11 July 2017 -
On 7 July, the Commission released an inception impact assessment on a proposal for a Regulation revising the ENISA Regulation (No 526/2013) and laying down a European ICT security certification and labelling framework. This inception impact assessment concerns both the review of ENISA’s mandate and the creation of a European ICT security certification framework. A thorough impact assessment is currently being prepared to support the preparation of this initiative.
As a preliminary statement, the Commission notes that the lack of an EU-wide approach to ICT certification and the proliferation of national initiatives generate significant burdens for ICT vendors, which might need to undergo several certification processes across the Member States. This problem constitutes a barrier to the internal market and undermines cross-border trust. The Commission concludes that greater coordination and cooperation at EU level is essential to respond effectively to cyber risks and reduce certification costs.
Regarding the review of ENISA’s mandate, the Commission is considering a few options from non-intervention to the expansion of ENISA's mandate in order to convert ENISA into an EU cybersecurity agency with full operational capabilities.
Regarding security certification and labelling, the Commission deems that if it does not intervene, the market will keep fragmenting. The Commission laid out different options in order to improve trust in the EU:
• Option 1: encourage more Member States to support voluntary, sector-specific, industry-led initiatives and to join the Senior Officials Group – Information Systems Security.
• Option 2: propose a European institutional framework for ICT certification and labelling through a legislative instrument, without however introducing new ICT security requirements for specific products and services. The European framework would be composed of multiple schemes that, once approved by the Board, become “European” and thus valid across the EU.
• Option 3: propose the adoption of a new legislative instrument setting out mandatory harmonised requirements and conformity assessment mechanisms to ensure the ICT security of specific products and services. ENISA would develop these standards in cooperation with standardisation bodies.
The Commission is expected to publish the proposal in September 2017.
06 July 2017 -
During last plenary week, an own-initiative report on European Standards for the 21st century was adopted by the European Parliament. Own-initiative reports are non-binding texts meant to send a political message. This report underlines that common standards are particularly important for the development of the Internet of Things (IoT), as the fragmentation of standards hinders growth in this sector.
Through this report, the European Parliament took a stance in favour of security-by-design and privacy-by-design principles in order to adequately face cyberthreats. It also supports the Commission’s project to create an IoT label and certification system. However, the Parliament highlights that IoT labelling and certification should be developed “where relevant and where IoT devices could have an impact on relevant infrastructure on the basis of the requirements spelled out in the NIS Directive”.
The report will feed into the Commission’s upcoming 2018 work programme, which will be adopted this month.