Cybersecurity Act: an initial signal sent by Europe
12 11 2019
With the adoption of the Cybersecurity Act a few months ago, Europe was taking a new step forward in cybersecurity by adopting a common framework. Strengthening the powers of the European Network and Information Security Agency (ENISA), European certification... what can we expect from these regulations?
More restrictive than the existing recognition agreements (Common Criteria Certification (CCRA), SOG-IS agreement or “EU Restricted” Certification), this new framework strengthens the European Union's position on cybersecurity issues. This will enable its Member States to stand united against the cyber-attacks they are undergoing.
Laying the foundations for a common future for security
In addition to the weight given to the European Network and Information Security Agency (ENISA), the Cybersecurity Act will improve the overall level of security across Europe by setting common certification rules. A company that has obtained certification in Italy will now be able to use this "European label" in France, Spain or Germany without taking any further steps in these countries.
These certifications are accompanied by a shared frame of reference with three security levels: basic, substantial and high. These three levels reflect a dimension of trust in IT solutions or services, including connected objects - whether consumer or more technical (such as connected medical devices, for example).
Differentiating between IT and security solutions
In contrast, national certifications - such as ANSSI in France - focus on the level of trust in cybersecurity solutions, such as smart cards, digital certificates or other cybersecurity products. Nuance is paramount when distinguishing between IT solutions and cybersecurity solutions. Since European certifications are designed for a broader scope than cybersecurity alone, their level of requirement is necessarily lower. This is enough to generate some reservations at the present time.
In France, the leading country in terms of digital security, the main concern is that the highest level of European certifications would correspond to the lowest level of French certifications. A blur that could represent a real risk to cybersecurity, favouring less reliable solutions than others. To protect against this, each country of the European Union will be able to maintain sovereign national levels in parallel with European certification. In particular, France, through ANSSI, maintains - beyond certification - its own qualification levels (basic, standard, enhanced), required to operate in national critical infrastructures such as OIVs (Operators of Vital Importance). In short, the solutions already certified by ANSSI - such as those of Stormshield - would therefore already correspond to a level of certification higher than or equal to the European requirement.
While some details related to the implementation of the Cybersecurity Act still need to be refined, this regulation is a good indicator for European cybersecurity. Beyond short-term harmonisation, this legislation will help to shape a more secure digital future.