Cybersecurity is constantly evolving. As the industry matures, thousands of developments are occurring simultaneously and in different areas. One significant development with far-reaching potential is the introduction of the EU Cybersecurity Act of 2019. This regulation paves the way for new certification schemes to be introduced in Europe.
IT developers may wonder what this will mean for their business. Manufacturers based in other continents, for example, may wonder how they will be able to sell their products in Europe in the future.The introduction of the CSA creates interesting topics for conversation in the areas of cybersecurity, regulations and the impact they have on the industry worldwide.
Protecting the ecosystem
Regulations exist to protect the ecosystems. In our increasingly digital world, it’s important that consumers feel safe and comfortable using products and services. Trusted services must be supported by trusted processes and delivered by trusted devices. Certification plays a key role in building this chain of trust and increasing the resilience of IT products and services.
The EU Cybersecurity Act
Different security certification schemes, standards and regulations exist around the world to encourage IT developers to demonstrate that their products are sufficiently secure. Europe has been looking for ways to increase its cyber resilience. One of the mechanisms it came up with is the introduction of a "label" that shows that products, processes and services can be trusted. This "label" concept has evolved into a piece of legislation called the Cybersecurity Act (CSA). It came into force in June 2019, establishing an EU-wide certification framework to ensure an adequate level of security for IT products, services and processes. This allows tailored and risk-based certification schemes to be created, each with their own requirements.
While the nature of this certification framework is voluntary, its enforcement will be implemented through complementary pieces of legislation. For example, one can expect that security requirements in the energy, financial and transportation sectors will rely on certification frameworks for demonstrating conformance and compliance with those requirements. This is particularly relevant for applications in the high-risk security domain.
Developing certification schemes
ENISA, the European Union Agency for Cybersecurity, is currently coordinating the efforts in collaboration with the experts group, developing the very first scheme under the CSA framework: the EUCC scheme. This scheme is about certifying IT product security based on the Common Criteria standard, one of the best-known certification schemes for the evaluation of IT products today. The first version of EUCC is expected to be released in the summer of 2021.
A second scheme is currently in the making for the certification of cloud services (EUCS). This scheme is also expected to be released this year. Meanwhile, the 2020 Union Rolling Work Programme lists priorities for standardisation with a wide impact such as 5G, the Internet of Things (IoT) and industrial automation control systems (IACS). More certification programmes and schemes are expected to follow as the EU begins to shape its digital future in earnest.
Although the EU Cybersecurity Act is specific to EU member states, it represents a global trend. The US introduced its own cybersecurity law for federal agencies, H.R.1668 - IoT Cybersecurity Improvement Act in December 2020. Various other countries, for example in Southeast Asia, are looking to Europe and keeping a close eye on the developments outlined here. Much like the General Data Protection Regulation (GDPR) had a significant impact on data protection policy and enforcement worldwide, the EU is now serving as a blueprint for best practices in cybersecurity regulations across the globe.
Would you like to have your product security evaluations performed by a trusted partner that is always up to date with the latest regulations and requirements? Brightsight, the largest independent security evaluation lab in the world, is here to support you every step of the way. With over 35 years of experience in evaluating IT products in different industries and an extensive list of accreditations, Brightsight has a short evaluation and certification timeline to get your products to market in time.