News & Publications

Latest news

  • 12 January 2018 - News

    European Economic and Social Committee consults civil society on cybersecurity

    On 9 January, the European Economic and Social Committee (EESC) held a public hearing on the Cybersecurity Act. Its conclusions will feed into the EESC opinion being drafted by Alberto Mazzola and Antonio Longo of the Section for Transport, Energy, Infrastructure and the Information Society (TEN). The opinion on the Cybersecurity Act will be discussed and adopted at the EESC plenary session in February 2018.

    The EESC broadly supports the cybersecurity package set out in the European Commission proposal submitted to the Council in September 2017 and flags up the following measures.

    • A European cybersecurity model: the EESC is encouraging the EU to take the necessary steps and agree on a model of resilience against such attacks at European level.
    • A stronger EU cybersecurity agency: the EESC believes the European Union Agency for Network and Information Security (ENISA) should be developed, made permanent and endowed with more resources. It should focus on e‑government and universal services (e-health) as well as preventing and combating ID theft and online fraud.
    • A European cybersecurity certification: the EESC recommends establishing an EU cybersecurity certification framework, based on commonly defined cybersecurity and ICT standards at European level. Online services and products could then be certified with a proper labelling system, with a view to improving consumer confidence.

    ENISA's Executive Director Prof. Dr. Udo Helmbrecht took the opportunity to make a speech on the new role of the agency. He underlined the crucial role that ENISA will play in the near future and its important contribution to a high level of cybersecurity: “We believe that the proposal for a permanent mandate will facilitate the delivery of better results in the long term. The proposed increase of financial and human resources, as well as the opportunity to carry out new tasks will enhance our work in the implementation of the NIS Directive.”

     

  • 07 December 2017 - Press releases

    Security Certification Meta-framework unanimously approved by the ECSO Board

    On 5 December, the European Cyber Security Organization (ECSO) Board unanimously approved the Security Certification Meta-framework for the single European IoT-market and the digital transformation in Europe. This framework was prepared by the ECSO Working Group 1 (WG1).
     
    “This vote confirms the excellent work realised by the ECSO WG1 under the technical supervision of Martin Schaffer (representing Eurosmart as Co-Chair of the ECSO WG1)” said Stéfane Mouille, President of Eurosmart, who wished to congratulate them. “This is a tremendous example of fruitful collaboration between many different actors, such as the European Cyber Security industry, National Security Agencies and European CAB.”
     
    Eurosmart now hopes that the approach outlined in the Security Certification Meta-framework will be taken into account in the Cybersecurity Act process of the European Commission, when establishing new certification schemes. “I am glad that we start having the right tools to deal with cyber threats” underlined Stéfane Mouille. “Eurosmart will gladly carry on its strong contribution to the technical work at ECSO, just as it has been building the SOG-IS principles for more than 20 years”.
  • 27 November 2017 - Press releases

    Digital Security Industry To Pass The 10 Billion Mark In 2018 For Worldwide Shipments Of Secure Elements

    Eurosmart expects steady business growth in 2017 and 2018 for the Digital Security Industry

    Cannes, 28th November 2017 – At the opening of TRUSTECH 2017, Eurosmart, the Voice of the Digital Security Industry, announced its annual forecast of worldwide secure element shipments. Stéfane Mouille, President of Eurosmart, stated: “The secure element market continues to increase in volume to reach exceptional figures worldwide, passing in 2018 the threshold of 10 billion shipments. We forecast a steady growth for 2017 (+3.3%) and the market will keep growing in 2018. These results confirm that our industry remains an area for business growth in Europe and worldwide”.

    Our secure element technology is continuously evolving and thus embracing new form factors, markets and usages. Major device manufacturers rely on Eurosmart members’ technology to secure transactions and identification methods, such as biometrics storage and matching on secure element. Certification is also evolving and contributes to keep our technology not only convenient but secure for organizations and individuals alike.

    Biometrics is being incorporated into our everyday lives and consumers embrace it as an attractive method of identification. “Apple created momentum making biometrics just ‘cool’. Users favour biometrics over PIN and password for commercial applications since it provides a seamless and secure experience. Eurosmart members have been leading this biometrics wave for the last 20 years in a wide range of applications such as payment and banking, identification, travel documents and border management or access management. Currently, we are at the forefront providing both biometric technologies and solutions designed to protect and ensure privacy of biometric data. Eurosmart has drawn on this expertise creating the Biometrics committee”, said Mouille.

    “Overall, combining quick and easy access to transactions with robust security is of great importance for our industry”, continued Mouille. The call for combined security and convenience continues to spur the growth of Mobile & IoT embedded secure products, reaching more than 600 million shipments in 2018 (+14%). This double-digit growth is especially driven by the IoT deployment in many verticals, such as automotive, smart grids, smart cities or Industry 4.0, where cybersecurity is imperative to protect both private and public data. Another growth driver is the sustained demand for secure elements designed to ensure the cybersecurity of critical infrastructures as per the NIS Directive in Europe and the US Cyber act in the US. Furthermore, consumer wearables with embedded secure elements are increasingly being used in sensitive applications such as contactless payments or connectivity.

    Whereas 4G migration continues across most regions, the Digital Security Industry forecasts confirm the upward trend for 2017 and 2018 in the telecom sector. “Whilst mature markets reach saturation, local regulation for user registration in several countries and strong subscriber growth in emerging markets contribute to this positive performance”, explained Mouille.

    Contactless technology improves speed, convenience and security in payment transactions. In 2017, the contactless solutions have gained momentum in many established markets (+7%). They have stimulated the outstanding growth of the financial services sector, for which Eurosmart forecasts a growth of 5% in 2018, with an estimate of around 3.1 billion units shipped next year. “While the credit card market is still growing in China, EMV migration in India, supported by the Reserve Bank of India, will boost demand in 2018. In the US, we expect that the process of replacing the unsecure magnetic stripe cards with EMV cards will carry on after the first wave of migration”, clarified Mouille.

    A double-digit yearly increase forecasted for 2017 (+11%) will confirm the strong performance of the government and healthcare markets, accounting for 510 million secure elements to be shipped this year. “Even though ePassport is considered as a mature segment in established markets, the continued adoption of eID projects in emerging regions, including Africa and Asia, will be one of the main growth drivers. The roll out of national eID cards integrating eTravel functionalities across several European countries, and an even wider range of online public services requiring digital identities management, have an impact on the market. The Digital Security Industry also reports sustained demand for technologies that enable secured borders while reducing waiting times and improving travel experience”, Mouille pointed out.

    “In a nutshell, Eurosmart members, composed of all major European digital security companies, are significant and competitive players on the global scene. We are working on new areas and trends to extend our market coverage, such as Mobile Passport, Mobile Driving License, and other forms of digital security for the Internet of Things. In this context, we strongly believe that setting up an EU cybersecurity certification framework is the right way forward in order to support the growth of our industry”, concluded Mouille.

     


Latest publications

  • 07 February 2018 - Position papers

    Cybersecurity Act: Five outcome-based principles from the digital security industry

    The proposal for a Cybersecurity Act is a matter of European industrial policy and economic growth as well as being of importance for European digital sovereignty and societal choices.

    The level of resistance to potential attacks on European encryption solutions will be key to the technical transposition of articles 7 and 8 of the European Union Charter of Fundamental Rights.

    The Cybersecurity Act is part of the new social contract for the digital age. Therefore, we will bear the responsibility for drawing up fair provisions which uphold the interests of European citizens, Member States, European industry, the European Institutions and the digital single market. We must make sure that the process of establishing confidence in products through a new ENISA-led certification framework is beneficial, first and foremost, to European citizens.

     

    With this vision in mind, Eurosmart invites both co-legislators to take 5 critical points into account when considering the initial proposal from the European Commission.

    · Firstly, clear legal definitions of essential terms referring to IT and security ecosystems (aka “cybersecurity”).

    · Secondly, fair and open European governance during the preparation phase of candidate European certification schemes.

    · Thirdly, a well-defined European certification objective that is apt for each level of certification. Above all, the co-legislators should ensure that the ‘substantial’ and ‘high’ levels require mandatory penetration testing (“pentest” or “ethical hacking”) of the product by Conformity Assessment Bodies (CABs) whilst a product is being evaluated.

    · Fourthly, European standards must be the basis for the preparation of a new candidate European certification scheme.

    · And finally, ENISA’s “Intellectual Property Rights” (IPR policy) should be spelled out in the Cybersecurity Act.

     

  • 06 December 2017 - Technical document

    Cybersecurity Package: Comments on the PwC Study

  • 06 November 2017 - Technical document

    Radio Equipment directive and passive RFID products

    The Radio Equipment Directive (RED) 2014/53/EU affects the way in which RFID products are placed on the European market. On 6th November, Eurosmart issued a position paper presenting its understanding of the Directive. In addition, to clarify the scope of the Directive, Eurosmart put forward a list of questions and recommendations.

     

    Eurosmart position paper

    Radio Equipment Directive 2014/53/EU

    The Radio and Telecommunication Terminal Equipment (R&TTE) Directive 1999/5/EC establishes a regulatory framework for placing and putting into service radio and telecommunications terminal equipment on the free market. It was repealed by the Radio Equipment Directive (RED) 2014/53/EU that has been applicable since 13 June 2016. After a transitional period, equipment covered by the Radio Equipment Directive must be brought into conformity by 13 June 2017.

    The new RED guide, issued by the European Commission on 19 May 2017, specifies that “Non-radio products (e.g. passports, credit cards) which are tagged are not radio equipment and do not require CE marking and contact details for the purposes of RED.”

    Eurosmart’s understanding of the new Radio Equipment Directive 2014/53/EU

    1. As mentioned in the guide, credit cards and passports are examples of products that do not fall under the Radio Equipment Directive.
    2. All passive RFID products are the same objects within the meaning of the Directive (see attachment). Such passive RFID products do not use any battery. Therefore, passive RFID products are not radio equipment, and administrative provisions such as CE marking, class specification, serial number and identity of the manufacturer do not apply.
    3. However, the administrative provisions of Directive 2014/53/EU apply to active RFID products using a battery or an active antenna.

    According to our understanding, the guide is not refined enough; national authorities could therefore interpret the provisions of the Directive in several ways (see below).

    Eurosmart calls on the European Commission to confirm the following:

    1. Since passive RFID products do not fall under the RED, for reasons of consistency the respective supply parts shall not fall under the Directive either.
    2. For active RFID products, the notion of “placing on the market” is in our view too vague. As stated by TCAM 20, the correct application of the RED must focus on the identification of the end user of the active RFID product when the product is placed on the market. Eurosmart recommends specifying (e.g. in the RED Guide) at which stage in the value chain the product must be compliant and the conditions under which the product falls under the RED.
    3. As long as a new firmware changes neither the behaviour of the contactless interface nor the safety or security aspects of the product, it cannot be considered a new product within the meaning of the Directive.

    ANNEX I:

    Examples of passive RFID products which do not fall under the Radio Equipment Directive (RED) 2014/53/EU

    1. Public sector cards

    2. Financial sector cards

    • Credit cards
    • Debit cards

    3. Private sector cards

    a) Commercial cards
    • Company cards
    • Loyalty cards
    • Ski pass
    b) Web Access cards
    • FIDO token
    c) Transport cards
    • Transport contactless tokens
    d) Building access cards