The EU Cybersecurity Act: what is it and what does it mean for Europe?
July 2019 by Gil Bernabeu, GlobalPlatform’s Technical Director
The European Union’s Cybersecurity Act is a key step in establishing the regulatory frameworks and certification schemes necessary for developing cyber-resilience.
The Act also provides for a permanent mandate and more resources for the EU Cybersecurity Agency, ENISA.
In his 2017 State of the Union Address, President Jean-Claude Juncker said:
“In the past three years, we have made progress in keeping Europeans safe online. But Europe is still not well equipped when it comes to cyber-attacks. This is why, today, the Commission is proposing new tools, including a European Cybersecurity Agency, to help defend us against such attacks.”
In an increasingly connected world, however, it can be difficult for device manufacturers and service providers to identify the level of protection their products require, and for consumers to verify the security of the devices and services they are using. This creates trust issues that limit widespread IoT adoption and innovation, as well as putting consumers and businesses at risk of security breaches.
So, what is the European Cybersecurity Act?
Fast forward to June 2019: the Act has come into force and aims to better support Member States in tackling cybersecurity threats and attacks.
As part of this support, the Act establishes an EU framework for cybersecurity certification. This allows for the certification of products, processes and services that will be valid throughout the bloc, boosting the security of online services and consumer devices.
The European Commission supported the Act saying, “This is a ground-breaking development as it is the first internal market law that takes up the challenge of enhancing the security of connected products, Internet of Things devices as well as critical infrastructure through such certificates.”
The importance of certification
The world is becoming increasingly ‘digitally dependent’, with connectivity spanning from our edge devices, through the ‘fog’ and into the cloud, helping us to manage every aspect of our personal, business and industrial lives.
Ensuring the security of connected devices and services therefore is a critical priority for all stakeholders, not least device manufacturers, who must ensure that the devices they build are secure enough to protect from immediate threats and consider how risks may change throughout the device’s lifecycle.
That is why an impartial and standardized certification platform, supported by accredited laboratories, is necessary to enable device manufacturers and service providers to verify the security of devices, as well as categorize and select the most appropriate type of protection for their product.
The security benefits of certification and standardization are the most obvious ones, but there are business benefits too. By establishing one set of rules, device manufacturers around the world will find it easier to demonstrate to the European market that their products are secure, and to prove the trustworthy nature of their merchandise.
In addition, the Act gives service providers the peace of mind that data, intellectual property and other valuable information are securely held within a certified device.
To address new international security risks, GlobalPlatform has standardized secure technologies and services that are today adopted and deployed globally, providing privacy protection and laying the foundation for cyber-resilience. It is doing this by developing new evaluation methodologies to accelerate product creation and achieve a faster route to market, while ensuring that security and data privacy are maintained.
GlobalPlatform has also developed protection profiles and new security frameworks that provide a reference point for identifying, categorizing and protecting against known and future security threats. The organization’s vision is to provide different levels of security to meet different market requirements.
In addition, it is the organization’s intention to work with ENISA to help facilitate future implementations of the Act.
These security assurances and certification schemes – in addition to the Act – will be key in enabling device manufacturers and service providers to ensure the right services are provided to the European market.