The European Commission proposal for common EU-wide cybersecurity certification is an essential step towards safeguarding consumers and businesses as we become increasingly connected in the digital age, write Hanane Taidi and Drewin Nieuwenhuis.
Hanane Taidi is Director General of the International Federation of Inspection Agencies (IFIA). IFIA represents around 60 of the world’s leading international testing, inspection and certification bodies, which together employ over 300,000 people. Drewin Nieuwenhuis is the Secretary General of CEOC, the International Confederation of Inspection and Certification Organisations. CEOC is the European sister organisation of IFIA, representing 29 organisations from 19 countries, employing over 111,000 people.
Rapid digitalisation has personalised cybersecurity. It is no longer only critical infrastructure or business data that is under threat; personal data and safety in general are also at stake.
While the need to protect critical infrastructure remains vital, cybersecurity has become intrinsically linked to everything we do. Whether using fitness or dating apps, controlling home temperatures from mobile devices, banking or shopping online, or using connected and autonomous cars – cyber-attacks can and will increasingly impact our daily lives.
In this context, the European Commission’s proposal for a Cybersecurity Act is a fundamental step in the right direction. The proposal for common EU-wide cybersecurity certification for products and services will raise the level of trust and security within the connected society. Governments and citizens must be able to trust in the security of their critical infrastructure, systems, components and devices, while businesses need clarity on security requirements and certification for products.
As it stands, a broad set of fragmented security certification schemes already exists or is being proposed across Europe and around the world, and in some cases there are no standards at all. The varying degrees of certification requirements, coupled with differing standards, can be costly and difficult to navigate, limiting industry’s ability to meet the highest standards for cybersecurity. Creating a common certification framework recognised across all Member States will not only create greater efficiencies but will also encourage investment in higher levels of security and enable consumers to confidently choose the right level of cybersecurity.
Business will benefit too. For a single product to access multiple markets today, a company may need to undergo several certification procedures across the Member States. Creating a one-stop-shop certification framework will make it easier for businesses to trade across borders by reducing the resources required to test and certify security measures; this would also enable industry to divert greater resources into investment in security research and development.
A harmonised approach to testing and certification will build consumer confidence in the security of the products they purchase and help them understand the security features of the product or service. This in turn will make the cybersecurity certification more attractive for businesses as an effective means to communicate the level of cybersecurity assurance of ICT products or services to their customers.
Getting the Cybersecurity Act right is vital. However, the devil is in the details when it comes to ensuring it is effective and truly contributes to cybersecurity.
The European Commission’s proposed certification framework is voluntary, and includes varying degrees of assurance (basic, substantial and high) for certifying ICT products and services. Currently, the European Parliament is discussing whether certification should be mandatory for the “high assurance” level and whether self-assessment by the manufacturer should be introduced. Both will have their advantages and disadvantages if not designed properly, but what remains central is that connected products must come with a strong guarantee that they are safe and meet the necessary minimum security requirements.
Certification and independent third-party conformity assessment can protect against attacks and ensure the highest level of cybersecurity and trust. Independent third-party conformity assessment should be the basis for the substantial and high assurance levels, where the consequences of cyber-attacks are the greatest. It serves as a highly regulated yet cost-effective solution, providing the highest level of confidence while helping government and business – particularly small and medium-sized enterprises (SMEs) – save resources. While major multinationals may be able to carry out rigorous conformity assessment themselves, many SMEs simply do not have the resources to do so.
Many products found in the European marketplace today are the result of complex supply chains stretched across the globe and manufactured by both European and non-European companies. As cybersecurity levels cannot be tested and checked by the end user or the consumer, reliance on third-party certification, combined with strong market surveillance for those products not covered by certification, gives consumers confidence in the security of their products and services.
The risk potential of the ICT product or service needs to be taken into account when determining the applicable assurance level (basic, substantial, high) and conformity assessment procedure. The higher the risk, the higher the required assurance level, and the stricter and more comprehensive the conformity assessment procedure should be. Furthermore, manufacturers who produce connected products may not always be aware of the changing risks associated with connecting a product, updating software, or the rapidly changing cybersecurity landscape. This should be taken into account when carrying out risk assessment.
While some stakeholders may be calling for products and services with a low assurance level to be subject only to self-assessment, it is important to a) classify what types of products and services are covered and b) ensure that self-assessment is subject to the same rigorous vetting process as independent third-party conformity assessment bodies.
As the discussions in the European Parliament on the Cybersecurity Act approach a critical point, it is imperative that MEPs get behind the Commission’s proposal and focus on the fact that in the digitalised world, there is no safety without security. Strong certification and independent third party conformity assessment that protects consumers, while providing business with a one-stop-shop solution, will be key in creating a digital single market for cybersecurity and digital products in general.