European Commission Proposes Cybersecurity Certification Framework For Digital Products, Services

European Commission (EC) President Jean-Claude Juncker recently said in his address to the European Parliament that cyber attacks can be “more dangerous to the stability of democracies and economies than guns and tanks.” As such, his Commission is proposing an increase in power and budget for the European Union Agency for Network and Information Security (ENISA), as well as an EU-wide cybersecurity certification framework for Information Communications Technology (ICT) products.

Data Breaches, Ransomware, And Poor IoT Security

Over the past few years, we’ve seen a proliferation of ransomware attacks (and destructive attacks posing as ransomware), large data breaches affecting tens or hundreds of millions of user accounts at a time, and massive DDoS attacks, powered by insecure, botnet-controlled IoT devices, capable of disrupting some of the largest service providers on the internet.

All of these have shown that we can’t just continue as we have, because the more technology we adopt into our lives and in our cities (often due to significant benefits that it provides), the more exposed and vulnerable we become to malicious attacks that steal, destroy, or ransom our data and digital lives.

The EC seems to have noticed these dangers as well, and it’s now willing to take a more proactive role in preventing some of these issues. The first step is giving more operational roles to ENISA, which up until now has been mainly a security advisor to EU institutions.

This would allow ENISA to become a more powerful “cybersecurity agency” in the EU and to have a more active role in preventing cyber attacks against EU member states. One of the main roles of a “new” more powerful ENISA would be to operate the proposed certification system.

Certification System - Security By Design

ENISA has previously recommended that companies and EU institutions adopt a “security by design” mentality for their products and services. It seems that the EC will allow ENISA to start making that a reality through the new certification system, which will encourage companies to implement strong security from the early stages of product development.

The Commission also believes that customers of electronic products and digital services should be able to ascertain the level of security that is provided by the vendor so they can make educated choices for their purchases.

The EC further thinks that the security standards implemented in products will also increase trust in those products, which will presumably lead to more sales in certain categories (think IoT or autonomous cars, which may scare off some customers who fear such products are easily hacked).

Unifying Certification Schemes

The Commission also said that the new certification framework would aim to unify the various security certifications that manufacturers are sometimes asked to obtain in certain industries and in certain EU member states. These existing certifications create fragmentation and require different levels of security, and they also end up costing companies more money, as they have to pay for the certifications required in multiple countries.

The new certification framework would allow new operational certification schemes to be designed based on the new framework, which would ensure their compatibility across member states. When the need for a new certification scheme arises (such as a certification scheme for IoT devices, autonomous cars, or medical devices), ENISA will be in charge of preparing these schemes in cooperation with the European Cybersecurity Certification Group (ECCG) and the European Commission, which will implement the schemes. The ECCG will be composed of national certification supervisory authorities of member states.

Certifications will be voluntary for companies due to the high costs that some of them may incur. Presumably, the EC believes that even so, some companies will be encouraged to certify their products if it’s ultimately a profitable move for them.

A More Secure European Union

ENISA has shown a real willingness to increase security and privacy through its past proposals, such as its opposition to software backdoors and its commitment to security by design and end-to-end encryption. Making ENISA a more powerful agency in the EU, as well as permitting it to create EU-wide security certification programs, should lead to more secure products and services within the EU, especially if customers keep voting with their wallets by choosing certified products over non-certified ones.

Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.
  • mapesdhs
    The only thing dangerous to democracy is the corrupt EU ignoring the will of those who don't like what it's doing. Thank grud for Brexit.
  • rene13cross
    Whenever I see the EU doing things like this, I can't help but think that there's a hidden agenda behind such power grabs... Call me biased/skeptical/whatever but the fiasco around the Lisbon Treaty in Ireland (where I live) left that imprint on me...