News & Publications

Latest news

  • 26 October 2017 - News

    Council of the EU discussed the cybersecurity package

    On 24 October, the Ministers in charge of telecommunications and digital affairs from all Member States held their first formal Telecommunications meeting under the Estonian Presidency. The meeting was chaired by Urve Palo, Estonian Minister of Entrepreneurship and IT.

    This discussion built on last week's European Council meeting and on the Tallinn Digital Summit of 29 September.
    • Digital Single Market
    The Estonian Presidency recalled that the Heads of State and Government tasked their Ministers to boost the completion of the Digital Single Market files by the end of next year.

    The Ministers agreed on three priorities regarding the Digital Single Market: abolishing geo-blocking, advancing on the Audiovisual Media Services Directive and the Parcel Delivery Regulation.
     
    • Cybersecurity
    The Ministers underlined that “Europe must become the trailblazer for global cybersecurity”. A large number of Ministers advocated for greater resources for cybersecurity. The Estonian Presidency, jointly with the upcoming Bulgarian and Austrian presidencies, will work on an Action Plan to implement this cybersecurity package.
     
    The Estonian IT Minister also mentioned the proposal on ENISA and on cyber certification that Ministers have begun examining during this meeting. The Ministers supported the need for a voluntary certification scheme. However, several delegations highlighted that this system should not hamper innovation.
     
    In addition, the Ministers discussed accelerating the implementation of the NIS Directive, “which needs to be integrated into the legal framework of all EU Member States by May 2018”.
  • 24 October 2017 - News

    Certification: Comments from the Director of operations at ENISA

    On 23 October, Euractiv published an interview with Steve Purser, Director of Operations at ENISA, in which the EU official comments on the recent developments related to certification and labelling at EU level.

    Steve Purser believes that current certification schemes are expensive and too slow, and that greater scalability and shorter time-to-market are necessary. He observed that binding standards for cybersecurity certification could be beneficial in some areas, for instance critical infrastructure. In other areas, however, binding standards could hamper innovation.

    As regards the Internet of Things, Steve Purser deems that lightweight certification is relevant. Labels could also be developed to complement lightweight certification.
  • 23 October 2017 - News

    Supported Events October 2017


    FinTech Connect Live, 6 - 7 December 2017

    Combining the hustle and bustle of an exhibition featuring over 3000 visitors and 200 exhibitors and partners from over 50 countries, FinTech Connect Live is the UK’s largest fintech event. Playing host to 4 strategic conference sessions with inspirational case studies from around the world, a technology buyers’ theatre with 50 product demos, 12 educational workshops tackling practical fast-growth challenges, and two full days of dedicated mentoring clinics for start-up leaders, all brought to you by over 300 of the industry’s finest speakers, FinTech Connect Live is the ‘must have ticket’ for stakeholders from across the full fintech eco-system.

    FinTech Connect Live provides a platform for all those attending to collaborate, differentiate, form connections, source solutions, and conduct and generate business with new, existing and upcoming fintech players in the market.

    10 free conference passes are available for Eurosmart's members, please register here and indicate the invite code Eurosmart100 to get your free pass.

    TRUSTECH - Pay, Identify, Connect & Secure
    28-30 November 2017 - Cannes, France

    TRUSTECH is the Largest International Event dedicated to Trust-Based Technologies with unprecedented networking opportunities and not-to-be-missed Keynote Speakers.

    Join the whole industry for three days of Innovation, Business and Networking!

    TRUSTECH will include amongst other things a selection of Startups and Fintechs who will showcase their latest innovations for the Payment and Identification industries.

    TRUSTECH gathers in Cannes (French Riviera):
    • 13,000+ Attendees from 125 countries
    • 49% Top Managers
    • 350+ Exhibitors & Sponsors
    • 250+ Leading International Speakers

    For more information: www.trustech-event.com


Latest publications

  • 06 November 2017 - Technical document

    Radio Equipment directive and passive RFID products

    Radio Equipment Directive (RED) 2014/53/EU impacts the way in which RFID products are placed on the European market. On 6 November, Eurosmart issued a position paper presenting its understanding of the Directive. In addition, in order to clarify the scope of the Directive, Eurosmart addressed a list of questions and recommendations to the European Commission.


    Eurosmart position paper

    Radio Equipment Directive 2014/53/EU

    The Radio and Telecommunication Terminal Equipment (R&TTE) Directive 1999/5/EC establishes a regulatory framework for placing and putting into service radio and telecommunications terminal equipment on the free market. It was repealed by the Radio Equipment Directive (RED) 2014/53/EU that has been applicable since 13 June 2016. After a transitional period, equipment covered by the Radio Equipment Directive must be brought into conformity by 13 June 2017.

    The new RED guide issued by the European Commission on 19 May 2017 specifies that “Non-radio products (e.g. passports, credit cards) which are tagged are not radio equipment and do not require CE marking and contact details for the purposes of RED.”

    Eurosmart’s understanding of the new Radio Equipment Directive 2014/53/EU

    1. As mentioned in the guide, credit cards and passports are examples of products that do not fall under the Radio Equipment Directive.
    2. All passive RFID products are the same kind of objects within the meaning of the Directive (see attachment). Such passive RFID products do not use any battery. Therefore, passive RFID products are not radio equipment, and administrative provisions such as CE marking, class specification, serial number and identity of the manufacturer do not apply.
    3. However, the administrative provisions of Directive 2014/53/EU do apply to active RFID products using a battery or an active antenna.

    According to our understanding, the guide is not refined enough; national authorities could therefore interpret the provisions of the Directive in several ways (see below).

    Eurosmart enjoins the European Commission to confirm the following:

    1. Since passive RFID products do not fall under the RED, for reasons of consistency the respective supply parts shall not fall under the Directive either.
    2. For active RFID products, the notion of “placing on the market” is, in our view, too vague. As stated by TCAM 20, the correct application of the RED must focus on the identification of the end user of the active RFID product when the product is placed on the market. Eurosmart recommends specifying (e.g. in the RED Guide) at which stage in the value chain the product must be compliant and the conditions under which the product falls under the RED.
    3. As long as a new firmware changes neither the behaviour of the contactless interface nor the safety or security aspects of the product, it cannot be considered a new product within the meaning of the Directive.

    ANNEX I:

    Examples of passive RFID products which do not fall under the Radio Equipment Directive (RED) 2014/53/EU

    1. Public sector cards

    2. Financial sector cards

    • Credit cards
    • Debit cards

    3. Private sector cards

    a) Commercial cards
    • Company cards
    • Loyalty cards
    • Ski pass
    b) Web Access cards
    • FIDO token
    c) Transport cards
    • Transport contactless tokens
    d) Building access cards
  • 25 October 2017 - Position papers

    Cybersecurity Act - Eurosmart Position


    Foreword

    The Draft Cyber Act Regulation is a matter of European industrial policy and economic growth as well as being of importance for European digital sovereignty and societal choices.

    The level of resistance to potential attacks on European encryption solutions will be key to the technical transposition of Articles 7 and 8 of the European Union Charter of Fundamental Rights, which ensure respect for private and family life and the protection of personal data. This puts the Cyber Act at the heart of digital democracy.

    The Cyber Act could become a de facto social contract for the digital age. Therefore, we will bear the responsibility for drawing up fair provisions which uphold the interests of European citizens, Member States, European industry, the European Institutions and the digital single market. We must make sure that the process of establishing confidence in products through a new certification framework driven by ENISA is beneficial to European citizens first and foremost.

    Eurosmart’s members are the world’s leading companies in digital security in a wide range of sectors. Our members share common European roots and take pride in their contribution to the achievements of the European Union’s digital single market.

    With over 25 years of experience, our industry has made a huge contribution to European excellence and expertise in the field of cybersecurity and provides robust cryptographic solutions throughout the world.

    Embedded in our digital security technology, European security certifications issued under the SOG-IS MRA have been requested by more than 120 countries worldwide in order to secure their critical infrastructures, such as electronic passports. These SOG-IS MRA certifications are also used in highly secured environments by, amongst others, NATO and the European Parliament, with the latter using them for electronic voting systems.

    Whilst Eurosmart supports the creation of a European cybersecurity certification framework, we believe that the existing SOG-IS MRA expertise and principles, the quality of which is unmatched anywhere else in the world, need to be consolidated and extended. The Cybersecurity Act is a unique opportunity to further develop the European cybersecurity ecosystem, which consists of small and medium-sized enterprises. To make the most of this opportunity, the Act needs to ensure fair and transparent processes.


    POSITION PAPER ON THE CYBERSECURITY ACT

    Eurosmart, the association representing the European digital security industry, welcomes the adoption of a new European Cybersecurity Act, which includes a new harmonised security certification and labelling framework.

    Eurosmart fully supports the Commission’s proposal for a cybersecurity act granting ENISA a key role as a cybersecurity agency with full operational capabilities. The creation of a European Cybersecurity Certification Group in the European cybersecurity framework is also welcomed by Eurosmart as it will foster enhanced coordination of existing security certification schemes.

    The worldwide leadership of the European digital security industries and their associated eco-systems depends upon the very high security level ensured by the current SOG-IS MRA (“Senior Officials Group Information Systems Security - Mutual Recognition Arrangement”) certification scheme.

    This digital security technology is a unique European success: more than 120 countries in the world use it to secure their electronic passports, all well-known high-end smartphone manufacturers use it to protect their critical assets, and so does the European Parliament, which uses it for electronic voting systems.

    It should be noted that even the US Department of Defense (DOD) is using European technologies (secure elements) to protect its critical infrastructure, and that NATO uses European technologies certified by SOG-IS MRA in Europe and FIPS in the USA. Products that are currently in use have both certifications.

    It is of the utmost importance that high performance levels are maintained in order to counter potential attacks on the new European cybersecurity certification scheme and to preserve European leadership via an EU security eco-system which consists of:

    · Providers of secure hardware-based products;

    · Encryption providers (local & cloud based);

    · European High Security Hardware (HSM) providers;

    · European Mobile operators, to securely manage network authentication;

    · Research labs;

    · The cryptographic community – a large part of the European cryptographic community is working for European smart industry and its eco-system;

    · Existing pen testing groups;

    · Europe’s existing accredited labs (with some pen-testing capabilities).

    The European Union should build on Europe’s unique worldwide expertise to maintain a high level of encryption resistance and high security levels for electronic identification, electronic authentication, web and cloud electronic services and electronic signatures.

    SOG-IS mutual recognition is operational in the EEA and is processing various security products in a range of IoT domains, such as:

    · Homeland security with secure travel documents and secure border control;

    · Security on the highway with electronic tachographs for lorries and buses and digital driving licenses for citizens;

    · Digital identity documents in the public sector for web and cloud applications with national eID cards and residence permit cards for third-country nationals;

    · Finance with debit and credit cards;

    · Health with health and professional cards & HSMs;

    · Transport with electronic vehicle registration cards;

    · Secure communication with embedded TPM or secure elements in PCs/laptops/tablets, which are required for MS WINDOWS 10 and higher.

    Eurosmart also wishes to express the following concerns about the current Cyber Act:

    1) Eurosmart highlights the need for vigilance in order to ensure a smooth transition from the existing SOG-IS MRA scheme towards the future European schemes, which should have the SOG-IS MRA principles in a dedicated appendix of the Cyber Act regulation from day one. We should also recognise the strategic role of the existing national security agencies over the past 20 years in creating best-in-class tamper-resistant cryptographic devices, software and services.

    Eurosmart advocates for an evolution of the mutual recognition arrangement to cover all Member States, without jeopardising the quality of the evaluation’s requirements and methodology.

    2) Certification versus Labelling:
    In the proposed regulation, only cybersecurity certification is described with no mention of the notion of labelling.

    As regards consumers and citizens, and as an additional approach, the creation of a European Union trust label can raise awareness of cybersecurity aspects pertaining to trust, privacy and confidence. Raising consumer awareness of security aspects will enhance confidence and trigger a market demand for connected devices.

    Eurosmart also has some questions for the co-legislator:

    1. In the European Accreditation Agreement (referred to in Regulation (EC) 765/2008) more than 36 countries are full members. How can we limit this to the 28 EU Member States (soon to be 27)?

    a. Can Conformity Assessment Bodies in non-European countries that are full members of European Accreditation perform a European certification on a given product?

    b. Consequently, what would be the definition of a European CAB?

    c. And what about the definition of a European Country?

    d. Would non-EU countries covered by the EA agreement have to create their own National Certification Supervisory Authority (NCSA)?

    e. Would such a National Certification Supervisory Authority have some “power of investigation” vis-à-vis a foreign CAB? And vis-à-vis an EU CAB?

    f. How could non-European standards (e.g. FIPS/USA, GOST/Russia, SCOSTA/India, OSCCAR/China) be integrated?

    g. How could ENISA ensure the appropriateness of and conformity with international standards used in (already) approved schemes?

    2. The PwC study SMART no. 2016-0029, which was used to perform the impact analysis, referred to several “errors” in the SOG-IS MRA, whilst the latest study on ENISA (published on 19 September 2017) is much more complete:

    a. Why was the ENISA study not published earlier so that it could be used in the impact assessment?

    b. What form will the submission of a list of errors to the Commission, Parliament and Council take? Eurosmart will be preparing and publishing some documents to highlight these “errors” in the coming weeks.

    3. How can a fair & transparent process be ensured during the preparation of the security certification schemes?

    In the proposed governance scheme there is no counter-power to ENISA and the selected sub-contractors would be mainly consultants (as defined in the PWC Impact assessment).

    How can we mitigate the risk of experienced lobbyists seeking to influence the preparation of the security certification schemes whilst showing disregard for the interests of the European SMEs that are at the core of the current EU cyber security expertise in EU Member States?

    4. How can we define a “European Association”?

    5. How can we ensure that ENISA is transparent?

    To ensure transparency in ENISA’s determination of the stakeholders who will review the proposed certification schemes, we should invite the Council & the Commission to certify European stakeholder associations to ensure that they actually represent European industry and thus mitigate the risk of a consultancy firm misrepresenting European interests.


    About Eurosmart

    Eurosmart, the Voice of the Digital Security Industry, is an international non-profit association located in Brussels, representing the digital security industry for multi-sector applications. Founded in 1995, the association is committed to expanding the world’s digital secure devices market, developing smart security standards and continuously improving the quality of security applications.

    Members are manufacturers of smart cards, secure elements, semiconductors and secure software, security evaluation laboratories, high security hardware and biometric technology providers, terminal makers, system integrators, application developers and issuers, who work in dedicated working groups (security, electronic identity, communication, cybersecurity, marketing). Members are largely involved in research and development projects at European and international levels.

    Eurosmart members are companies (Fingerprint Cards, Gemalto, Giesecke & Devrient, GS TAG, Idema, Imprimerie Nationale, Infineon Technologies, Inside Secure, Linxens, Nedcard, NXP Semiconductors, +ID, Real Casa de la Moneda, Samsung, Sanoïa, STMicroelectronics, Toshiba, Trusted Objects, WISekey, Winbond), laboratories (CEA-LETI), research organisations (Fraunhofer AISEC), associations (SCS Innovation cluster, Smart Payment Association, Mobismart, Danish Biometrics).

  • 11 September 2017 - Position papers

    Eurosmart's answer to the Commission's inception impact assessment on certification and labelling
