EU Cybersecurity Act: moving forward
31 March 2021 – Cyber Security Coalition
EU Cybersecurity Act moving forward, input needed!
One main objective of the EU Cybersecurity Act (CSA, Regulation (EU) 2019/881) is to inform businesses and consumers about the security of ICT products, processes and services through certification schemes. Bringing the CSA to life is a slow and complicated process. So what happened in the past year?
The CSA was adopted in 2019. Progress in the past year has been limited and delayed (Covid-19!), yet it has been clear, as Morgane Truant, CSA Project Manager at the Centre for Cybersecurity Belgium (CCB), showed in her clear presentation. The purpose of the act is to establish a Union-wide certification framework, voluntary unless Union or national law makes it mandatory, that provides common and harmonised cybersecurity rules and evaluation criteria for ICT products, processes and services. A scheme results in either an EU cybersecurity certificate or a conformity self-assessment by the manufacturer or provider, recognised throughout the Union. Note the caveat for practitioners: self-assessment is only possible at the lowest assurance level ('basic'); the 'substantial' and 'high' levels require a certificate issued after third-party evaluation. The initiative for the underlying certification schemes lies with the Commission, based on input from third parties; the European Union Agency for Cybersecurity (ENISA) then prepares the candidate scheme, which is discussed and adopted by the Commission as the next step.
In practice, bringing the CSA up to speed also requires some local (national) efforts, such as the creation of a 'national cybersecurity certification authority' (NCCA). In Belgium, general agreement has been reached to have the CCB perform this function (political decisions still to be made). The CCB will represent Belgium at EU level in the European Cybersecurity Certification Group, issue certificates (or delegate this to a Conformity Assessment Body) and provide supervision (including handling of sanctions, complaints and appeals). The NCCA should be in place by June 28th of this year, the date from which the CSA's certification provisions apply.
Regarding actual schemes, only three are in the works so far. The Common Criteria-based scheme (EUCC) is furthest along, being in the final stage. It covers certification of ICT products at 'substantial' and 'high' level (not 'basic', so no self-assessment route), and takes over the work done under the previous SOG-IS Common Criteria mutual recognition agreement. The cloud services scheme (EUCS) is in draft and open for external review. The request for a 5G networks scheme was only issued in January of this year. Future schemes are expected to cover the Internet of Things and industrial control systems.
Clearly, implementing the CSA is a complex exercise, with major impact on ICT products, processes and services! Therefore, there is an urgent need for input from the professional field. Which certification needs exist? What are the expectations? A 'needs analysis' is a must. Morgane Truant expressly calls for companies to contact her, as "we need input!". As a first step, checking out this presentation will provide solid information about the present status of the CSA.