European Commission presents comprehensive proposals on cybersecurity

As part of the State of the Union speech delivered by the President of the European Commission, Jean-Claude Juncker, on 13 September 2017, the European Commission presented extensive and far-reaching proposals to improve cyber security in Europe. The overall package consists of legislative proposals, recommendations, strategy papers and accompanying reports.

The European Union’s cyber-security strategy adopted in 2013 has not been revised. The strategic superstructure of the current Commission proposals is a Joint Communication “Resilience, Deterrence and Defense: Building Strong Cyber Security for the EU” by the Commission and the External Action Service. In essence, the measures proposed include the following:

  • Expansion of the European Network and Information Security Agency (ENISA) into an EU Cybersecurity Agency with an extended range of tasks
  • Introduction of a European cybersecurity certification framework for ICT products and services
  • Support for the implementation of the NIS Directive with respect to digital service providers (by submitting the draft of the Commission’s outstanding implementing act)
  • Strengthening of cybersecurity emergency response in the EU by broadening the EU’s crisis response processes (a “blueprint” presented as a Commission recommendation)
  • Networking of EU cybersecurity research by establishing an EU Cybersecurity Research and Competence Centre

New proposals are also being made in the area of cyber defense and law enforcement, such as stronger European cooperation to identify malicious actors, the strengthening of Europol’s work in forensics and monitoring of the dark net, intensified diplomatic cooperation in responding to cyber attacks, and a new directive to combat fraud and counterfeiting of non-cash means of payment.

At the heart of the dozens of documents and roughly 1,200 pages of Commission proposals is the draft EU Cybersecurity Act. The adoption of this Regulation is primarily intended to strengthen ENISA and to introduce a certification framework.

(1) EU Cybersecurity Agency

The mandate of the EU IT security agency ENISA, which is based in Greece, is currently limited in time. In addition, ENISA has limited effectiveness with only 84 employees and essentially advisory tasks. The proposal to transform ENISA into an EU Cybersecurity Agency aims to make the agency the central EU body for all cybersecurity issues. With the NIS Directive, coordinating and standardizing tasks had already been added, as well as operational tasks such as collecting reports of cyber attacks. The proposal expands these functions further. ENISA would be involved in the formulation and implementation of all strategic and regulatory matters related to cybersecurity. At the same time, the agency is to become an information hub where operational information on threats and attacks is collected, analyzed and evaluated within the EU and – via the CSIRT network – also exchanged between member states. ENISA should also be involved in handling operational cyber incidents and build up its own analytical capabilities. In addition, the agency would receive a stronger mandate to monitor the market, including security assessments of products and services and warning the public about security risks in products, a function the German BSI, for example, already performs.

The considerable expansion of the agency’s tasks is to be accompanied by an increase of 40 employees and a doubling of the budget to €23 million. The approach of comprehensively establishing an EU Cybersecurity Agency makes sense. However, it seems questionable whether such an extensive expansion of tasks – in a single step – will be manageable at all. 40 additional employees are hardly enough for the full range of tasks. By way of comparison: the BSI has just been expanded by 180 employees to a staff of 850.

(2) EU Cybersecurity Certification Framework

The certification of ICT products and services with regard to their security is still in its infancy. Only a fraction of products are certified. Certification procedures take too long, are too expensive and have a very limited period of validity. Especially in the booming and security-critical IoT sector, IT security certification plays no noteworthy role. The Commission intends to remedy this situation with its proposal, but is acting very cautiously in the first instance.

The existing national certification procedures are to be gradually replaced by a European framework. The Commission itself intends to be empowered to adopt, by implementing act, certification schemes prepared by ENISA and make them binding for specific product groups. The present draft regulation does not itself define the content of such a certification, but leaves it to the individual schemes. Once a European cybersecurity certification scheme has been adopted for a product group, member states would be barred from defining their own schemes for that product group. At the same time, the Commission also wants to be able to determine in the same implementing act the date from which existing national schemes cease to be valid. In this way, a European regime could gradually replace national rules.

The certification itself would be carried out by certification bodies and accreditation bodies established under national law. Certification would be entirely voluntary. Each company could then decide whether, and for which products, to apply for a European cybersecurity certificate. Certificates issued would be valid for three years. The Commission proposes three different assurance levels (basic, substantial, high) without specifying exactly what these levels mean. This too would have to be determined on a product group-specific basis.

Overall, this proposal is a step in the right direction towards a uniform European assessment of the security of IT products. Nonetheless, the voluntary approach, which also ties in very closely with traditional IT security certification, falls short of expectations. The Commission has not put forward any proposals on how the responsibility (and also liability) of manufacturers and service providers for the security of their products could be increased. The proposal does not even indicate how to overcome the current problems of security certification – speed, cost and short “lifetime” of certificates. In addition, the member states will hardly be able to accept a decision on the security requirements for ICT products that rests exclusively with the Commission.

All Commission proposals have been published. The legislative proposals are currently in a public consultation process. Parliament and the Council, too, will now have to deal with the numerous proposals. It remains to be seen which of them will prevail.

Press release with links to the documents: http://europa.eu/rapid/press-release_IP-17-3193_en.htm

Martin Schallbruch, 25.09.2017