Explanatory Memorandum to COM(2017)477 - ENISA, the "EU Cybersecurity Agency", and Information and Communication Technology cybersecurity certification ("Cybersecurity Act")

Please note

This page contains a limited version of this dossier in the EU Monitor.



1. CONTEXT OF THE PROPOSAL

Reasons for and objectives of the proposal

The European Union has taken a number of actions to increase resilience and enhance its cybersecurity preparedness. The first EU Cybersecurity Strategy[1] adopted in 2013 set out strategic objectives and concrete actions to achieve resilience, reduce cybercrime, develop cyberdefence policy and capabilities, develop industrial and technological resources and establish a coherent international cyberspace policy for the EU. In that context, important developments have taken place since then, including in particular the second mandate for the European Union Agency for Network and Information Security (ENISA)[2] and the adoption of the Directive on security of network and information systems[3] (the NIS Directive), which form the basis for the present proposal.

Furthermore, in 2016 the European Commission adopted a Communication on Strengthening Europe's Cyber Resilience System and Fostering a Competitive and Innovative Cybersecurity Industry[4], in which further measures were announced to step up cooperation, information and knowledge sharing and to increase the EU’s resilience and preparedness, also taking into account the prospect of large scale incidents and a possible pan-European cybersecurity crisis. In this context, the Commission announced that it would bring forward the evaluation and review of Regulation (EU) No 526/2013 of the European Parliament and of the Council concerning ENISA and repealing Regulation (EC) No 460/2004 ("ENISA Regulation"). The evaluation process could lead to a possible reform of the Agency and an enhancement of its capabilities and capacities to support Member States in a sustainable manner. It would therefore give it a more operational and central role in achieving cybersecurity resilience and would acknowledge in its new mandate the Agency’s new responsibilities under the NIS Directive.

The NIS Directive is a first essential step with a view to promoting a culture of risk management, by introducing security requirements as legal obligations for the key economic actors, notably operators providing essential services (Operators of Essential Services – OES) and suppliers of some key digital services (Digital Service Providers – DSPs). With security requirements being seen as essential to safeguard the benefits of the evolving digitalisation of society, and given the rapid proliferation of connected devices (the Internet of Things – IoT), the 2016 Communication also put forward the idea of establishing a framework for security certification for ICT products and services in order to increase trust and security in the digital single market. ICT cybersecurity certification becomes particularly relevant in view of the increased use of technologies which require a high level of cybersecurity, such as connected and automated cars, electronic health or industrial automation control systems (IACS).

These policy measures and announcements were further reinforced by the 2016 Council Conclusions, which acknowledged that 'cyber threats and vulnerabilities continue to evolve and intensify which will require continued and closer cooperation, especially in handling large-scale cross-border cybersecurity incidents'. The conclusions reaffirmed that 'the ENISA Regulation is one of the core elements of an EU cyber resilience framework'[5] and called upon the Commission to take further steps to address the issue of certification at the European level.

The establishment of a certification system would require the setting-up of an appropriate governance system at EU level, including thorough expertise provided by an independent EU agency. In this respect, the present proposal identifies ENISA as the natural EU-level body competent on cybersecurity matters which should take up such role to bring together, and coordinate the work of, national competent bodies in the field of certification.

In its Communication on the DSM Strategy Mid-term Review of May 2017, the Commission further specified that by September 2017 it would review the mandate of ENISA, in order to define its role in the changed cybersecurity ecosystem and develop measures on cybersecurity standards, certification and labelling to make ICT-based systems, including connected objects, more cyber-secure.[6] The European Council conclusions in June 2017[7] welcomed the Commission's intention to review the Cybersecurity Strategy in September and to propose further targeted actions before the end of 2017.

The proposed Regulation provides for a comprehensive set of measures that build on previous actions and foster mutually reinforcing specific objectives:


- Increasing capabilities and preparedness of Member States and businesses;

- Improving cooperation and coordination across Member States and EU institutions, agencies and bodies;

- Increasing EU level capabilities to complement the action of Member States, in particular in the case of cross-border cyber crises;

- Increasing awareness of citizens and businesses on cybersecurity issues;

- Increasing the overall transparency of cybersecurity assurance[8] of ICT products and services to strengthen trust in the digital single market and in digital innovation; and

- Avoiding fragmentation of certification schemes in the EU and related security requirements and evaluation criteria across Member States and sectors.


The following part of the Explanatory Memorandum explains the rationale for the initiative with respect to the proposed actions for ENISA and cybersecurity certification in more detail.


ENISA

ENISA acts as a centre of expertise dedicated to enhancing network and information security in the Union and supporting capacity building of Member States.

ENISA was set up in 2004[9] to contribute to the overall goal of ensuring a high level of network and information security within the EU. In 2013, Regulation (EU) No 526/2013 established the new mandate of the Agency for a period of seven years, until 2020. The Agency has its offices in Greece, notably the administrative seat in Heraklion (Crete) and the core operations in Athens.

ENISA is a small agency with a low budget and number of staff compared to all EU agencies. It has a fixed-term mandate.

ENISA supports the European institutions, the Member States and the business community in addressing, responding to and especially preventing network and information security problems. It does so through a series of activities across five areas identified in its strategy[10]:

- Expertise: provision of information and expertise on key network and information security issues.

- Policy: support to policy making and implementation in the Union.

- Capacity: support for capacity building across the Union (e.g. through trainings, recommendations, awareness raising activities).

- Community: foster the network and information security community (e.g. support to the Computer Emergency Response Teams (CERTs), coordination of pan-European cyber exercises).

- Enabling (e.g. engagement with the stakeholders and international relations).


In the course of the negotiations of the NIS Directive, the EU co-legislators decided to attribute important roles to ENISA in the implementation of this Directive. In particular, the Agency provides the secretariat to the CSIRTs Network (established to promote swift and effective operational cooperation between Member States on specific cybersecurity incidents and sharing information about risks), and it is also called on to assist the Cooperation Group in the execution of its tasks. In addition, the Directive requires ENISA to assist Member States and the Commission by providing expertise and advice and by facilitating the exchange of best practices.

In accordance with the ENISA Regulation, the Commission has carried out an evaluation of the Agency which includes an independent study as well as a public consultation. The evaluation assessed the relevance, impact, effectiveness, efficiency, coherence and EU added value of the Agency with regard to its performance, governance, internal organisational structure and working practices during the period 2013-2016.

The overall performance of ENISA was positively assessed by a majority of respondents[11] (74%) in the public consultation. A majority of respondents furthermore considered ENISA to be achieving its different objectives (at least 63% for each of the objectives). ENISA’s services and products are regularly (monthly or more often) used by almost half of the respondents (46%) and are appreciated for the fact that they stem from an EU-level body (83%) and for their quality (62%).

However, a large majority (88%) of respondents considered the current instruments and mechanisms available at EU level to be insufficient or only partially adequate in addressing the current cybersecurity challenges. A large majority of respondents (98%) indicated that an EU body should address these needs, and among them ENISA was considered to be the right organisation to do so by 99% of the respondents. In addition, 67.5 % of respondents expressed the view that ENISA could play a role in establishing a harmonized framework for security certification of IT products and services.

The overall evaluation (based not only on the public consultation but also on a number of individual interviews, additional targeted surveys and workshops) reached the following conclusions:


- ENISA's objectives remain relevant today. In a context of fast technological developments and evolving threats and in view of the growing global cybersecurity risks, there is a clear need in the EU for fostering and further reinforcing high-level technical expertise on cybersecurity issues. Capacities need to be built in the Member States to understand and respond to threats and stakeholders need to cooperate across thematic fields and across institutions.

- Despite its small budget, the Agency has been operationally efficient in the use of its resources and in the implementation of its tasks. The location split between Athens and Heraklion has, however, also generated further administrative costs.

- In terms of effectiveness, ENISA partially met its objectives. The Agency successfully contributed to improving network and information security in Europe by offering capacity building in 28 Member States[12], enhancing cooperation between Member States and network and information security stakeholders, and by providing expertise, community building and support to the development of policies. Overall, ENISA diligently focused on the implementation of its work programme and acted as a trusted partner for its stakeholders, in a field which has only recently been recognised to have such strong cross-border relevance.

- ENISA managed to make an impact, at least to some extent, in the vast field of network and information security, but it has not fully succeeded in developing a strong brand name and gaining sufficient visibility to become recognised as 'the' centre of expertise in Europe. The explanation for this lies in the broad mandate of ENISA, which was not equipped with proportionally sufficient resources. Furthermore, ENISA remains the only EU agency with a fixed-term mandate, thus limiting its ability to develop a long-term vision and support its stakeholders in a sustainable manner. This also contrasts with the provisions of the NIS Directive, which entrust ENISA with tasks with no end date. Finally, the assessment found that this limited effectiveness can partly be explained by the high reliance on external expertise over in-house expertise, and by the difficulties in recruiting and retaining specialised staff.

- Last but not least, the evaluation concluded that ENISA’s added value lies primarily in the Agency’s ability to enhance cooperation mainly between Member States, and especially with related network and information security communities (in particular between CSIRTs). There is no other actor at EU level that supports such broad scope of network and information security stakeholders. However, due to the need to strictly prioritise its activities, ENISA’s work programme is mostly guided by the needs of Member States. As a result, it does not sufficiently address the needs of other stakeholders, in particular the industry. It also made the Agency reactive to fulfilling the needs of its key stakeholders, preventing it from achieving a bigger impact. Therefore, the added value provided by the Agency varied according to the diverging needs of its stakeholders and to the extent to which the Agency was able to respond to them (e.g. large versus small Member States; Member States versus industry).

In summary, the results of the stakeholders' consultations and evaluation suggested that ENISA's resources and mandate need to be adapted so that it can play an adequate role in responding to present and future challenges.

In view of these findings, the present proposal reviews the current mandate of ENISA and lays down a renewed set of tasks and functions, with a view to effectively and efficiently supporting Member States, EU institutions and other stakeholders' efforts to ensure a secure cyberspace in the European Union. The new proposed mandate seeks to give the Agency a stronger and more central role, in particular by also supporting Member States in implementing the NIS Directive and to counter particular threats more actively (operational capacity) and by becoming a centre of expertise supporting Member States and the Commission on cybersecurity certification. Under this proposal:

- ENISA would be granted a permanent mandate and thus be put on a stable footing for the future. The mandate, objectives and tasks should still be subject to regular review.

- The proposed mandate further clarifies the role of ENISA as the EU agency for cybersecurity and as the reference point in the EU cybersecurity ecosystem, acting in close cooperation with all the other relevant bodies of such an ecosystem.

- The organisation and the governance of the Agency, which were positively judged in the course of the evaluation, would be moderately reviewed, in particular to make sure that the needs of the wider stakeholders' community are better reflected in the work of the Agency.

- The suggested scope of the mandate is delineated, strengthening those areas where the agency has shown clear added value and adding those new areas where support is needed in view of the new policy priorities and instruments, in particular the NIS Directive, the review of the EU Cybersecurity Strategy, the upcoming EU Cybersecurity Blueprint for cyber crisis cooperation and ICT security certification:

- EU policy development and implementation: ENISA would be tasked with proactively contributing to the development of policy in the area of network information security, as well as to other policy initiatives with cybersecurity elements in different sectors (e.g. energy, transport, finance). To this end, it would have a strong advisory role, which it could fulfil by providing independent opinions and preparatory work for the development and the update of policy and law. ENISA would also support the EU policy and law in the areas of electronic communications, electronic identity and trust services, with a view to promoting an enhanced level of cybersecurity. In the implementation phase, in particular in the context of the NIS Cooperation Group, ENISA would assist Member States in achieving a consistent approach on the implementation of the NIS Directive across borders and sectors, as well as in other relevant policies and laws. In order to support the regular review of policies and laws in the area of cybersecurity, ENISA would also provide regular reporting on the state of implementation of the EU legal framework.

- Capacity building: ENISA would be contributing to the improvement of EU and national public authorities' capabilities and expertise, including on incident response and on the supervision of cybersecurity related regulatory measures. The Agency would also be required to contribute to the establishment of Information Sharing and Analysis Centres (ISACs) in various sectors by providing best practices and guidance on available tools and procedures, as well as by appropriately addressing regulatory issues related to information sharing.

- Knowledge and information, awareness raising: ENISA would become the information hub of the EU. This would imply the promotion and sharing of best practices and initiatives across the EU by pooling information on cybersecurity deriving from the EU and national institutions, agencies and bodies. The Agency would also make available advice, guidance and best practices on the security of critical infrastructures. In the aftermath of significant cross-border cybersecurity incidents, ENISA would furthermore compile reports with a view of providing guidance to businesses and citizens across the EU. This stream of work would also involve the regular organisation of awareness raising activities in coordination with Member States authorities.

- Market related tasks (standardisation, cybersecurity certification): ENISA would perform a number of functions specifically supporting the internal market and cover a cybersecurity market observatory, by analysing relevant trends in the cybersecurity market to better match demand and supply, and by supporting the EU policy development in the ICT standardisation and ICT cybersecurity certification areas. With regard to standardisation in particular, it would facilitate the establishment and uptake of cybersecurity standards. ENISA would also execute the tasks foreseen in the context of the future framework for certification (see below section).

- Research and innovation: ENISA would contribute its expertise by advising EU and national authorities on priority-setting in research and development, including in the context of the contractual public-private partnership on cybersecurity (cPPP). ENISA's advice on research would feed into the new European Cybersecurity Research and Competence Centre under the next multi-annual financial framework. ENISA would also be involved, when asked to do so by the Commission, in the implementation of research and innovation EU funding programmes.

- Operational cooperation and crisis management: this stream of work should build on strengthening the existing preventive operational capabilities, in particular upgrading the pan-European cybersecurity exercises (Cyber Europe) by having them on a yearly basis, and on a supporting role in operational cooperation as secretariat of the CSIRTs Network (as per NIS Directive provisions) by ensuring, among others, the well-functioning of the CSIRTs Network IT infrastructure and communication channels. In this context, a structured cooperation with CERT-EU, European Cybercrime Centre (EC3) and other relevant EU bodies would be required. Furthermore, a structured cooperation with CERT-EU, in close physical proximity, should result in a function to provide technical assistance in case of significant incidents and to support incident analysis. Member States that would request it would receive assistance to handle incidents and support for the analysis of vulnerabilities, artefacts and incidents in order to strengthen their own preventive and response capability.

- ENISA would also play a role in the EU cybersecurity blueprint presented as part of this package and setting the Commission's recommendation to Member States for a coordinated response to large-scale cross-border cybersecurity incidents and crises at the EU level[13]. ENISA would facilitate the cooperation between individual Member States in dealing with emergency response by analysing and aggregating national situational reports based on information made available to the Agency on a voluntary basis by Member States and other entities.


Cybersecurity certification of ICT products and services

In order to establish and preserve trust and security, ICT products and services need to directly incorporate security features in the early stages of their technical design and development (security by design). Moreover, customers and users need to be able to ascertain the level of security assurance of the products and services they procure or purchase.

Certification, which consists of the formal evaluation of products, services and processes by an independent and accredited body against a defined set of criteria standards and the issuing of a certificate indicating conformance, plays an important role in increasing trust and security in products and services. While security evaluations are quite a technical area, certification serves the purpose to inform and reassure purchasers and users about the security properties of the ICT products and services that they buy or use. As mentioned above, this is particularly relevant for new systems that make extensive use of digital technologies and which require a high level of security, such as connected and automated cars, electronic health, industrial automation control systems (IACS)[14] or smart grids.

Currently, the landscape of cybersecurity certification of ICT products and services in the EU is quite patchy. There are a number of international initiatives, such as the so-called Common Criteria (CC) for Information Technology Security Evaluation (ISO 15408), which is an international standard for computer security evaluation. It is based on third party evaluation and envisages seven Evaluation Assurance Levels (EAL). The CC and the companion Common Methodology for Information Technology Security Evaluation (CEM) are the technical basis for an international agreement, the Common Criteria Recognition Arrangement (CCRA), which ensures that CC certificates are recognized by all the signatories of the CCRA. However, within the current version of the CCRA only evaluations up to EAL 2 are mutually recognized. Moreover, only 13 Member States have signed the Arrangement.

The certification authorities from 12 Member States have concluded a mutual recognition agreement regarding the certificates issued in conformity with the agreement on the basis of the Common Criteria[15]. Moreover, a number of ICT certification initiatives currently exist or are being established in Member States. Even if important, these initiatives bear the risk of creating market fragmentation and interoperability issues. As a consequence, a company may need to undergo several certification procedures in various Member States to be able to offer its product on multiple markets. For example, a smart meter manufacturer who wants to sell its products in three Member States, e.g. Germany, France and UK, currently needs to comply with three different certification schemes. These are the Commercial Product Assurance (CPA) in the UK, Certification de Sécurité de Premier Niveau in France (CSPN) and a specific protection profile based on Common Criteria in Germany.

This situation leads to higher costs and constitutes a considerable administrative burden for companies operating in several Member States. While the cost of certification may vary significantly depending on the product/service concerned, the evaluation assurance level sought and/or other components, in general this tends to be quite considerable for businesses. For the BSI “Smart Meter Gateway” certificate, for example, the cost is more than EUR one million (highest level of test and assurance, concerns not only one product but the whole infrastructure around it as well). The cost for smart meters certification in the UK is almost EUR 150 000. In France, the cost is similar to the UK, about EUR 150 000 or more.

Key public and private stakeholders recognised that in the absence of an EU-wide cybersecurity certification scheme, companies in many circumstances have to be certified individually in each Member State, thus leading to market fragmentation. Most importantly, in the absence of EU harmonisation legislation for ICT products and services, differences in cybersecurity certification standards and practices in Member States are liable to create 28 separate security markets in the EU in practice, each one with its own technical requirements, testing methodologies and cybersecurity certification procedures. These divergent approaches at national level are liable to cause – should no adequate action be taken at EU level – a significant setback in the achievement of the digital single market, slowing down or preventing the connected positive effects in terms of growth and jobs.

Building on the above developments, the proposed Regulation establishes a European Cybersecurity Certification Framework (the "Framework") for ICT products and services and specifies the essential functions and tasks of ENISA in the field of cybersecurity certification. The present proposal lays down an overall framework of rules governing European cybersecurity certification schemes. The proposal does not introduce directly operational certification schemes, but rather creates a system (framework) for the establishment of specific certification schemes for specific ICT products/services (the 'European cybersecurity certification schemes'). The creation of European cybersecurity certification schemes in accordance with the Framework will allow certificates issued under those schemes to be valid and recognised across all Member States and to address the current market fragmentation.

The general purpose of a European cybersecurity certification scheme is to attest that the ICT products and services that have been certified in accordance with such scheme comply with specified cybersecurity requirements. This for instance would include their ability to protect data (whether stored, transmitted or otherwise processed) against accidental or unauthorised storage, processing, access, disclosure, destruction, accidental loss or alteration. EU cybersecurity certification schemes would make use of existing standards in relation to the technical requirements and evaluation procedures that the products need to comply with and would not develop the technical standards themselves[16]. For instance, an EU-wide certification for products such as smart cards, which are currently tested against international CC standards under the multilateral SOG-IS scheme (and described previously), would mean making this scheme valid throughout the EU.

In addition to outlining a specific set of security objectives to be taken into account in the design of a specific European cybersecurity certification scheme, the proposal provides what the minimum content of such schemes should be. Such schemes will have to define, among others, a number of specific elements setting out the scope and object of the cybersecurity certification. This includes the identification of the categories of products and services covered, the detailed specification of the cybersecurity requirements (for example by reference to the relevant standards or technical specifications), the specific evaluation criteria and methods, and the level of assurance they are intended to ensure (i.e. basic, substantial or high).

European cybersecurity certification schemes will be prepared by ENISA, with the assistance, expert advice and close cooperation of the European Cybersecurity Certification Group (see below), and adopted by the Commission by means of implementing acts. When the need for a cybersecurity certification scheme is identified, the Commission will request ENISA to prepare a scheme for specific ICT products or services. ENISA will work on the scheme in close cooperation with national certification supervisory authorities represented in the Group. Member States and the Group may propose to the Commission that it requests ENISA to prepare a particular scheme.

Certification can be a very expensive process, which in turn could lead to higher prices for customers and consumers. The need to certify may also vary significantly according to the specific context of use of the products and services and fast pace of technological change. Recourse to European cybersecurity certification should therefore remain voluntary, unless otherwise provided in Union legislation laying down security requirements of ICT products and services.

In order to ensure harmonisation and avoid fragmentation, national cybersecurity certification schemes or procedures for the ICT products and services covered by a European cybersecurity certification scheme will cease to apply from the date established in the implementing act adopting the scheme. Member States should furthermore not introduce new national cybersecurity certification schemes for the ICT products and services covered by an existing European cybersecurity certification scheme.

Once a European cybersecurity certification scheme is adopted, manufacturers of ICT products or providers of ICT services will be able to submit an application for certification of their products or services to a conformity assessment body of their choice. Conformity assessment bodies should be accredited by an accreditation body if they comply with certain specified requirements. Accreditation will be issued for a maximum of five years and may be renewed on the same conditions provided that the conformity assessment body meets the requirements. Accreditation bodies will revoke an accreditation of a conformity assessment body where the conditions for the accreditation are not, or are no longer, met, or where actions taken by a conformity assessment body infringe this Regulation.

Under the proposal, the monitoring, supervisory and enforcement tasks lie with the Member States. Member States will have to provide for one certification supervisory authority. This authority will be tasked with supervising the compliance of conformity assessment bodies, as well as of certificates issued by conformity assessment bodies established in their territory, with the requirements of this Regulation and the relevant European cybersecurity certification schemes. National certification supervisory authorities will be competent to handle complaints lodged by natural or legal persons in relation to certificates issued by conformity assessment bodies established in their territories. To the appropriate extent, they will investigate the subject matter of the complaint and inform the complainant of the progress and the outcome of the investigation within a reasonable time period. Moreover, they will cooperate with other certification supervisory authorities or other public authorities, for instance by sharing information on possible non-compliance of ICT products and services with the requirements of this Regulation or with the specific European cybersecurity certification schemes.

Finally, the proposal establishes the European Cybersecurity Certification Group (the Group), consisting of national certification supervisory authorities of all Member States. The main task of the Group is to advise the Commission on issues concerning cybersecurity certification policy and to work with ENISA on the development of draft European cybersecurity certification schemes. ENISA will assist the Commission in providing the secretariat of the Group and maintain an updated public inventory of schemes approved under the European Cybersecurity Certification Framework. ENISA would also liaise with standardisation bodies to ensure the appropriateness of standards used in approved schemes and to identify areas in need of cybersecurity standards.

The European Cybersecurity Certification Framework ('Framework') will provide several benefits for citizens and for undertakings. In particular:


- The creation of EU-wide cybersecurity certification schemes for specific products or services will provide companies with a 'one-stop-shop' for cybersecurity certification in the EU. Such companies will be able to certify their product only once and obtain a certificate valid in all Member States. They will not be obliged to re-certify their products under different national certification bodies. This will significantly reduce costs for companies, facilitate cross-border operations and ultimately reduce and avoid a fragmentation of the internal market for the products concerned.

- The Framework establishes the primacy of European cybersecurity certification schemes over national schemes: under this rule, the adoption of a European cybersecurity certification scheme will supersede all existing parallel national schemes for the same ICT products or services at a given level of assurance. This will bring further clarity, reducing the current proliferation of overlapping and possibly conflicting national cybersecurity certification schemes.

- The proposal supports and complements the implementation of the NIS Directive by providing the undertakings subject to the Directive with a very useful tool to demonstrate compliance with the NIS requirements in the whole Union. In developing new cybersecurity certification schemes, the Commission and ENISA will pay particular attention to the need to ensure that the NIS requirements are reflected in the cybersecurity certification schemes.

- The proposal will support and facilitate the development of a European cybersecurity policy, by harmonising the conditions and substantive requirements for the cybersecurity certification of ICT products and services in the EU. European cybersecurity certification schemes will refer to common standards or criteria of evaluation and testing methodologies. This will contribute significantly, albeit indirectly, to the take-up of common security solutions in the EU, thereby also removing barriers to the internal market.

- The Framework is designed in such a way as to ensure the necessary flexibility for cybersecurity certification schemes. Depending on the specific cybersecurity needs, a product or service may be certified against higher or lower levels of security. European cybersecurity certification schemes will be designed with this flexibility in mind and will therefore provide for different levels of assurance (i.e. basic, substantial or high) so that they may be used for different purposes or in different contexts.

- All the above elements will make the cybersecurity certification more attractive for businesses as an effective means to communicate the level of cybersecurity assurance of ICT products or services. To the extent that cybersecurity certification becomes less expensive, more effective and commercially attractive, businesses will have greater incentives to certify their products against cybersecurity risks, thereby contributing to the spread of better cybersecurity practices in the design of ICT products and services (cybersecurity by design).


Consistency with existing policy provisions in the policy area

Under the NIS Directive, operators in sectors which are vital for our economy and society, such as energy, transport, water, banking, financial market infrastructures, healthcare and digital infrastructure, as well as digital service providers (i.e. search engines, cloud computing services and online marketplaces) are required to take measures to appropriately manage security risks. The new rules of this proposal complement, and ensure consistency with, the provisions of the NIS Directive, in order to pursue still further the cyber resilience of the EU through enhanced capabilities, cooperation, risk management and cyber awareness.

Moreover, the rules on cybersecurity certification provide an essential tool for companies subject to the NIS Directive, as they will be able to certify their ICT products and services against cybersecurity risks on the basis of cybersecurity certification schemes valid and recognised throughout the EU. They will also be complementary to security requirements mentioned in the eIDAS Regulation17 and the Radio Equipment Directive18.


Consistency with other Union policies

The Regulation (EU) 2016/679 (the General Data Protection Regulation, "GDPR")19 lays down provisions to establish certification mechanisms and data protection seals and marks for the purpose of demonstrating compliance with this Regulation of processing operations by controllers and processors. The present Regulation is without prejudice to the certification of data processing operations, including when such operations are embedded in products and services, under the GDPR.

The proposed Regulation will ensure compatibility with Regulation 765/2008 on accreditation and market surveillance requirements20 by referring to the rules of that framework on national accreditation bodies and conformity assessment bodies. As far as supervisory authorities are concerned, the proposed Regulation will require Member States to designate national certification supervisory authorities with responsibilities for supervision, monitoring and enforcement of the rules. Those bodies will remain separate from conformity assessment bodies, as prescribed by Regulation 765/2008.

2. LEGAL BASIS, SUBSIDIARITY AND PROPORTIONALITY

Legal basis

The legal basis for EU action is Article 114 of the Treaty on the Functioning of the European Union (TFEU), which deals with the approximation of laws of the Member States in order to achieve the objectives of Article 26 TFEU, namely, the proper functioning of the internal market.

The internal market legal basis for establishing ENISA has been upheld by the Court of Justice (in case C-217/04 United Kingdom vs. European Parliament and Council) and was further confirmed by the 2013 Regulation which set the current mandate of the Agency. In addition, activities that would reflect the objectives to increase cooperation and coordination among Member States and those adding EU level capabilities to complement the action of Member States would fall under the category of 'operational cooperation'. This is specifically identified by the NIS Directive (for which Article 114 TFEU is the legal basis) as an objective to be pursued in the context of the CSIRTs Network where 'ENISA shall provide the secretariat and shall actively support the cooperation' (Article 12(1)). In particular, Article 12(f) further outlines the identification of further forms of operational cooperation as a task of the CSIRTs Network, including in relation to: (i) categories of risks and incidents; (ii) early warnings; (iii) mutual assistance; and (iv) principles and modalities for coordination, when Member States respond to cross-border risks and incidents.

- The current fragmentation of the certification schemes for ICT products and services is also a result of the lack of a common legally binding and effective framework process applicable to the Member States. This hinders the creation of an internal market for ICT products and services and hampers the competitiveness of the European industry in this sector. The present proposal aims to address the existing fragmentation and the related obstacles to the internal market by providing a common framework for the establishment of cybersecurity certification schemes valid across the EU.


Subsidiarity (for non-exclusive competence)

The subsidiarity principle requires the assessment of the necessity and the added value of the EU action. The respect of subsidiarity in this area was already recognised when adopting the current ENISA Regulation21.

Cybersecurity is an issue of common interest of the Union. The interdependencies between networks and information systems are such that individual actors (public and private, including citizens) very often cannot face the threats, manage the risks and the possible impacts of cyber incidents in isolation. On the one hand, the interdependencies across Member States, including with regard to the operation of critical infrastructures (energy, transport, water, just to name a few) make public intervention at the European level not only beneficial, but also needed. On the other hand, EU intervention can bring a positive 'spill over' effect due to the sharing of good practices across Member States, which can result in an enhanced cybersecurity of the Union.

In summary, in the current context and looking at the future scenarios, it appears that, to increase the collective cyber-resilience of the Union, individual actions by EU Member States and a fragmented approach to cybersecurity will not be sufficient.

EU action is also deemed necessary to address the fragmentation of the current cybersecurity certification schemes. It would allow manufacturers to fully benefit from an internal market, with significant savings regarding testing and redesign costs. While the current Senior Officials Group – Information Systems Security (SOG-IS) Mutual Recognition Agreement (MRA) has for instance achieved important results in this respect, it has also shown important limitations which stand in the way of its suitability to provide a longer-term sustainable solution that fulfils the full potential of the internal market.

The added value of acting at EU level, in particular to enhance cooperation between Member States, but also between network and information security communities, has been recognised by the 2016 Council Conclusions22 and it also clearly emerges from the evaluation of ENISA.


Proportionality

The proposed measures do not go beyond what is necessary to achieve their policy objectives. Furthermore, the scope of EU intervention does not impede any further national actions in the field of national security matters. EU action is therefore justified on grounds of subsidiarity and proportionality.


Choice of the instrument

The present proposal reviews Regulation (EU) No 526/2013 which sets the current mandate and tasks for ENISA. Furthermore, given ENISA's important role in the setting up and management of an EU cybersecurity certification framework, ENISA's new mandate and the said Framework are best established under one single legal instrument, using the instrument of a Regulation.

3. RESULTS OF EX-POST EVALUATIONS, STAKEHOLDER CONSULTATIONS AND IMPACT ASSESSMENTS

Ex-post evaluations/fitness checks of existing legislation

The Commission, according to the evaluation roadmap23, assessed the relevance, impact, effectiveness, efficiency, coherence and the added value of the Agency with regard to its performance, governance, internal organisational structure and working practices in the period 2013-2016. The main findings can be summarised as follows (for more see the Staff Working Document on the subject, accompanying the impact assessment).

- Relevance: In a context of technological developments and evolving threats and considering the significant need for increased cybersecurity in the EU, ENISA's objectives proved to be relevant. Indeed, Member States and EU bodies rely on its substantial expertise on cybersecurity matters. Moreover, capacities need to be built in the Member States to better understand and respond to threats, and stakeholders need to cooperate across thematic fields and across institutions. Cybersecurity continues to be a key political priority of the EU to which ENISA is expected to respond; however, ENISA’s design as EU agency with a fixed-term mandate: (i) does not allow for long-term planning and sustainable support to Member States and EU institutions; (ii) may lead to a legal vacuum as the provisions of the NIS Directive entrusting ENISA with tasks are of a permanent nature24; (iii) lacks coherence with a vision linking ENISA to an enhanced EU cybersecurity ecosystem.

- Effectiveness: ENISA overall met its objectives and implemented its tasks. It made a contribution to increased network and information security in Europe through its main activities (capacity building, provision of expertise, community building, and support to policy). It, however, showed potential for improvement in relation to each. The evaluation concluded that ENISA has effectively created strong and trustful relationships with some of its stakeholders, notably with the Member States and the CSIRTs community. Interventions in the area of capacity building were perceived as effective in particular for less resourced Member States. Stimulating broad cooperation has been one of the highlights, with stakeholders widely agreeing on the positive role ENISA plays in bringing people together. However, ENISA faced difficulties in making a big impact in the vast field of network and information security. This was also due to the fact that it had fairly limited human and financial resources to meet a very broad mandate. The evaluation also concluded that ENISA partially met the objective of providing expertise, linked to the problems in recruiting experts (see also below in the efficiency section).

- Efficiency: Despite its small budget – among the lowest compared to other EU agencies – the Agency has been able to contribute to targeted objectives, showing overall efficiency in the use of its resources. The evaluation concluded that processes generally were efficient and a clear delineation of responsibilities within the organisation led to a good execution of the work. One of the main challenges to the Agency’s efficiency relates to ENISA’s difficulties in recruiting and retaining highly qualified experts. The findings show that this can be explained by a combination of factors, including the general difficulties across the public sector to compete with the private sector when trying to hire highly specialised experts, the type of contracts (fixed term) that the Agency could mostly offer and the somewhat low level of attractiveness related to ENISA's location, for example linked to difficulties encountered by spouses to find work. A location split between Athens and Heraklion required additional efforts of coordination and generated additional costs, but the move to Athens in 2013 of the core operations department increased the Agency's operational efficiency.

- Coherence: ENISA’s activities have been generally coherent with the policies and activities of its stakeholders, at national and EU level, but there is a need for a more coordinated approach to cybersecurity at EU level. The potential for cooperation between ENISA and other EU bodies has not been fully utilised. The evolution in the EU legal and policy landscape makes the current mandate less coherent today.

- EU-added value: ENISA’s added value lies primarily in the Agency’s ability to enhance cooperation, mainly between Member States but also with related network and information security communities. There is no other actor at EU level that supports the cooperation of the same variety of stakeholders on network and information security. The added value provided by the Agency varied according to the diverging needs and resources of its stakeholders (e.g. large versus small Member States; Member States versus industry) and the need for the Agency to prioritise its activities according to the work programme. The evaluation concluded that a potential discontinuation of ENISA would be a lost opportunity for all Member States. It will not be possible to ensure the same degree of community building and cooperation across the Member States in the field of cybersecurity. Without a more centralised EU agency the picture would be more fragmented, with bilateral or regional cooperation stepping in to fill a void left by ENISA.

With specific regard to ENISA’s past performances and future, the main trends emerging from the 2017 consultation are the following25:

- The overall performance of ENISA during the period 2013 to 2016 was positively assessed by a majority of respondents (74%). A majority of respondents furthermore considered ENISA to be achieving its different objectives (at least 63% for each of the objectives). ENISA’s services and products are regularly (monthly or more often) used by almost half of the respondents (46%) and are appreciated for the fact that they stem from an EU-level body (83%) and for their quality (62%).

- Respondents identified a number of gaps and challenges for the future of cybersecurity in the EU, in particular the top five (in a list of 16) were: cooperation across Member States; capacity to prevent, detect and resolve large scale cyber-attacks; cooperation across Member States in matters related to cyber security; cooperation and information sharing between different stakeholders, including public-private cooperation; protection of critical infrastructure from cyber-attacks.

- A large majority (88%) of respondents considered the current instruments and mechanisms available at EU level to be insufficient or only partially adequate to address these. A large majority of respondents (98%) indicated that an EU body should respond to these needs and among them ENISA was considered to be the right organisation to do so by 99%.


Stakeholder consultations

- The Commission organised a public consultation for the review of ENISA between 12 April and 5 July, 2016 and received 421 replies26. According to the results, 67.5 % of respondents expressed the view that ENISA could play a role in establishing a harmonised framework for security certification of IT products and services.

The results from the 2016 consultation on cybersecurity cPPP27 on the section on certification show that:

- 50.4% (121 out of 240) of respondents do not know whether national certification schemes are mutually recognised across EU Member States. 25.8% (62 out of 240) replied 'No', while 23.8% (57 out of 240) replied 'Yes'.

- 37.9% of respondents (91 out of 240) think that existing certification schemes do not support the needs of Europe's industry. On the other hand, 17.5% (42 out of 240) – mainly global companies operating on the European market – expressed the opposite view.

- 49.6% (119 out of 240) of respondents say that it is not easy to demonstrate equivalence between standards, certification schemes, and labels. 37.9% (91 out of 240) replied 'I do not know', while only 12.5% (30 out of 240) replied 'Yes'.


Collection and use of expertise

The Commission relied on the following external expert advice:


- Study on the Evaluation of ENISA (Ramboll/Carsa 2017; SMART no. 2016/0077),

- Study on ICT Security Certification and Labelling – Evidence gathering and impact assessment (PriceWaterhouseCoopers 2017; SMART no. 2016/0029).


Impact assessment

The Impact Assessment report on this initiative identified the following main problems to be addressed:


- Fragmentation of policies and approaches to cybersecurity across Member States;

- Dispersed resources and fragmentation of approaches to cybersecurity across EU institutions, agencies and bodies; and


- Insufficient awareness and information of citizens and companies, coupled with the growing emergence of multiple national and sectoral certification schemes.

The report assessed the following possible options with regard to ENISA's mandate:


- preservation of the status quo, meaning an extended mandate still limited in time (baseline option);

- expiry of ENISA’s current mandate without renewal and termination of ENISA (no policy intervention);

- a reformed ENISA; and

- an EU cybersecurity agency with full operational capabilities.

The report assessed the following possible options with regard to cybersecurity certification:


- no policy intervention (baseline option);

- non-legislative ("soft law") measures;

- an EU legislative act to create a mandatory system for all Member States based on the SOG-IS system; and


- an EU general ICT cybersecurity certification framework.

The analysis led to the conclusion that a 'reformed ENISA' in combination with an EU general ICT cybersecurity certification framework is the preferred option.

The preferred option has been assessed as the most effective for the EU to reach the identified objectives of: increasing cybersecurity capabilities, preparedness, cooperation, awareness, transparency and avoiding market fragmentation. It has also been assessed as the most coherent with policy priorities of the EU Cybersecurity Strategy and related policies (e.g. NIS Directive), and the Digital Single Market Strategy. In addition, from the consultation process, it emerged that the preferred option enjoys the support of the majority of stakeholders. Furthermore, the analysis conducted in the impact assessment showed that the preferred option would reach the objectives through a reasonable employment of resources.

The Commission’s Regulatory Scrutiny Board delivered initially a negative opinion on 24 July, then a positive opinion on 25 August 2017 upon resubmission. The amended Impact Assessment report included additional supporting evidence, the final conclusions of the evaluation of ENISA and additional explanations on the policy options and their impact. Annex 1 to the final Impact Assessment report summarizes how the comments of the Board in the second opinion have been addressed. In particular, the report was updated to present in greater detail the EU cybersecurity context, including the measures that are included in the Joint Communication 'Resilience, Deterrence and Defence: Building strong cybersecurity for the EU', (JOIN(2017) 450) and have a special relevance for ENISA: the EU cybersecurity blueprint and the European Cybersecurity Research and Competence Centre, to which the Agency would link its advisories on EU research needs.

The report explains how the reform of the Agency, including the new tasks, the better conditions of employment and the structural cooperation with EU bodies in the field, would improve its attractiveness as an employer and help tackle problems related to the recruitment of experts. Annex 6 to the report also presents a revised estimate of costs associated with the policy options for ENISA. With regard to the topic of certification, the report has been revised to provide a more detailed explanation, including a graphic presentation, of the preferred option, as well as to provide estimates on the costs for Member States and the Commission related to the new certification framework. The rationale for the choice of ENISA as key actor in the framework has been further explained based on its expertise in the field and the fact that it is the only EU-level agency on cybersecurity. Finally, the sections on certification were reviewed to clarify aspects related to the difference between the current SOG-IS system, the benefits associated with the different policy options and to explain the fact that the type of ICT product and service covered by a European certification scheme will be defined in the approved scheme itself.


Regulatory fitness and simplification

Not applicable


Impact on fundamental rights

Cybersecurity has an essential role in protecting the privacy and personal data of individuals in accordance with Articles 7 and 8 of the Charter of Fundamental Rights of the EU. In case of cyber incidents the privacy and the protection of our personal data are clearly exposed. Cybersecurity is thus a necessary condition for the respect of privacy and confidentiality of our personal data. Under this perspective, by aiming to reinforce cybersecurity in Europe, the proposal provides an important complement to the existing legislation protecting the fundamental right to privacy and personal data. Cybersecurity is also essential for protecting the confidentiality of our electronic communications and thus for exercising the freedom of expression and information and other related rights, such as the freedom of thought, conscience and religion.

4. BUDGETARY IMPLICATIONS

See financial fiche

5. OTHER ELEMENTS

Implementation plans and monitoring, evaluation and reporting arrangements

The Commission will monitor the application of the Regulation and submit a report on its evaluation to the European Parliament and to the Council and the European Economic and Social Committee every five years. These reports will be public and detail the effective application and enforcement of this Regulation.

Detailed explanation of the specific provisions of the proposal

Title I of the Regulation contains the general provisions: the subject matter (Article 1), the definitions (Article 2), including references to relevant definitions from other EU instruments, such as the Directive (EU) 2016/1148 of the European Parliament and of the Council concerning measures for a high common level of security of network and information systems across the Union (NIS Directive), Regulation (EC) No 765/2008 of the European Parliament and of the Council setting out the requirements for accreditation and market surveillance relating to the marketing of products and repealing Regulation (EEC) No 339/93, and Regulation (EU) No 1025/2012 of the European Parliament and of the Council on European standardisation.

Title II of the Regulation contains the key provisions related to ENISA, the EU Cybersecurity Agency.

Chapter I under this Title outlines the mandate (Article 3), objectives (Article 4) and tasks of the Agency (Articles 5 to 11).

Chapter II outlines the organisation of ENISA and includes key provisions on its structure (Article 12). It addresses the composition, voting rules and functions of the Management Board (Section 1, Articles 13 to 17), Executive Board (Section 2, Article 18) and Executive Director (Section 3, Article 19). It also includes provisions on the composition and role of the Permanent Stakeholders' Group (Section 4, Article 20). Last but not least, Section 5 under this Chapter details the operational rules for the Agency, including in relation to programming its operations, conflict of interest, transparency, confidentiality and access to documents (Articles 21-25).

Chapter III concerns the establishment and structure of the Agency's budget (Articles 26 and 27), as well as rules guiding its implementation (Articles 28 and 29). It also includes the provisions facilitating the combating of fraud, corruption and other unlawful activities (Article 30).

Chapter IV relates to the staffing of the Agency. It includes general provisions on the Staff Regulations and the Conditions of Employment and rules guiding privileges and immunity (Article 31 and 32). It also details the rules of engagement and appointment of the Executive Director of the Agency (Article 33). Last but not least, it includes the provisions guiding the use of seconded national experts or other staff not employed by the Agency (Article 34).

Finally, Chapter V contains the general provisions related to the Agency. It outlines the legal status (Article 35) and includes provisions regulating the issues of liability, language arrangements, protection of personal data (Articles 36-38), as well as the security rules on the protection of classified and sensitive non-classified information (Article 40). It describes the rules guiding the Agency's cooperation with third countries and international organisations (Article 39). Last but not least, it also contains provisions regarding the Agency's headquarters and operating conditions, as well as administrative control by the Ombudsman (Articles 41 and 42).

Title III of the Regulation establishes the European cybersecurity certification framework (the "Framework") for ICT products and services as lex generalis (Article 1). It defines the general purpose of European cybersecurity certification schemes, i.e. to ensure that ICT products and services comply with specified cybersecurity requirements as regards their ability to resist, at a given level of assurance, actions that compromise the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or the related functions or services (Article 43). Moreover, it lists the security objectives that European cybersecurity certification schemes shall aim to address (Article 45), such as among others the ability to protect data against accidental or unauthorised access or disclosure, destruction or alteration, and the content (i.e. elements) of European cybersecurity certification schemes, such as the detailed specification of their scope, the security objectives, evaluation criteria etc. (Article 47).

Title III also establishes the main legal effects of European cybersecurity certification schemes, namely (i) the obligation to implement the scheme at national level and the voluntary nature of certification; (ii) the invalidating effect of European cybersecurity certification schemes on national schemes for the same products or services (Articles 48 and 49).

This Title further lays down the procedure for the adoption of European cybersecurity certification schemes and the respective roles of the Commission, ENISA and the European Cybersecurity Certification Group – the Group - (Article 44). Finally, this Title lays down the provisions governing conformity assessment bodies, including their requirements, powers and tasks, national certification supervisory authorities, as well as penalties.

The Group is also established in this Title as an essential body consisting of representatives of national certification supervisory authorities whose main function is to work with ENISA on the preparation of European cybersecurity certification schemes and to advise the Commission on general or specific issues concerning cybersecurity certification policy.

Title IV of the Regulation includes the final provisions describing the exercise of delegation, evaluation requirements, repeal and succession, as well as the entry into force.