme, in order to:
- avoid fragmentation of certification schemes in the European Union,
- draft candidate EU certification schemes for specific products, at the request of the European Commission,
- maintain a dedicated website with all relevant information on certification schemes, including that on withdrawn and expired certificates.
Rapporteur Angelika Niebler (EPP, DE) said: “Today’s vote is a very important step towards a long-term vision of cybersecurity in the EU for two reasons. Firstly, from the perspective of consumers, it is important that users have trust and confidence in IT solutions. Secondly, I strongly believe that Europe can become a leading player in cybersecurity. We have a strong industrial base and it is vital to continue working on improving cybersecurity for consumer goods, industrial applications and critical infrastructure.”
The draft report, approved by 56 votes to 5 with 1 abstention, will constitute the EP’s position for the negotiations with the Council, if it is approved by the full house during September’s plenary session.