Is an EU-wide IT security certification program on its way?
Measures for cybersecurity are to be regulated at the European level in the future, according to the mandate of the European Commission. IT products and services may in future pass through a voluntary certification scheme under the aegis of the European IT security agency ENISA. At the beginning of this year, ENISA applied to the European Commission to extend its remit, including introducing an EU-wide program for certifying the security of IT products. This ranges from simple certification for IoT devices to complex evaluations of high-security systems such as banking applications. The significant cost differences between national certification schemes were named as an important consideration for establishing a centralized certification program. The financial cost of obtaining certification for a smart meter in Germany for billing household electricity consumption is about one million euros, whereas companies in France and the UK only have to pay about 150,000 euros.
However, smart meters are unlikely to be affected by the proposed certification program. Smart meter certification is mandatory, whereas the ENISA certification scheme will only be introduced as a voluntary measure. Nevertheless, standardized criteria for IT product security in Europe could be useful. As EU President Claude Juncker said recently, cyber attacks know no bounds and spare no one. At the moment there are practically no formal requirements for IT product security or legal consequences for poor security. It is doubtful, however, whether voluntary certification will change this. The aim of the certification program is primarily to make the protection level of IT products and services comparable internationally. This is far from the legally binding certification system that ENISA Director Udo Helmbrecht has called for in the past. The Green Party in the European Parliament would also like to see stronger legal grounds for holding manufacturers liable for product defects, calling for the extension of European product liability law to software products. Under such changes, manufacturers could no longer rule out liability for the consequential damages of a cyber attack.
However, this may be very difficult to prove. Juncker also said that there are more than 4000 ransomware attacks per day and 80% of European companies last year had a cybersecurity incident. Although the figures add up, it’s important to note that ransomware usually spreads through the recipient’s actions. It is hard to argue that the manufacturers of anti-virus software are liable for their product because it did not stop a trojan before it reached a recipient's inbox. Nevertheless, certification is a good idea. At least in terms of private use, the most common security lapses such as user accounts without passwords, unsecured management ports and the use of legacy operating systems without security updates could be addressed by a certification program. ENISA is now drafting certification guidelines which will apply throughout the EU. The European Commission will support ENISA in a fast-track process so that the directives can be incorporated into EU law as quickly as possible. How the system will work in practice, especially when it comes to products which are manufactured outside the EU, remains to be seen in the coming months.