Is certification the answer to cyber risk mitigation in Europe?

Speakers: Junger Jean-François, Mitchell Chris, France Jon, Chetali Boutheina, Tafra Tamara
Moderator: Grassia Paolo

We are most pleased to invite you to participate in an evening of discussion on the question of EU cybersecurity certification as a primary tool to mitigate cyber risks in Europe with our distinguished speakers

  • Mr Jean-François Junger, Deputy Head of Unit, Cybersecurity Technology and Capacity Building, European Commission,
  • Ms Tamara Tafra, Counsellor, Cyber Issues, Permanent Representation of Croatia,
  • Mr Jon France, Head of Industry Security, Technology, GSMA and
  • Professor Chris Mitchell, Department of Information Security, Royal Holloway, University of London.

Dr Boutheina Chetali, Security and Certification Senior Expert, Huawei, will hold an introductory speech.

The debate will be moderated by Mr Paolo Grassia, Director of Public Policy, ETNO.

This event was kindly sponsored by

Promoting ongoing awareness of the

About the debate

Over the last three years, EU institutions have incrementally increased their focus on the question of cybersecurity and cybersecurity requirements. This process culminated this year with the adoption of the Cybersecurity Act. This piece of legislation aimed at further empowering ENISA as the EU Cybersecurity Agency, and at starting the process of establishing a risk-based cybersecurity framework which would enable the creation of EU certification schemes. The Commission consequently adopted a Recommendation which identified a number of actions to ensure an EU-wide approach to 5G networks and resulted in a report released by the NIS Cooperation Group, composed by EU member states’ cybersecurity experts, in cooperation with the European Commission and ENISA. This report identifies the main cyber threats and actors, the most sensitive assets, as well as key vulnerabilities and strategic risks and it will be used as a basis to create an EU toolbox of possible measures for risk mitigation.

The reasons behind this regulatory and policy dash are multiple and encompass several overarching features of cybersecurity. First of all, the speed of innovation, as well as its scope and expected impacts at the European and international level have valuably increased, with special regard to the prospect of a mass use of 5G technologies. In addition, the very nature of information and communication technology is evolving swiftly, as 5G will not only increase the speed and responsiveness of wireless networks, but it will also mark a further shift from a hardware to a software-centred technology with multiple layers of possible patching and interaction. Moreover, European Institutions have been concerned with both the recent evolutions of the international arena and the European industry struggle to keep pace with the innovation of mobile network operators and their suppliers worldwide, as well as with manufacturers of connected devices and related service providers.

Against this background, the debate at a European level is increasingly focused on the question of cybersecurity certification as a primary tool of cyber-risk mitigation. Indeed, in accordance with the Cybersecurity Act, the related Commission’s recommendation indicates “third-party certification for hardware, software or services, formal hardware and software tests or conformity checks, processes to ensure access controls exist and are enforced, identifying products, services or suppliers that are considered potentially not secure” as primary measures to secure the EU cyberspace. Experts and commentators are divided about the very issue as while some have pointed at certification as an effective measure to bring about high-level common standards both across the EU and internationally, others have highlighted the risks of adopting a policy approach which would not allow to keep the pace of innovation. Furthermore, other concerns were raised regarding the continuation of fragmentation, as member states are, according to the current legal setting, ultimately responsible for national security and cybersecurity information exchange, as well as regarding the lack of diplomatic willingness to reach a global consensus on cybersecurity requirements.


This event will be held under the Chatham House Rule. Participants are free to use the information received but neither the identity nor the affiliation of the attendees may be revealed. For this reason, unless explicitly authorised by PubAffairs Bruxelles, the filming and/or the recording of the event by any means are strictly forbidden.

The event will commence with a welcome drink at 7.00 pm, followed by a panel debate at 7.30 pm. After the panel debate there will be an opportunity for questions and discussions.

We look forward to seeing you at 7.00 pm on the 19th of November 2019 at The Office, rue d’Arlon, 80, Brussels.

All our debates are followed by a drink in a convivial atmosphere.

Follow the discussion on Twitter

#Cybersecurity, #DigitalEU, #ENISA, #CybersecurityAct, #NISdirective