Agreement on The New EU Cybersecurity Act 

December, 2018 - Hans Markus Wulf

I. Introduction

According to a Bitkom study from September 2018, German industry has incurred a total loss of 43 billion euros as a result of cyberattacks over the past two years. Seven out of ten industrial companies have been victims of such attacks during this period. At EU level, there has recently been a growing discussion on how to face this mounting danger.

On December 10, 2018, the European Parliament, the European Council and the European Commission reached a political agreement on a cybersecurity act. The Regulation on ENISA, the "EU Cybersecurity Agency", and repealing Regulation (EU) 526/2013, and on Information and Communication Technology cybersecurity certification (“Cybersecurity Act") is essentially based on two ideas:

  • Henceforth, the EU Security Agency (ENISA - European Union Agency for Network and Information Security) will be given a permanent and stronger mandate (in force beyond 2020) in order to support Member States with tackling cyberattacks.
  • A community cybersecurity certification (European certification framework) of products, processes and services will be established.The following is an overview of the essential content of the Regulation.

II. Essential content of the Regulation

1. Conformity assessment (EU certification framework)The regulation initially provides for a so-called ”conformity assessment“, i.e. an EU-wide European certification framework for the cybersecurity of products, services and procedures, similar to ISO/IEC 17000: 2004. EU citizens are already familiar with this procedure of defined minimum standards and their verification in the areas of general product security. The Regulation also aims to harmonize security standards with the envisaged conformity assessment at its core. In this respect, the objective is the verifiability of compliance with established cybersecurity features with regard to products, services and procedures by the competent authority.

2. Minimum security standards and guidance of ENISA

ENISA now has an important role to play in establishing guidelines to secure a minimum standard for imports and exports of IT products across the European border. In this guidance, ENISA resembles the Federal Office for Information Security (BSI) (Sec. 8 para. 1 Act on the Federal Office for Information Security (BSIG)) with the essential difference that the addressees are not only federal authorities but also companies. The aim is to strengthen the trust of EU citizens in IT products of these companies with a series of measures. For example, the manufacturers of these IT products must make written declarations to the effect that

  • neither the hardware nor software contains known security gaps,
  • no unchangeable or unencryptable passwords or access data are used that cannot undergo an authenticated security update,
  • an appropriate ranking of remedies is provided for the device concerned, and
  • the assistance or support for the end customer ends at an individually notified time.

Inseparable from this set of minimum standards by ENISA is the constant implementation of security aspects when creating software (Security by Design) and the related data protection (Privacy by Design). Not least for this reason, all the IT security requirements of the now European certification system are to be implemented by the involved parties during the various phases from the market launch of an IT product up to its removal from the market (so-called product or service life cycle). It should be noted that the Regulation is the first internal market regulation that will increase the security of networked products using such certificates.

The correct handling of backdoors in ICT products is also important. A backdoor refers to the part of a software that allows users to gain access to the computer or an otherwise protected function of a computer program, bypassing the normal access protection. To prevent these circumventions, ENISA is to work with national certification authorities due to its enhanced capabilities and develop cyber-hygiene practices along its five core principles (i.e. Lowest Privilege, Micro-Segmentation, Encryption, Multi-Factor Authentication and Patching) in order to close possible vulnerabilities.

3. Different IT security levels for ICT products

Driven by the desire to remove the diverging requirements of international and national IT security certifications, ENISA is to create homogeneous levels of security for ICT products and services. For each cybersecurity certification, the individual ICT product or service is assigned to one of these security levels. This implies the possible regrouping or renaming of previous levels. In the future, three security levels are to be used:

  • First level: Functionally secure, implies a reasonable level of trust in IT security (lowest security level)
  • Second level: Essentially secure, means a medium level of trust
  • Third level: Highly secure, implies an increased level of trust in security (highest level of security)Further differentiating the security levels, similar to DIN 66 33 99 with its seven security levels, is conceivable.

Finally, ENISA will maintain checklists and make them publicly available to pre-assess the cyber risk of each ICT product and service.

4. Priority List: In the future, ICT products and services will be prioritized by ENISA

Due to its increasingly central role, ENISA will have the task of prioritizing cybersecurity certification for ICT products and services in the form of a list to be continuously updated (Priority List). This list should make clear which product or service is at the top of a scale of necessity. ENISA will cooperate with the permanent stakeholder dialogue group and the European Cybersecurity Certification Group (which, in turn, consists of the national certification authorities) and other bodies.

5. Joining forces: In future, ENISA will incorporate data protection (EU GDPR)

To date, cybersecurity and data protection have mostly been considered separately. To counter this practice, ENISA’s mandate will initially be extended to the development and implementation of European data protection. The objective is for ENISA to advise the European Data Protection Authority on its development of guidelines, especially in the technical field. These guidelines regulate the necessary use of personal data for IT security purposes and thus a core area that needs to be better coordinated in the light of a common objective. Therefore, in addition to data on cybersecurity attacks, ENISA intends to bundle data on data breaches and make recommendations on both matters in the future. Since security incidents in IT not only result from machine-to-machine communication (M2M), but can also originate from a data protection breach according to the GDPR, major data breaches will also be logged on a separate European portal of ENISA in the future.

III. Conclusion

The new EU Cybersecurity Act, i.e. the Regulation on ENISA, the "EU Cybersecurity Agency", and repealing Regulation (EU) 526/2013, and on Information and Communication Technology cybersecurity certification (“Cybersecurity Act") is an appropriate step towards effectively defending against cyberattacks. In particular, manufacturers of IT products will have to address the matter, as certain areas will be subject to certification in the future. In this respect, the new certification framework offers advantages, especially for small and medium-sized enterprises (SMEs), because in the future obtaining national individual certificates will become obsolete, and there will then be an EU-wide certification system.

For EU citizens, the Regulation will help them trust the devices they use on a daily basis, as there will be a range of products in the future that would be EU-certified for cybersecurity.

Companies wishing to increase their own IT security in the workplace prior to the EU Cybersecurity Act entering into force could consider the following measures:

  • Use Security Awareness Training with the objective of raising your employees’ awareness on the issue of "computer security" and rehearse schedules to disable access permissions.
  • Only grant employees, executives and the management access to the essentials, because any permanent access is, conversely, a security risk in the event of an attack on the authorized user.
  • Introduce the separation of networks, i.e. clerks and production machines should not be in the same network. It is advisable to separate as far as possible.
  • Clarify how your firewall has been configured. Internet access should be set to "strict”, because normal users e.g. should not be able to download executable files.
  • Minimize external access or create strong authentication (e.g. 2-factor authentication).
  • Use Advanced Portfolio Technologies (APT) (i.e. data is exported in a sandbox for analysis).
  • Use IDS systems, i.e. attack patterns are detected and locked out for a limited time.
  • Introduce geolocation, i.e. do not allow connections from networks of other countries with which you do not maintain trade relations; however, please observe the new EU Geo-Blocking Regulation.
  • Perform monitoring, i.e. the monitoring of operations. Unsuccessful login attempts indicate, for example, a cyberattack that is taking place or has taken place.
  • Use Endpoint Detection and Response Methods (EDR).

We would like to thank Mr. RA Sebastian B. Jürgensen for his collaboration on this article. He is the in-house lawyer of a medium-sized group of companies in Hamburg.

 

MEMBER COMMENTS

WSG Member: Please login to add your comment.

dots