EU-wide security certification for IT products

The EU reaffirms its objective of issuing a Regulation on cybersecurity with a focus on also improving the protection of IoT devices by means of security certifications. In October 2018, the European Council again called for the timely implementation of EU resolutions to strengthen IT security. In addition to the rapid transposition of the NIS Directive in the Member States, the EU continues to intend in particular to issue a Regulation on cybersecurity. A proposal for a Regulation has been available since May 2018.

In addition to expanding and strengthening the European Network and Information Security Agency (ENISA), the proposed Regulation aims at introducing an EU-wide certification framework for cybersecurity.

Companies in the IT sector will thus have the opportunity to obtain EU-wide security certification for their IT products and services. Currently, the assurance levels of “basic”, “substantial” and “high” are scheduled to be used. IT products with “low” assurance levels would be certified by the manufacturer itself; products with a level of “substantial” or “high” levels of assessment would require certification by a conformity assessment body or the national cybersecurity certification body. The current proposal provides for voluntary, not mandatory, certification.

Details of the Regulation on cybersecurity are to be finalized in the fall of 2018 so that the Regulation may be adopted by the beginning of 2019.