Conference on cybersecurity standardisation and the Cybersecurity Act – Key points

On 3 February, ENISA, CEN-CENELEC and ETSI organised an event on cybersecurity standardisation. The conference was focused on the importance of standards to support cybersecurity certification schemes.

Please find below the key points of this event. 

Panel 1: Role of standardisation to support the certification framework

Cinzia Missiroli (Director for standardisation and digital solutions - CEN-CENELEC) introduced the event. She underlined the need for clear priorities and consistency as there are multiple work programmes on standardisation (ICT standardisation rolling plan, Union work programme for standardisation, cybersecurity certification rolling work programme). Cinzia Missiroli also asked for clarification on the role of the Cybersecurity Act for verticals.

Luis Romero (Director General – ETSI) mentioned a new coordinated vulnerability disclosure programme. In the future, it will be possible to securely contact ETSI to report vulnerabilities in ETSI standards.

Andreas Mitrakas (Head of Unit for data security and standardisation – ENISA) explained that CEN-CENELEC and ETSI will support ENISA in the preparation of the schemes. The work on cybersecurity certification schemes is already at full speed. The ad hoc working group on SOG-IS ISO/IEC 15408, chaired by Philippe Blot, is already in place. The ad hoc working group on cloud services, to be chaired by Eric Vétillard, will be launched soon. ENISA is still defining its scope. A certification scheme on 5G will be prepared, schemes on verticals will most likely come as well.

Jakub Boratynski (Head of Unit for cybersecurity and digital privacy – DG CNECT, European Commission) highlighted that certification is key to creating a single market for cybersecurity. The Cybersecurity Act is a path towards mandatory certification. DG CNECT is building on the New Legislative Framework with its colleagues from DG GROW, for instance regarding the accreditation process. He underlined that the key question remains horizontal versus vertical schemes. Jakub Boratynski mentioned discussions on the automotive sector during meetings of the European Cybersecurity Certification Group (ECCG).

The Union rolling work programme for cybersecurity certification is being prepared; a public consultation on the matter will be launched by the end of Q1. This consultation is an opportunity to set out priority schemes. [NB: the final version of the rolling work programme is expected in June]

In Radek Maly’s views (Head of Unit for standardisation – DG GROW, European Commission), standards must be used wherever possible and wherever relevant in schemes. He reminded the audience that the EU spends around 20 million euros per year to support standardisation. He encouraged the European Standardisation Organisations to work together.


Panel 2: Achievements of cybersecurity standardisation and rolling plan of standardisation bodies

Alex Leadbeater (ETSI TC CYBER) stressed the need to avoid a one-size-fits-all approach: for instance, Common Criteria are not suitable for SMEs but are adequate for critical infrastructures.

According to Jean-Pierre Quémard (CEN-CENELEC JTC 13), horizontal standards and transparent schemes need to be developed. He deplored the lack of experts in standardisation bodies.

Emilio Davila Gonzalez (Head of Sector ICT Standardisation – DG CNECT, European Commission) explained that standardisation is not only a technical tool but also a strategic one. He stressed that the new European Commission will focus on using standardisation as a strategic tool.


Panel 3: First scheme – difficulties and success stories

Philippe Blot (Lead expert certification – ENISA) announced that the SOG-IS candidate scheme should be presented to the European Commission by the end of June. He listed the problematic points to be addressed: how to handle a vulnerability after a product is certified, and how to transpose the SOG-IS levels. The question of the governance of the scheme also needs to be tackled. The governance will be defined in the sub-group of the ECCG.

Common Criteria are no silver bullet; complementary schemes will be needed, for instance a cloud scheme to complement the product scheme. Certification schemes will be a success if sectorial domains take up these schemes.

Philippe Blot explained that there are lessons to learn from the eIDAS Regulation, as eIDAS built on protection profiles and standardisation bodies.

Claire Loiseaux (Internet of Trust) presented Internet of Trust’s activities in the certification area.

Willem Strabing (European association of smart meters, ESMIG) foresees mandatory certification for energy supply. Therefore, ESMIG members plan to certify their meters. ESMIG took Common Criteria as the basis for its certification approach and created a protection profile for smart meters.

Aristotelis Tzafalias (Policy Assistant – DG CNECT, European Commission) underlined that the challenge is to get the governance right. The European Commission wants to have a smooth transition from the SOG-IS to the European scheme. This is a voluntary scheme, but the obligations will be elsewhere, for instance in future procurements and legislations (which could refer to this scheme).


Panel 4: Next prospective schemes – way ahead

Jose Ruiz (JTSEC) explained that there is a need for worldwide recognition of the schemes. He mentioned lightweight certification (qualification) as a suitable option in many cases. He pointed out that surveillance is an issue in the case of self-assessment schemes.

Sylvie Wuidart (STM) stressed that there should be a scheme between the SOG-IS and the “just trust me” approach. It must be a time- and cost-effective scheme, which must rely on an already certified part (hardware). For the highest levels, Common Criteria are suitable.

Maika Fohrenbach (Policy Advisor, Unit Cloud and Software – DG CNECT, European Commission) underlined the importance of the certification scheme on cloud services in the context of the free flow of non-personal data (a recent Regulation removes obstacles to the free movement of data, such as obligations to store data in a specific country). There needs to be a guarantee that data will be stored securely. The European Commission hopes that the scheme will be recognised as a trusted brand by users. The European Commission is looking at how general requirements from the scheme can be translated into sectorial requirements.


For any questions on this issue, do not hesitate to contact Camille Dornier: camille.dornier@eurosmart.com

Eurosmart
Rue de la Science 14B - 1040 Brussels BELGIUM
EU transparency register #21856815315-64