On 9 January, the European Economic and Social Committee (EESC) held a public hearing on the Cybersecurity Act. Its conclusions will feed into the EESC opinion being drafted by Alberto Mazzola and Antonio Longo of the Section for Transport, Energy, Infrastructure and the Information Society (TEN). The opinion on the Cybersecurity Act will be discussed and adopted at the EESC plenary session in February 2018.
The EESC broadly supports the cybersecurity package set out in the European Commission proposal submitted to the Council in September 2017 and flags up the following measures.
ENISA's Executive Director Prof. Dr. Udo Helmbrecht took the opportunity to make a speech on the new role of the agency. He underlined the crucial role that ENISA will play in the near future and its important contribution to a high level of cybersecurity: “We believe that the proposal for a permanent mandate will facilitate the delivery of better results in the long term. The proposed increase of financial and human resources, as well as the opportunity to carry out new tasks will enhance our work in the implementation of the NIS Directive.”
Cannes, 28th November 2017 – At the opening of TRUSTECH 2017, Eurosmart, the Voice of the Digital Security Industry, announced its annual forecast of worldwide secure element shipments. Stefane Mouille, President of Eurosmart, stated: “The secure element market continues to increase in volume to reach exceptional figures worldwide, passing in 2018 the threshold of 10 billion shipments. We forecast a steady growth for 2017 (+3.3%) and the market will keep growing in 2018. These results confirm that our industry remains an area for business growth in Europe and worldwide”.
Our secure element technology is continuously evolving and thus embracing new form factors, markets and usages. Major device manufacturers rely on Eurosmart members’ technology to secure transactions and identification methods, such as biometrics storage and matching on secure element. Certification is also evolving and contributes to keeping our technology not only convenient but secure for organizations and individuals alike.
Biometrics is being incorporated into our everyday lives and consumers embrace it as an attractive method of identification. “Apple created momentum making biometrics just ‘cool’. Users favour biometrics over PIN and password for commercial applications since it provides a seamless and secure experience. Eurosmart members have been leading this biometrics wave for the last 20 years in a wide range of applications such as payment and banking, identification, travel documents and border management or access management. Currently, we are at the forefront providing both biometric technologies and solutions designed to protect and ensure privacy of biometric data. Eurosmart has drawn on this expertise creating the Biometrics committee”, said Mouille.
“Overall, combining quick and easy access to transactions with robust security is of great importance for our industry”, continued Mouille. The call for combined security and convenience continues to spur the growth of Mobile & IoT embedded secure products, reaching more than 600 million shipments in 2018 (+14%). This double-digit growth is especially driven by the IoT deployment in many verticals, such as automotive, smart grids, smart cities or Industry 4.0, where cybersecurity is imperative to protect both private and public data. Another growth driver is the sustained demand for secure elements designed to ensure the cybersecurity of critical infrastructures as per the NIS Directive in Europe and the US Cyber act in the US. Furthermore, consumer wearables with embedded secure elements are increasingly being used in sensitive applications such as contactless payments or connectivity.
Whereas 4G migration continues across most regions, the Digital Security Industry forecasts confirm the upward trend for 2017 and 2018 in the telecom sector. “Whilst mature markets reach saturation, local regulation for user registration in several countries and strong subscriber growth in emerging markets contribute to this positive performance”, explained Mouille.
Contactless technology improves speed, convenience and security in payment transactions. In 2017, contactless solutions gained momentum in many established markets (+7%). They have stimulated the outstanding growth of the financial services sector, for which Eurosmart forecasts a growth of 5% in 2018, with an estimate of around 3.1 billion units shipped next year. “While the credit card market is still growing in China, EMV migration in India, supported by the Reserve Bank of India, will boost demand in 2018. In the US, we expect that the process of replacing the unsecure magnetic stripe cards with EMV cards will carry on after the first wave of migration”, clarified Mouille.
A double-digit yearly increase forecasted for 2017 (+11%) will confirm the strong performance of the government and healthcare markets, accounting for 510 million secure elements to be shipped this year. “Even though ePassport is considered as a mature segment in established markets, the continued adoption of eID projects in emerging regions, including Africa and Asia, will be one of the main growth drivers. The roll out of national eID cards integrating eTravel functionalities across several European countries, and an even wider range of online public services requiring digital identities management, have an impact on the market. The Digital Security Industry also reports sustained demand for technologies that enable secured borders while reducing waiting times and improving travel experience”, Mouille pointed out.
“In a nutshell, Eurosmart members, composed of all major European digital security companies, are significant and competitive players on the global scene. We are working on new areas and trends to extend our market coverage, such as Mobile Passport, Mobile Driving License, and other forms of digital security for the Internet of Things. In this context, we strongly believe that setting up an EU cybersecurity certification framework is the right way forward in order to support the growth of our industry”, concluded Mouille.
The proposal for a Cybersecurity Act is a matter of European industrial policy and economic growth as well as being of importance for European digital sovereignty and societal choices.
The level of resistance to potential attacks on European encryption solutions will be key to the technical transposition of articles 7 and 8 of the European Union Charter of Fundamental Rights.
The Cybersecurity Act is part of the new social contract for the digital age. Therefore, we will bear the responsibility for drawing up fair provisions which uphold the interests of European citizens, Member States, European industry, the European Institutions and the digital single market. We must make sure that the process of establishing confidence in products through a new ENISA-led certification framework is beneficial, first and foremost, to European citizens.
With this vision in mind, Eurosmart invites both co-legislators to take 5 critical points into account when considering the initial proposal from the European Commission.
· Firstly, clear legal definitions of essential terms referring to IT and security ecosystems (aka “cybersecurity”).
· Secondly, fair and open European governance during the preparation phase of candidate European certification schemes.
· Thirdly, a well-defined European certification objective that is apt for each level of certification. Above all, the co-legislators should ensure that the ‘substantial’ and ‘high’ levels require mandatory penetration testing (“pentest” or “ethical hacking”) of the product by Conformity Assessment bodies (CABs) whilst a product is being evaluated.
· Fourthly, European standards must be the basis for the preparation of a new candidate European certification scheme.
· And finally, ENISA’s “Intellectual Property Rights” (IPR policy) should be spelled out in the Cybersecurity Act.
The Radio Equipment Directive (RED) 2014/53/EU impacts the way in which RFID products are placed on the European market. On 6th November, Eurosmart issued a position paper to present its understanding of the Directive. In order to clarify the scope of the directive, Eurosmart also addressed a list of questions and recommendations.
The Radio and Telecommunication Terminal Equipment (R&TTE) Directive 1999/5/EC establishes a regulatory framework for placing and putting into service radio and telecommunications terminal equipment on the free market. It was repealed by the Radio Equipment Directive (RED) 2014/53/EU that has been applicable since 13 June 2016. After a transitional period, equipment covered by the Radio Equipment Directive must be brought into conformity by 13 June 2017.
The new RED guide, issued by the European Commission on 19 May 2017, specifies that “Non-radio products (e.g. passports, credit cards) which are tagged are not radio equipment and do not require CE marking and contact details for the purposes of RED.”
According to our understanding, the guide is not refined enough; national authorities could therefore interpret the provisions of the directive in several ways (see below).
Examples of passive RFID products which do not fall under the Radio Equipment Directive (RED) 2014/53/EU