News & Publications

Latest news

  • 19 December 2018 - Press releases

    About EU Cybersecurity Competence Centre: Eurosmart expresses its satisfaction with Julia Reda’s ITRE Draft Report

    Eurosmart recommends a consistent EU cybersecurity policy and a fair and transparent functioning of the Competence Centre

    Eurosmart is committed to proposing secure solutions during the Digital Age. On the 13th of September, the proposal adopted by the European Commission was warmly welcomed by the Eurosmart community. The EU competence center (ECCC) and its related European network, like the 660 cybersecurity labs, should capitalize on existing initiatives such as the four Cybersecurity pilot projects within H2020, which aim at increasing the resilience of the European Economic Area (EEA). Eurosmart wishes co-legislators to provide an approach even more consistent with the other EU Cybersecurity activities, i.e. the NIS Directive, the Cybersecurity Act, the Digital Europe and Horizon Europe programmes, ePrivacy, GDPR etc.

    In this sense, Eurosmart endorses Reda’s draft report tabled in the ITRE Committee last week. The association and its members paid particular attention to the proposals made by the Rapporteur on the ECCC mission: some of its objectives shall be financed through dedicated programmes and cascading funding (i.e. Digital Europe and Horizon Europe). According to the Eurosmart vision, the Competence Center should not be only a means of redistributing European public funds: a more holistic setting must be supported. The ECCC should therefore be the place encouraging EU stakeholders to get involved in defining an efficient EU industrial cybersecurity policy. Eurosmart sponsors the following proposals:

    Promoting the “State-of-the-Art” and “Security by default and by design” principles

    EU cybersecurity policy is unique: respect for private life and security in the digital world are more advanced principles in Europe than elsewhere. This is a real asset for European citizens, who can benefit from reliable technology. For European industry and the research community, it also represents a golden opportunity to demonstrate and improve their know-how. Eurosmart is convinced that the ECCC and its community will help the Research and Technology Organisations (RTOs), industry, public authorities, regions, citizens and all relevant actors to make the European Cybersecurity Single Market a great success. It could be the right way to finally develop Europe-based solutions rather than relying on non-EU technologies.

    For these reasons, Eurosmart welcomes the proposal to push for the “State-of-the-Art” and “Security by default and by design” principles when developing the EU standardisation approach. Nevertheless, more attention should be given to the standardisation and certification aspects as envisaged in Arndt Kohn’s draft report, adopted in the IMCO Committee. Members of Eurosmart urge co-legislators to consider the development of candidate certification schemes in the framework of the Cybersecurity Act. The upcoming scheme must provide a level of quality and robustness that reduces the exposure of products on the EU market to potential attack.

    ECCC and the collaboration with the 660 cybersecurity labs in the Member States

    The future Competence Center cannot be an additional layer to the European Cybersecurity policy; stakeholders expect an integrated approach. Several initiatives already exist at the EU level, and the European Competence Center can become the meeting point for stakeholders to better collaborate. For instance, Eurosmart expects an intensive collaboration between the ECCC and the 660 cybersecurity labs in the European Economic Area, as well as a deep cooperation with other institutions, like EUCCG, ENISA, PSG, JRC, EU-CERT and others. In addition, a better approach can be proposed in terms of defining the future of the European Standards. This work could be backed by the ECCC in close collaboration with CEN/CENELEC, ENISA and the MSP for standardisation.

    A better inclusion of SMEs in Security Market: they represent a strong suit of the European cybersecurity ecosystem

    Their mention from the beginning of the legislative text makes cybersecurity actors understand their importance. SMEs hold a big part of the industrial Cybersecurity know-how by gathering a large community of experts. The entire industrial cybersecurity value chain relies on this community, which deserves to be fostered. Their inclusion among the direct beneficiaries of financial support by the Competence Centre will make the community benefit from their knowledge.

    On the other side, we see innovative start-ups often lacking resources to correctly implement the cybersecurity “State-of-the-Art” requirements. They should have easy access to qualitative EU cybersecurity certificates and benefit from cascading funding. We strongly encourage co-legislators to include this dimension into the current regulatory process.

    The presence of associations of SMEs and European Standardisation Organisations, as laid down in the IMCO Draft Report, represents an added value for the Centre.

    Accountability and fair representativeness within ECCC bodies.

    Eurosmart supports a fair representativeness of stakeholders in the Industrial and Advisory Board. In this regard, we particularly welcomed the proposal from the rapporteur Reda to achieve a balanced and fair representation of stakeholders. Eurosmart recommends going beyond this and putting the emphasis on transparency in the governing rules of the Competence Center. This future instrument will manage important EU findings and cannot suffer from any conflict of interest or privatization of the financial earmarking to the benefit of certain providers.

    In this context, we recommend that “European entities” are clearly defined, including criteria for accreditation within the ECCC Community as well as those to join the Industrial advisory board. We call on the European Parliament to back the amendment describing what a “European entity” is, as introduced by MEP Arndt Kohn in his IMCO draft opinion. Eurosmart urges members of the Parliament to go further and establish clear thresholds regarding categories represented in the Scientific Advisory board. Amongst the 16 appointed members, a fair representation must be ensured for experts coming from RTOs, SMEs, Public authorities, Region and Industry. We recommend that the governance of the Multi Stakeholder Platform on ICT standardization be used as a model. Its members are exclusively experts from NGOs and professional organizations to avoid any kind of ‘bargains’ or advantages for its members.

    Lastly, when it comes to accountability, Eurosmart suggests appointing the Director of ECCC upon the European Parliament’s advisory opinion and organizing an annual public hearing in a joint ITRE-IMCO Committee where the director would present ECCC outputs and its annual roadmap.
  • 27 November 2018 - Press releases

    Eurosmart confirms its forecasts on trends and growth drivers in all main market sectors

    Trustech | Cannes, 27th November 2019

    Eurosmart, the Voice of the Digital Security Industry, announced the 2018 figures for worldwide secure element shipments and the 2019 forecasts. The overall growth trend is confirmed in 2018 (+2,2 %) while the 2019 forecasts exceed 10 billion units (10, 360).

    Financial services

    In this sector, the overall growth of payment cards is estimated to touch + 3,2 % in 2019, which means 100 million new cards compared with those in 2018.

    This will be driven by regional mandates for chip-based payment cards and, first of all, by the demand for contactless cards. This segment is seeing strong momentum. 2018 is the first year in which contactless card shipments surpassed the contact part, with a total share of + 51,4%.

    Supported by additional countrywide mandates, the growth of the contactless segment is expected to nearly reach double digits in 2019.

    Telecom

    In an overall stable telecom market reaching 5,6 billion units in 2018, we see a continuing growth for the M2M market, driven by a push for connectivity in the automotive sector and other industrial segments.

    On the consumer side, we also forecast an accelerated adoption of embedded SIM technology following its launch on top-selling products by some leading OEMs. This adoption opens new opportunities for additional services.

    Despite the stability, the telecom market has seen a significant migration to the 4G/LTE technology thus ensuring the smooth transition to the upcoming 5G network technology.

    Device Manufacturers

    The embedded secure element is foreseen to register a double-digit growth in 2018 due to an increased demand for wearables and new generation smartphones. This is expected to continue in 2019 (+10%).

    Lastly, we are expecting the share of the NFC and SE to reach 8% of the total secure element forecast in 2019.

    Government – Healthcare

    It is also noteworthy that in the current year, emerging regions such as Africa, Middle-East and Asia are stimulating the demand as well.

    The sector pursues a steady buildout driven by new identity projects around the globe, as well as product renewals. The contactless interface continues to be the dominant choice from governments reaching 60% of share in 2018.

    “There has been a steady growth, except for telecom, in each segment of the sector. In 2018, this earned an increase of +2% with a total amount exceeding the 10 billion thresholds and has proved to be mainly driven by the EMV adoption and the secure elements for device manufacturers.”- said Stéfane Mouille, President of Eurosmart.
  • 13 September 2018 - Press releases

    Eurosmart welcomes the European Commission proposal to boost the EU cybersecurity industry by the creation of a Cybersecurity Industrial, Technology and Research Competence Centre

Latest publications

  • 11 February 2019- Position papers

    On cooperative intelligent transport systems (C-ITS)

    EUROSMART feedback on Draft Delegated Regulation on deployment and operational use of cooperative intelligent transport systems (C-ITS)

    Foreword

    Cooperative Intelligent Transport Systems (C-ITS) are an important area of development for many market players such as the automotive, telecommunication and digital security industries. The upgrade of the EU road infrastructures and all their surrounding intelligent systems is a key challenge that will enable a wide and fast development of vehicle-to-infrastructure (V2I), vehicle-to-vehicle (V2V) and infrastructure-to-infrastructure (I2I) communications, as well as increasing interactions with the whole road environment and traffic: pedestrians, cyclists etc. (vehicle-to-everything; V2X).

    C-ITS undeniably leads to a hybrid communication approach which processes a wide range of data in a very short time. For these reasons, Eurosmart pays particular attention to the way data will be transmitted and handled. Good practices from the e-call regulation should inspire all the upcoming C-ITS regulatory approaches.

    Eurosmart particularly welcomes the involvement of the Joint Research Centre (JRC) when it comes to the design of PKI to support the placing on the EU market of interoperable and compatible ITS stations. The JRC has a long track record in developing PKI, for instance in the definition of “Smart Tachograph - European Root Certificate Policy and Symmetric Key Infrastructure Policy”.

    Main points

    Eurosmart is looking forward to the definitive proposal of the European Commission for an act regulating cooperative transport systems C-ITS in the European Union.

    The Draft Delegated Regulation paves the way for a complete and better-defined framework governing ITS in the Member States, by clarifying the requirements needed to implement technologies falling into the scope of the ITS Directive 2010/40/EU.

    Eurosmart focuses on the following points:

    · Interoperability: clear and coherent communication between roads and vehicles. C-ITS market fragmentation is an impediment to road safety.

    · Solid Public Key Infrastructure allowing certified companies to securely exchange data;

    · Compatibility: investment in C-ITS is long-term, as vehicles and road-side equipment have long life cycles. Future technologies have to operate with deployed equipment preventing road safety disruption.

    · Security: resilience of the C-ITS system against information security incidents throughout the life cycle. C-ITS requires a cybersecurity infrastructure that ensures C-ITS stations can check if other C-ITS stations send truthful messages. This system shall cover vehicles and roads, no matter the country, no matter the vehicle brand, no matter the communication technology used.

    · High security on the road needs the approach of ISO/IEC 15498, concrete CC, at least EAL4+.

    · Better synergies between transport and telecom infrastructure: TEN-T Policy and CEF II 2021-2027 shall be the main contributors to trigger a joint strategy in the two sectors;

    · Harmonization: C-ITS shall not cause radio interference to electronic road charging systems already deployed in Europe or to the digital tachograph, which is mandatory in trucks in the EU.

    · A new protection profile (PP) should be deployed, to capture a uniform and long-lasting security level in the European Economic Area. A possible reference in this field could be the EU tachograph, in respect to the Regulation (EC) 2135/1998 and being used today in 52 states

    · Electrification and influence on the Smart Grid with reference to the Smart Meter Gateways in all Member States (e.g. with link to European roll-out plan), including expected secure interoperability between the Grid, SMGW, charging stations and vehicles.

    Eurosmart appreciates the Delegated Act following the hybrid communication approach outlined in the 5G Action Plan COM (2016) 588, where mature ITS-G5 short-range communication for safety critical messages is complemented with existing 4G and in the future 5G long-range communication.

    Eurosmart is also pleased that European Standardization Organisations (ESOs) have been participating in development of the European C-ITS infrastructure.

    Eurosmart undertakes to collaborate with other companies on security implementation requirements of ITS stations in the draft Delegated Act and the role of Common Criteria therein, within industrial platforms like the Car 2 Car Forum Communication, so that both security and market conditions will be met.
  • 04 February 2019- Position papers

    On Draft AI Ethics Guidelines of the High-Level Expert Group on Artificial Intelligence (AI HLEG)

    Introduction: Rationale and Foresight of the Guidelines

    On the 25th April 2018, the Commission defined in its Communication a European approach for Artificial Intelligence.

    This Communication sets out a European initiative based on a triple approach:

    1. Boost the EU technological and industrial AI uptake across the economy through investments in research and innovation and better access to data;

    2. Prepare for socio-economic changes;

    3. Ensure an appropriate ethical and legal framework.

    The Draft AI Ethics Guidelines of the High-Level Expert Group on Artificial Intelligence (AI HLEG) contribute to raising awareness of the close relationship between ethics and technological choices in the digital age. When it comes to the development and implementation of AI, the deep interrelation between ethics and technology modifies the way we usually think about technological advances by bringing together different disciplines: Ethics, Law, Technology, Industry and Cybersecurity.

    Eurosmart welcomes the European Commission initiative and the creation of the High-Level Expert Group on Artificial Intelligence. This initiative plays a key role in defining a common understanding of the challenges brought by AI. Organisations, value chains, and their related threats and opportunities will be impressively impacted; AI’s incidence on the cyber-resilience of our continent must be conscientiously analysed. AI is also challenging both the values and the governance of the European Union.

    Definition of AI

    Eurosmart supports the provided definition of what Artificial Intelligence is. This first achievement of the High-level Expert Group on Artificial Intelligence is a milestone in defining common rules to make citizens, governments and businesses benefit from trustworthy AI.

    “Artificial intelligence (AI) refers to systems designed by humans that, given a complex goal, act in the physical or digital world by perceiving their environment, interpreting the collected structured or unstructured data, reasoning on the knowledge derived from this data and deciding the best action(s) to take (according to pre-defined parameters) to achieve the given goal. AI systems can also be designed to learn to adapt their behavior by analysing how the environment is affected by their previous actions.

    As a scientific discipline, AI includes several approaches and techniques, such as machine learning (of which deep learning and reinforcement learning are specific examples), machine reasoning (which includes planning, scheduling, knowledge, representation and reasoning, search, and optimization), and robotics (which includes control, perception, sensors and actuators, as well as the integration of all other techniques into cyber-physical systems)”

    Based on this definition, the European legislator and the industrial and scientific community must nurture an ambitious approach to develop reliable AI based on the European technical know-how and on our common values in reference to the Charter of Fundamental Rights of the European Union.

    Can AI be considered as a product placed on the market?

    The accompanying document to the Draft AI Ethics Guidelines entitled “A definition for AI” describes what AI is made of (figure 2). Even if the provided elements are a very crude oversimplification of the state of the art, they do have the merit of highlighting several essential technologies which underlie AI.

    - Machine learning is composed of data and their processing.

    - Robotics is mainly hardware oriented.

    - Reasoning involves embedded software.

    From the industrial point of view and regarding the future market evolutions, Eurosmart wonders if AI could be considered as a product in the meaning of the EU Single Market related legislations. As a product, the 1985 Product liability Directive 85/374/EEC would apply.

    The benefit of this directive lies in its balanced approach between the free movement of goods within the Union, the protection of citizens’ safety and the empowerment of the economic actors. For a given product, the full liability is placed on the producer, the importer or the distributor of products. The same approach could apply to AI, with the support of international and European standards.

    Chapter I: Respecting Fundamental Rights, Principles and Values - Ethical Purpose

    Is AI a Dual use?

    Eurosmart underlines that a technology cannot inherently be ethical. It is the way the technological application is developed and implemented that defines its ethical aspect. Considering that this technology could be used at both civilian and military levels, for peaceful and military aims, AI could be a dual-use technology in the sense of the Wassenaar Arrangement. Deep competences and full mastery of AI technology are crucial for the digital sovereignty of our continent. Eurosmart enjoins the High-level Expert Group on Artificial Intelligence and the Commission to further analyse this issue. Dual use can also be seen from the side of the attacker, in cyberattacks combining human and computer, as well as from the side of the defender against cyberattacks, for example in industry and in governments. Two examples: Intrusion Detection Systems (IDS) with a learning function in industry, and chatbots in public services.

    Protection of Personal Data is a major ethical aspect

    Eurosmart supports the approach adopted by the AI HLEG, which is underpinned by the European values and the Charter of Fundamental Rights. These common values have inspired all the data privacy and all the Digital Single Market legislation. We recommend working on a more comprehensive statement based on Article 8, “Protection of Personal Data”. This article allows citizens to benefit from their personal data as an inalienable freedom and places the respect of this rule of law under the protection of an independent authority. We recommend that both ethical and technical aspects be carefully monitored and guaranteed by an independent and trustworthy third party. This shall be a key principle when designing and placing on the market any AI solution.

    Chapter II: Realising Trustworthy AI

    Standards

    The document mentions technical and non-technical methods to achieve Trustworthy AI. Standards are put forward to ensure that qualitative and trustworthy solutions are indicated to consumers, actors and governments.

    Due to the sensitive nature of AI, standards must be carefully handled. The European Union should not enshrine in law any “private” standards or unilaterally business-driven initiatives which could lead to an imbalanced power relationship. It must be considered that AI technologies will grow fast; such an approach would deter innovation. Eurosmart enjoins the AI HLEG to rely on European and International standards to support the AI take-off. The work of the European Standardisation Organisations (ESOs) should be recognised as the primary reference for a trustworthy AI development. Eurosmart recommends referring to the Multi-Stakeholder Platform (MSP) for Standardisation while developing priorities for AI in the Annual standardisation rolling-plan. Both the AI HLEG and the European Commission must pay attention to international standards for AI which are under development (ISO/IEC WD 22989) and standards resulting from ongoing work in ISO/IEC JTC 1, SC 42 on Artificial intelligence, as suggested and highlighted by CEN-CENELEC in their response to this consultation.

    Data processing and anonymization

    Anonymisation of data must be effective and of non-temporary nature. The anonymisation mechanisms should not be “deconstructed” by AI.

    Personal data should be strictly anonymised once they are merged into a large data set. This process should also apply to meta-data, since they are blended with traditional personal records. AI has the capability to de-anonymize the same information based on inferences from other devices. Therefore, voice recognition and facial recognition could potentially compromise anonymity in the public sphere. In this regard, the distinction between personal and non-personal data should be clearly defined in the draft guideline and shall comply with the rules enacted in the regulation (EU) 2018/1807 on the free flow of non-personal data when it comes to anonymized and scrubbed data. The draft AI guideline should provide at least some insights to better understand how to handle data processing with such a requirement level.

    The European Data Protection Board (EDPB) should also issue a concrete contribution through Guidelines on AI compliance with the GDPR. Moreover, as foreseen by GDPR, certification schemes for AI should be prepared. It is deemed necessary for producers and importers of AI solutions in the European Union.

    Chapter III: Assessing Trustworthy AI

    A Cybersecure approach is more than necessary

    Assessing Trustworthy AI cannot dispense with the definition of security requirements. The guidelines mention mainly safety-driven concepts and requirements, which is not enough to protect the assets of AI solutions and devices. Cybersecurity is key to preventing potential attacks and managing the protection of critical assets. AI cannot be assessed against a safety concept whose targets of evaluation are static. Therefore, we strongly recommend penetration tests by humans as a fundamental component for assessing AI, to verify and stabilize the robustness of the most critical AI applications.

    Moreover, robustness of AI implies resilience as well as reliability and reproducibility.
    Eurosmart supports the promotion of a cyber-resilient network in the Union to guarantee security by design and a functional assessment for edge-computing devices.

    Third party certification

    The international and European standards mentioned in the second chapter can be used to perform third-party certification. The European Cybersecurity Certification framework should be mentioned as the primary reference to assess trustworthy AI, and the European Commission shall make it a priority in the upcoming Union rolling work programme for cybersecurity certification schemes.

    General Comments

    Eurosmart strongly supports AI-HLEG’s big step forward to define a common understanding for trustworthy AI. This initiative paves the way to AI development in respect of the European values in terms of data protection, privacy and cybersecurity.

    Eurosmart highlights the need to mention and to recognise the work of ESOs for a real EU added-value in terms of AI standardisation.

    Based on these standards, a real effort shall be made to assess the upcoming AI solutions. The European Union is currently deploying trustworthy certification mechanisms through the Cybersecurity Act and the GDPR and should rely on them.
  • 06 December 2018- Position papers

    European Cybersecurity Competence Centers and its related Community - Proposal on primary missions

    Eurosmart welcomes the European Commission proposal on creating a European Cybersecurity Competence center (ECCC) which would be backed by a dedicated network and a Community of accredited stakeholders. This initiative will enable the creation of a Community of expertise in Cybersecurity which will encompass the European industry, public authorities and research organisations. This initiative is more than necessary to consolidate the European Cybersecurity Digital Single Market and to develop the already well recognized European expertise and know-how in this area.

    Even if European Cybersecurity is globally recognized for its excellence, its attached ecosystem remains extremely weak compared to the 600 billion EUR global cybersecurity market. This situation puts European Digital Sovereignty at risk, and for this reason Eurosmart and its members expect this initiative to help increase the weight of this ecosystem in both qualitative and quantitative terms. The European Union must be able to take advantage of its own digital assets and to make them (cyber)secure.

    Eurosmart proposes that the European Commission and policy makers take into consideration the following points as primary missions to be undertaken within the ECCC Community:

    1. On certification: Promote the benefits and encourage adoption of European Cybersecurity certifications amongst the Community members.

    2. Disseminate cybersecurity knowledge through dedicated training to help the traditional European industry to take advantage of Cybersecurity innovations.

    3. Nurture the SMEs’ expertise in the European Cybersecurity landscape.

    4. Support the European standardisation strategy through the involvement of the Community and give a true consistency to the European Cybersecurity industrial policy.

    1. On the European Cybersecurity Certification approach

    The European cybersecurity certification group contributes to the robustness of European cybersecurity products, services and processes. This certification framework, coupled with the European Competence Center initiative, constitutes a real asset for the Union to put its cybersecurity products, services and processes at the forefront of the global market. This combined strategy will reverse the current tendency where, despite its cybersecurity industrial capabilities, Europe largely depends on non-European providers.

    Eurosmart expects policy makers to enhance the consistency between the qualitative certification approach laid down in the Cybersecurity Act and the expected increasing number of European actors who need to gain access to the cybersecurity certification process. Some initiatives are necessary to make the European Cybersecurity certification framework a real asset for the Cybersecurity industrial policy. Eurosmart recommends the following:

    1.1. Support the definition of Protection Profiles (PP) and high-level certification approaches

    The upcoming Cybersecurity Act and its related initiatives are expected to ensure a smooth transition of the current certification frameworks, and more precisely of the SOG-IS, to the new European one. The European Cybersecurity Competence Center and its Community could facilitate this transition and make the new SOG-IS 2.0 available to new actors. The ECCC could more specifically contribute to the definition of protection profiles for critical infrastructures, which cover the domains defined by the NIS Directive: energy, transport, banking, financial, health, water and digital infrastructures. These domains are the ones to be primarily concerned by the high-level certifications. The ECCC is the right place to host and support the definition of PPs by involving concerned stakeholders and experts from industry, research and national security agencies.

    The level “high” deserves a specific approach due to its sensitive nature. The ECCC could initiate a close and continuous cooperation amongst the Community Members involved in certification processes at level “high” (i.e. the EUCCG, PSG group, ENISA, EDPS, CERT-EU at EU level, the CERTs, the national authorities, industry and RTOs). The work undertaken by the Community shall pay attention to the way the CABs are accredited in order to ensure a homogeneous functioning of the certification process at this critical level.

    1.2. Facilitate the definition of qualitative candidate schemes for the traditional European Industry at the level “Substantial”

    To address the substantial level of cybersecurity certification, the ECCC community could design innovative certification approaches as a common ground for sectorial legislations such as electronic appliances, toys, cars and the current verticals currently which are usually covered by the Safety compliance, but which will be concerned by Cybersecurity issues. This strategy supported by the ECCC through relevant grants (Digital Europe, Horizon Europe programs) could bring together RTOs, Industry, experts. This community of various actors could take benefit from the innovative outcomes of the research in matter of certification, and thus, before the placing of new products and services on the European market. The supported and granted tasks could include:

    - The definition of innovative candidate schemes according to the needs expressed by the Community with a sectorial approach;

    - The definition of new evaluation methodologies by involving European CABs, industry and national agencies. This approach could help the Community members to take advantage of the know-how on pentesting to increase the quality of the developed candidate schemes while tackling substantial level methodologies. The security level “substantial” should manly concern B2B context in Europe, which can address in the meantime critical infrastructures.

    1.3. EU Cybersecurity level “basic”

    The European Competence Center could be the right place to commonly define the basic requirements for the security level “basic”. This level will be an entry point for many market players which are not familiar with security requirements.

    Some basic principles must be disseminated through the community to ensure that even the level “basic” provides a minimum of robustness for products, services and processes.

    In this field, Eurosmart advocates for including minimal cybersecurity features to prevent any unauthorised access, modification, or information disclosure. This basic assurance level should be usable as minimum requirements for all connected electronic devices, consumer electronics, or applications.

     

    2. Dissemination of the European cybersecurity know-how to the traditional European industry and to the SMEs

    Cybersecurity is everywhere and profoundly impacts the way new products and services are designed. Currently, when developing a new product, traditional manufacturers have to deal with functional specifications, standards and conformity to demonstrate that products, services or processes comply with relevant EU safety legislation. With the increasing development of the IoT and IoTT (Internet of Thinking Things) market, cybersecurity is sometimes considered as an additional layer on top of the current question of safety and conformity.

    The ECCC and the cybersecurity funding programmes could help EU actors, and especially the SMEs that lack resources, to take the path of cybersecurity. The ECCC Community could create synergies through dedicated working groups and programmes to better understand cybersecurity issues when it comes to the development of new products and services. Eurosmart has identified several missions that should be conferred on the ECCC:

    2.1. Cybersecurity training for companies

    Concrete actions should be undertaken to train and inform all EU market players about cybersecurity certifications when developing products and services. The goal is to bridge the gap between the safety and cybersecurity “mindsets”.

    Within companies, quality departments manage traditional safety issues (conformity against functional specifications) but they are not able to deal with the cybersecurity certification approach. Europe is about to face an issue similar to the GDPR, which required creating new DPO positions and training people within organisations. Similarly, the deployment of cybersecurity certification schemes will require the training of departments and employees to understand and manage security certification needs. The ECCC and the Community could help to develop such training sessions, identify good practices and develop guidelines and recommendations according to specific sectorial needs.

    2.2. Increase the number of experts, develop the skills of the community

    The ECCC shall aim at facilitating the quick adoption of the European Cybersecurity Certification Framework. To succeed in this task, it shall capture experts with IoT vertical knowledge and IT-security expertise. Several initiatives are expected to attract these profiles within the Community, to increase their number and to disseminate their knowledge.

    For instance, when it comes to hardware-attack penetration testing and the certification approach, the whole European industry relies on a very small ecosystem which encompasses about 600 people. These people are extremely rare resources and are necessary to enable high-quality cybersecurity certification processes. More specifically, this is the role played by communities of experts such as the JHAS group under the JIL and operated by Eurosmart and the ISCI WG-1. Certification in cybersecurity cannot overlook the pentesting approach and its community: cybersecurity is a matter of human intelligence, whereas the safety approach is restricted to automated processes.

    The ECCC could support both the training of the next generations of pentesters and the dissemination of their work to support the increase in quality and efficiency of the European cybersecurity resilience.

    3. Support the expertise and the sufficient representativeness of the European SMEs

    Similarly, mechanisms must be added to ensure a sufficient representativeness of SMEs. Their involvement in the ecosystem is obviously needed, as they concentrate a significant part of the EU know-how in cybersecurity. The whole European industry relies on this expertise, as most of the current SOG-IS CABs able to perform pentests are SMEs. The know-how developed in these companies must benefit the whole value chain. Eurosmart recommends dedicating at least €100bn to European cascading funding for the benefit of the cybersecurity SMEs. This European cascading funding can be managed through the evolution of the current cPPP infrastructure.

    4. Link the European Standardisation approach with the European Cybersecurity Certification Framework

    European standardisation harmonisation is supported by a well-defined regulatory approach in which CEN and CENELEC play a key role. The newly created CEN JTC13 shall be the converging point between safety and cybersecurity work on standardisation. It is nevertheless necessary to renew the current pre-standardisation work that is undertaken by stakeholders. Eurosmart is convinced that Europe must follow the example of the good practices from the non-EU and US fora and consortia in terms of governance.

    The accreditation of genuine “European” organisations within the ECCC Community is key. Incentives should be put forward to gather and/or transform European groups of actors into identified fora and consortia. These European fora and consortia would reach the critical mass needed to initiate new standardisation work items according to their sectorial needs. This work could be backed by the ECCC in close collaboration with CEN/CENELEC, ENISA and the MSP for standardisation. Eurosmart puts in this perspective the JRC mapping of more than 660 organisations from across the EU as cybersecurity centres of expertise. However, a clear legal definition is a much-needed first step toward the consolidation and identification of relevant EU stakeholders.