The EU Cybersecurity Act: Is this the First Tangible Evidence of the Balkanization of Common Criteria? (Y32c)
In September 2017 the European Commission (EC) published a proposal for a Regulation on Cybersecurity (the Cybersecurity Act). A portion of the act empowers the European Commission to create EU-wide cybersecurity certification schemes for any ICT product or service, potentially creating a barrier to market access that is defined without industry involvement. While initially motivated by critical infrastructure and concerns over IoT devices, the scope of this new program could easily impose a new cybersecurity certification requirement on the entire ICT industry as soon as 2019.
There are three major concerns that stakeholders should have regarding the proposed act and its implementation:
1. By creating regional and/or national certification requirements, the EU removes the “high ground” industry has relied on when pushing back against countries that insist on national certifications instead of internationally recognized, standards-based certifications such as Common Criteria (CC).
2. The proposal defines three assurance levels (basic, substantial, and high), all of which require third-party evaluation; there is no provision for self-assessment or vendor attestation. At the highest level, the vendor must claim ZERO vulnerabilities.
3. There has been a lack of industry involvement and stakeholder input: the Commission is working privately rather than through existing standards bodies, so key stakeholders, including existing schemes such as Common Criteria, have had no input.
In this paper, the author walks through the main points of the proposed act and its current status, and recommends what stakeholders and industry can do before it becomes law, which is anticipated for early 2019.