The EU Plans to Adopt a Cybersecurity Certification Framework

At present, there is no EU-wide certification framework that allows suppliers of ICT products to obtain information security certificates valid in all 28 EU countries. For example, if a supplier of software for smart meters obtains a certificate based on the so-called Common Criteria (CC) for Information Technology Security Evaluation (ISO 15408), the certificate will be legally recognized in 13 out of 28 EU countries. Hence, the supplier may need to obtain other certificates in the remaining 15 EU countries. As a result, the supplier will likely incur significant compliance costs to obtain EU-wide certification. It suffices to note that, if the supplier wishes to obtain the “Smart Meter Gateway” certificate in accordance with the requirements of the German Federal Office for Information Security (BSI), it will need to pay more than EUR 1 million. The costs of obtaining similar certifications in the UK and France are also substantial (about EUR 150,000 per country).

To reduce the financial and administrative burden of obtaining certificates in different regions of the EU, the EU has put forward a proposal for the creation of a legal framework that will lead to the issuance of cybersecurity certificates recognized throughout the entire EU. Such certificates will make it easier for businesses to trade within the borders of the largest economy in the world, which has more than 500 million consumers.

The purpose of this article is to examine the proposed EU cybersecurity certification framework (Section 2) and discuss how other countries can benefit from similar legislative initiatives (Section 3). Finally, a conclusion is drawn (Section 4).

Under the proposed framework, the European Union Agency for Network and Information Security (ENISA) will be responsible for designing a European cybersecurity certification scheme which will need to comply with a number of pre-defined objectives, including, (Read more...)

*** This is a Security Bloggers Network syndicated blog from InfoSec Resources authored by Daniel Dimov. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/9bdYgwmukn0/