Security certification and labelling – Inception impact assessment unveiled

11 July 2017
On 7 July, the Commission released an inception impact assessment on a proposal for a Regulation revising ENISA Regulation (No 526/2013) and laying down a European ICT security certification and labelling framework. This inception impact assessment concerns both the review of ENISA’s mandate and the creation of a European ICT security certification framework. A thorough impact assessment is currently being prepared to support the preparation of this initiative.
As a preliminary statement, the Commission notes that the lack of an EU-wide approach to ICT certification and the proliferation of national initiatives generate significant burdens for ICT vendors, which might need to undergo several certification processes across the Member States. This problem constitutes a barrier to the internal market and undermines cross-border trust. The Commission concludes that greater coordination and cooperation at EU level is essential to respond effectively to cyber risks and to reduce certification costs.
Regarding the review of ENISA’s mandate, the Commission is considering a range of options, from non-intervention to expanding ENISA's mandate in order to convert ENISA into an EU cybersecurity agency with full operational capabilities.
Regarding security certification and labelling, the Commission deems that if it does not intervene, the market will keep fragmenting. The Commission laid out different options in order to improve trust in the EU:
• Option 1: encourage more Member States to support voluntary, sector-specific, industry-led initiatives and to join the Senior Officials Group – Information Systems Security.
• Option 2: propose a European institutional framework for ICT certification and labelling through a legislative instrument, without however introducing new ICT security requirements for specific products and services. The European framework would be composed of multiple schemes that, once approved by the Board, become “European” and thus valid across the EU.
• Option 3: propose the adoption of a new legislative instrument setting out mandatory harmonised requirements and conformity assessment mechanisms to ensure the ICT security of specific products and services. ENISA would develop these standards in cooperation with standardisation bodies.
The Commission is expected to publish the proposal in September 2017.