The Role of European Standards in Support of the Cybersecurity Act

Presentation transcript:

The Role of European Standards in Support of the Cybersecurity Act Cinzia Missiroli, Director – Standardization and Digital Solutions, CEN and CENELEC 9 January 2017

European Standardization System
The European Committee for Standardization (CEN), the European Committee for Electrotechnical Standardization (CENELEC) and the European Telecommunications Standards Institute (ETSI) together form the European Standards Organisations (“ESOs”), officially recognized by EU Regulation 1025/2012.

EU Regulation 1025/2012 on European Standardization
• CEN, CENELEC and ETSI officially recognized by the European Union as European Standardization Organizations
• establishment of European standards and European standardization deliverables to support the free circulation of goods and services in the Single Market
• definition of European Standards as voluntary in application
• mechanism for the European Commission to request the ESOs to develop standards in support of European policy objectives

CEN and CENELEC position on the Cybersecurity Act
To ensure a coherent European approach to certification of ICT products and services, CEN and CENELEC stress the importance of:
• defining what is meant by ‘ICT products and services’ covered by the proposal and establishing a priority list of these, so that standardization can accompany market needs in a timely manner
• inviting the formally recognized European and international standardization organizations to define the requirements and standards to be used and, where applicable, giving priority to internationally recognized standards (developed by ISO, IEC, or ITU-T)
• applying the process of the New Legislative Framework, which provides a clear separation between legislation, standards, and conformity assessment and avoids confusion in the market place.
With the new proposal, the European Commission states its intention to reinforce and preserve the security of ICT products and services and to increase trust in their use by EU citizens. CEN and CENELEC share the view that the European Commission proposal provides insufficient information on the ICT products and services intended to be covered by the upcoming EU certification framework. A majority of the products and services currently placed on the market are ICT-enabled. The scope of the new regulation needs to clearly set the boundaries of the ICT products and services that will be covered by the new certification schemes. What exactly is meant by ICT products? Is it just computers and peripheral equipment? Or do we also consider toys and fire alarms as products subject to this regulation? CEN and CENELEC invite the European Commission to agree on a consistent and coherent approach in defining a list of products and/or services to which the certification schemes will apply first.
European Standards could support the envisaged certification schemes, reflecting interactions and interdependence along the whole value chain in the ICT industry and for the benefit of all business sectors, while taking into account the broadest spectrum of stakeholders. The European Standardization System enables the engagement of policy makers, societal stakeholders (Annex III organizations defined by Regulation 1025/2012) and industry organizations to collect requirements that could become part of European or international standards on data protection, information protection and security techniques, with a specific focus on cybersecurity covering all concurrent aspects of the evolving information society. CEN, CENELEC and ETSI produce high-quality standards for products and services that address all relevant requirements for the benefit of businesses, consumers and other standards users in Europe. European Standards are established through a transparent, balanced, and consensus-based process where all stakeholders can contribute, thereby fulfilling the requirements of Regulation 1025/2012. Therefore, CEN and CENELEC should be involved in the definition of the requirements for certification schemes as laid out by the Cybersecurity Act. Where applicable, priority should be given to internationally recognized standards (developed by ISO, IEC, or ITU-T), which enable European industry to access global markets. The long-standing cooperation of the ESOs with ISO, IEC and ITU-T has allowed the alignment of European Standards with international ones, contributing to the global competitiveness of European businesses. Strengthening this cooperation will facilitate the development of ISO and IEC standards to support European legislative and policy needs. It will also secure EU businesses' involvement in the definition and implementation of the EU certification framework.
Specific ‘standard’ requirements developed by the European Commission or ENISA, in parallel to European and/or international standards, would create competition with these Standards, create uncertainty and ultimately stifle innovation. Therefore, CEN and CENELEC recommend making use of International Standards for the certification schemes wherever possible, to ensure certification against well-proven, community-approved technical specifications. CEN and CENELEC have developed standards in all business sectors and for a variety of purposes. By definition, European Standards are voluntary, and organizations that use them do so voluntarily. For more than 30 years, the ESOs have developed harmonized standards, which manufacturers, other economic operators, or conformity assessment bodies can use to demonstrate that products, services, or processes comply with relevant EU legislation. We believe that the conformity assessment system should be the preferred solution for the implementation of the new cybersecurity solutions. For many sectors such as toys, LVD, construction or measuring instruments, this solution has proved to be effective and less burdensome for European businesses. CEN and CENELEC urge the EC to effectively apply Regulation 1025/2012 when defining the requirements for ICT products and services that might be subject to certification. The current proposal might lead to the establishment of a new system parallel to the officially recognized standardization system, which would hamper the take-up of new solutions and technologies rather than increase trust in, or the security of, products and services.

CEN and CENELEC standardization work on cybersecurity
CEN-CENELEC/TC 13 ‘Cybersecurity & Data Protection’:
• 50 European experts on cybersecurity and data protection, most of them also members of ISO/IEC JTC 1/SC 27 ‘IT Security’
• active participation of ENISA
• addresses horizontal topics of the evolving interconnected society, among others Smart Energy
• Specific objective: international standards adopted as European standards, driven by the European market, where needed with additional/complementary requirements (General Data Protection Regulation, NIS Directive…)
CEN and CENELEC have recently established CEN-CLC/TC 13 ‘Cybersecurity and data protection’. Its aim is to develop standards for data protection, information protection and security techniques with a specific focus on cybersecurity, covering all concurrent aspects of the evolving information society, including:
• Organizational frameworks and methodologies, including IT management systems
• Data protection and privacy guidelines
• Processes and products evaluation schemes
• ICT security and physical security technical guidelines
• Smart technology, objects
• Distributed computing devices
• Data services
This Technical Committee gathers more than 50 European experts on cybersecurity and data protection, most of them also members of ISO/IEC JTC 1/SC 27 ‘IT Security’. ENISA has been participating in the CEN-CLC Focus Group on Cybersecurity for three years now and has expressed willingness to support the standardization process of the new TC 13. CEN and CENELEC urge the EC to effectively apply Regulation 1025/2012 when defining the requirements for ICT products and services that might be subject to certification, namely to mandate this TC (and ETSI TC CYBER) to effectively contribute to the discussions on the requirements that ICT products and services should comply with when being placed on the market, European and global.
Developing certification schemes following the established standardization process as defined by Regulation 1025/2012 will foster stakeholders’ commitment, the link between European and international standards, and coherent national implementations of European cybersecurity requirements, ensuring the technical consistency of the Single Market. Our CEN-CLC/TC 13 also has a specific objective, namely the assessment of existing international standards for adoption as European standards. This discussion will start on 14 February at the next TC meeting, and before the end of the year we will have proposals on standards to be adopted as European standards, with additional/complementary requirements to help industry meet the new requirements under the General Data Protection Regulation and the NIS Directive. We strongly fear that the current proposal might lead to the establishment of a new system parallel to the officially recognized standardization system, which would hamper the take-up of new solutions and technologies rather than increase trust in, or the security of, products and services.

Market impact of standardization
CEN and CENELEC collaborate closely with ISO/IEC JTC 1/SC 27 ‘IT Security’ to ensure alignment of international and European Standards. 10 identical standards are in place:

Next steps
Join us for the ESO-ENISA Workshop on the role of standards in support of the implementation of the Cybersecurity Act, 13 February 2018 at the Marriott Hotel.