On 9 December 2020, EIF organised a virtual debate on ‘Cybersecurity priorities in Europe’. The event, hosted by MEP and EIF Steering Committee member Marina Kaljurand, was moderated by EIF Director General Maria Rosa Gibellini. It discussed EU priorities and challenges in the context of cybersecurity certifications and the response to cyberattacks, together with the following policymakers and industry representatives:
- Philippe Blot, Lead Expert on Certification, ENISA
- Dr Claire Vishik, Intel Fellow and Chief Technology Officer, Government Markets and Trade group, Intel Corporation
- Bernardo Costa Pereira, Cyber Attaché, Portuguese Permanent Representation
- Tomas Jakimavicius, Senior Director of Public Policy - Europe, GSMA
- Alexandra Maniati, Director, Cybersecurity & Innovation, European Banking Federation
Marina Kaljurand MEP opened the debate by reflecting on how unexpectedly tragic, challenging but also digital 2020 has been. The COVID-19 crisis accelerated all digital topics and, according to the MEP, we have to pay much more attention to cybersecurity in all its aspects.
Ms. Kaljurand praised the fact that cybersecurity has gained much political attention lately, being discussed far more in the capitals and in the different institutions and organisations. She underlined the importance of a multi-stakeholder approach to cybersecurity policy making, one able to ensure effectiveness and protection during the digitalisation process. This is also why cybersecurity must be a priority.
Philippe Blot presented ENISA’s main activities and, in particular, the state of play of the development of two certification schemes. The first is the candidate EUCC scheme for ICT products, based on Common Criteria, whose Implementing Act by the European Commission is expected by the end of spring 2021. The second is the candidate EUCS scheme on cloud services, which represents an opportunity for the European cloud market as a European reference reusable for other cybersecurity certification schemes, and which may be combined with the European cloud framework Gaia-X.
ENISA is also developing a new Union Rolling Work Programme, to be available by the end of this year or the very beginning of 2021. It is a sort of certification strategy that lists the potential schemes for which ENISA could receive a request. A dedicated stakeholder group takes care of establishing the best programme.
Claire Vishik took a broader view on certifications and their connection to technology, focussing on the current unanswered questions with regard to security and trustworthiness. Dr. Vishik affirmed that today's extremely integrated and complex computing ecosystem, with multiple domains under which agencies certify separately, imposes certain limitations on certification schemes. Moreover, with the proliferation of intelligent systems and the advent of cyber-physical systems, the main problem is the set of different approaches and metrics that are being used.
If we want to improve our approaches to certification, according to Dr. Vishik, we need to establish harmonisation in the recognition mechanisms that work across different types of assessments and make research in this area more attractive to increase the flow of ideas. “Even if we do not have a solution yet for different types of assessments and certifications, at least we know what questions to ask and this is the first step towards achieving progress.”
Bernardo Costa Pereira, who will be chairing the horizontal working party on cyber issues during the upcoming Portuguese Presidency, clarified that cybersecurity will be a top priority. The presentation of the cyber package by the Commission to the Council in mid-December will be a crucial point as it will contain the updated cybersecurity strategy and the review of the NIS Directive.
At the same time, Mr. Costa Pereira assured that the Presidency will continue to amplify the European voice on the international stage and the ongoing efforts in cyber diplomacy in different international fora, especially in the UN context, where the EU’s contribution will be key not only in terms of promoting cybersecurity worldwide and capacity building, but also in terms of the strategic autonomy of the Union and the geopolitical role that the EU seeks to assume on the international stage.
Tomas Jakimavicius brought the mobile communications industry's perspective to the debate in the context of the upcoming revision of the EU cybersecurity legal framework. The mobile communications industry plays a great role in providing robust and secure connectivity to all, which is essential in these times challenged by the pandemic. For GSMA’s members, the future legal framework should (1) address all relevant actors to achieve a more robust, secure and resilient digital value chain, (2) ensure coherence and consistency between different legal instruments and (3) reduce fragmentation within the single market through legislation that provides for a harmonised implementation across the member states.
Moreover, the certification framework introduced by the Cybersecurity Act should be used as an additional means to close the gaps of the NIS Directive. In this context, the GSMA has already achieved significant progress in developing the Network Equipment Security Assurance Scheme (NESAS), a great example of how industry can contribute its best practice to achieving a robust certification for the ecosystem players. It would also be useful to keep in mind, stressed Mr. Jakimavicius, that the telecom sector, if weakened by overregulation, could be exposed to greater foreign control.
Alexandra Maniati presented the point of view of the banking sector, whose current approach is to address digital transformation in a holistic way in order to provide innovative services and ensure security and resilience. The priorities of the European Banking Federation focus on shaping (1) a technology-neutral and innovation-friendly European framework for financial services, (2) fair competition in the digital market, characterised by a level playing field with proportionate regulation and innovation balanced with proper protection for investors and consumers, and (3) a resilient financial ecosystem with common security requirements.
The EBF considers cybersecurity to be the absolutely necessary foundation for successful and sustainable digital transformation. For this reason, it engages extensively in policy making and is currently working on the proposal for the Digital Operational Resilience Act (DORA) and the NIS Directive review. EBF’s priorities on certification include schemes for cloud computing, the Internet of Things and third-party providers.