16 Apr ENISA – EU Cybersecurity certification framework
The European agency ENISA is in charge of preparing the convergence of all member states' national cybersecurity certification systems. Having a single certification recognised throughout the EU would of course be major progress, as so far a cybersecurity product certified in one country is often not automatically recognised as such in another member country.
On the way to this objective, ENISA has recently issued a preliminary report on the methodology to be used for drawing lessons from market surveys and deriving from them the grounds for certification.
The report can be found on https://www.enisa.europa.eu/publications/cybersecurity-certification-market-study
Though this report is purely methodological and rather dense (see the extract below *), we would like to encourage cybersecurity companies to take a look, and not hesitate to give their own advice based on their perception of market issues.
The ECA fully supports ENISA in its objective to protect consumers and make sure cybersecurity products deliver proper, reliable, and measurable protection. At the same time, we also think certification should contribute to achieving the independence of the EU when its vital interests are at stake, and therefore to laying the ground for a solid and prosperous European cybersecurity industry. With respect to such goals, a certification system should encompass elements such as:
- Supply chain: the origin of software and hardware components, and the capability of cybersecurity companies to withstand shortages and avoid long-term dependencies.
- Data protection: no backdoor, no possibility of a data leak, no hidden capture of customer data.
- Transparency: the system does what it says it does.
- Reliability: the company has solid debugging and maintenance capabilities.
In our opinion, companies seeking certification should also be able to count on its business impact. The EU has now defined a category of organizations, private or public, which are deemed to be of vital importance (among others, utilities, telecom operators, and health facilities). Buyers within these organizations should be strongly encouraged not only to have protection against cyberattacks, but also to refer to European certifications when selecting their products (at least once such certifications become available).
Finally, for cybersecurity companies, the certification process should be made easier to undertake and less expensive, and its results should be delivered more quickly.
(*) One of the main objectives of the EU cybersecurity certification framework is to increase trust and the cybersecurity reliability of ICT products, ICT services and ICT processes and to address the needs of the EU cybersecurity market. This study aims to provide a set of methodological steps to identify, gather, analyse and understand these needs. They can relate to emerging cybersecurity certification needs but also to existing certification schemes under the CSA. It aims to support an analysis of how schemes are adopted by the market, at defined moments, and whether further adaptations are needed by the involved stakeholders. Analysing the cybersecurity market is complex due to the number of security vectors or ICT products, ICT processes and ICT services, as well as the complex nature of supply chains that become larger due to increasing connectivity and the number of components that may be part of large systems.
This proposed set of methodological steps attempts to create a structured and step-by-step approach to identify cybersecurity needs in a complex environment. It aims to provide practical guidance to analyse the market, without, however, creating a textbook on how to conduct particular types of economic analyses. These proposed steps are divided into four parts and cover the identification of the context of the market analysis and the scope of the target of analysis, assessing the impact of a cybersecurity certification initiative, and identification of the available options and possible initiatives. The goal is to be able to identify gaps in the market – from a cybersecurity certification perspective – without relying solely on input from stakeholders, but to provide evidence from both the supply and demand sides while factoring in societal and economic aspects.