Proposal on ENISA and on ICT cybersecurity certification

15 September 2017

On 13 September, the Commission published its proposal for a Regulation on ENISA and on ICT cybersecurity certification. This Regulation is part of a new cybersecurity package, which also includes two communications on cybersecurity and a detailed impact assessment.

The proposal lays down a cybersecurity certification framework composed of EU certification schemes. Three levels of assurance are defined: basic, substantial or high. EU schemes have supremacy over national schemes, but certification remains voluntary.

The adoption of an EU scheme would take place in the following way:

1) The Commission issues a request for a European cybersecurity certification scheme. Member States or the European Cybersecurity Certification Group (Group) may propose the preparation of a candidate European cybersecurity certification scheme to the Commission;

2) ENISA prepares a candidate European cybersecurity certification scheme which meets the requirements defined by the regulation;

3) When preparing the scheme, ENISA shall cooperate with the European Cybersecurity Certification Group, which provides assistance and expert advice and may issue an opinion;

4) ENISA consults all relevant stakeholders when preparing the scheme;

5) ENISA transmits the candidate European certification scheme to the Commission;

6) The Commission, based on the scheme proposed by ENISA, may adopt implementing acts providing for a European certification scheme;

7) ENISA maintains a dedicated website providing information on, and publicity of, European cybersecurity certification schemes.

In addition, the proposal gives ENISA a permanent mandate, with a key role in this new certification framework (see above and the graphic on the adoption of EU schemes).

This proposal is now being examined by the European Parliament and the Council. On the side of the Parliament, the Committee for Industry, Research and Energy (ITRE) is the leading Committee for this file. However, the Committee for Internal Market and Consumer Protection (IMCO) could be a joint or associated Committee for the part on certification.