On March 12, 2019 members of the European Parliament approved the Cybersecurity Act. It establishes an EU-wide certification scheme for products, processes and services to guarantee they meet common minimal EU cybersecurity requirements.
The Cybersecurity Act is a fundamental component of the EU Cyber Strategy and complements the European Directive on Network and Information Security (NIS). Unlike the NIS directive, the Cybersecurity Act is a regulation, which means that it is enforced automatically in all EU member states 20 days after its publication in the EU Official Gazette. The regulation proposal still has to be approved by the European Council.
While the first part of the regulation addresses the new role of the European Network and Information Security Agency (ENISA), Articles 46 to 65 set out the framework for cybersecurity certification.
Many EU member states have already developed and adopted national cybersecurity certification schemes. In the UK the British Standard Institute develops many standards for process and product certification; France has the Certification de Sécurité de Premier Niveau des Produits des Technologies de l’Information (CSPN); Germany has developed the “Cybersecurity Made in Germany” (TeleTrusT) seal. All these schemes are recognized only at national level, so they have little or no value outside their own countries.
The introduction of the Cybersecurity Act will permit the development of European Certification Standards and accreditation schemes for evaluators and certification labs. The framework will not be implemented immediately: a working program will be issued within 12 months.
The act will not define a certification scheme, but only a framework. Certification schemes will have to be developed and issued by ENISA over time. We expect many certifications will be released, covering different products, technologies and services. The list of product and service categories that might require certification because of their relevance in cyberspace is potentially very long, and developing certification standards for them might require a lot of time and effort. Some products might get higher priority: medical devices, self-driving cars and cloud services for operators of essential services could be at the top of ENISA's list.
The idea behind the adoption of a certification framework is to promote the concept of security by design. It is a simple concept, so simple that in cybersecurity and digital services it might be a revolution. Over five decades we have been used to thinking about cybersecurity as a separate domain, something to “add” to digital infrastructures and services to make them secure. We identify cybersecurity experts, cybersecurity products, cybersecurity teams, cybersecurity controls and we tend to forget that cybersecurity is just an aspect, a characteristic of digital services and information systems.
As we cannot conceive of an airplane that is not safe, we should not conceive a digital service that is not secure by design. The security of an aircraft is an intrinsic concept: no one will ever start thinking about a new plane that is not safe; it is non-negotiable. Security is not “bolted-on” to the aircraft at the end of the production line, but is built-in, in every component, every wire, every material. The same is true for cybersecurity. The reality is that most IT products and services are designed without considering their cyber risk exposure: making them secure at a later stage is not only very expensive, but very ineffective. A product that has not been designed and developed with cybersecurity as a priority will never be a secure product. The same is true for services, in particular in a period where cloud services are becoming mainstream and widely adopted by citizens and small to medium-sized enterprises.
If we don’t start immediately to design new technologies and services with cybersecurity built-in, the risks to our connected economy and society will become unaffordable, in particular because of the deep penetration of new technologies in every aspect of modern society.
With the proliferation of connected devices and the Internet of Things (IoT), the risk is increasing exponentially. Many companies entering the digital market add digital features to their products with limited internal digital capabilities and often no cybersecurity skills at all.
While the Cybersecurity Act is an important step forward to better protect digital society, it is not enough. It is just the first step of a long journey. Product certification is not mandatory and it is not clear who will be in charge of forcing device manufacturers, software developers, system integrators and service providers to comply with EU standards in order to be certified.
If certification remains voluntary, as it is now, companies will have no interest in certifying their products. Product certification is expensive and might hurt the competitiveness of a product or service. Mandatory certification is the only way to avoid this competitiveness issue, as all companies would be forced to go through the same certification process. Wide adoption of certification would also reduce the cost of testing by enabling economies of scale. There would also be an indirect effect: good cybersecurity practices would become commonly available, and therefore cheaper than they are now. Wide adoption is also key to securing complex products and services. A certified self-driving car is the result of combining and integrating thousands of different components that need to be certified too: a self-driving car cannot be secure unless all its components are secure as well. The same applies to service providers that serve companies, including operators of essential services. Certifying complex products and services will require certification of the whole supply chain.
For these reasons it is important not to waste any more time and to start developing product and service certification as soon as possible, making them mandatory for selected devices like medical devices, airplanes and drones, self-driving cars, etc.
In this strategy, a key element is missing: bringing a cybersecurity culture into company boards and into the engineering and development departments of European companies. For cybersecurity to be built-in rather than bolted-on, we need to give cybersecurity skills to non-cybersecurity experts. Of course we need to increase the number of cybersecurity experts, but we also need to raise the cybersecurity skills of engineers, process designers, product developers, managers, CEOs, HR staff, etc. Without this additional element, the risk is that the Cybersecurity Act will become a good piece of legislation with limited or no impact.