The Role of European Standards in Support of the Cybersecurity Act Cinzia Missiroli, Director – Standardization and Digital Solutions, CEN and CENELEC 9 January 2017

European Standardization System The European Committee for Standardization The European Committee for Electrotechnical Standardization The European Telecommunications Standards Institute = the European Standards Organisations (“ESOs”) Officially recognized by EU Regulation 1025/2012

EU Regulation 1025/2012 on European Standardization CEN, CENELEC and ETSI officially recognized by European Union as European Standardization Organizations establishment of European standards and European standardization deliverables to support the free circulation of goods and services in the Single Market definition of European Standards as voluntary in application mechanism for the European Commission to request the ESOs to develop standards in support of European policy objectives

CEN and CENELEC position on the Cybersecurity Act To ensure a coherent European approach to certification of ICT products and services, CEN and CENELEC stress the importance to: define what is meant by ‘ICT products and services’ covered by the proposal and establish a priority list of these, so that standardization can timely accompany market needs invite the formally recognized European and international standardization organizations to define the requirements and standards to be used and where applicable, give priority to internationally recognized standards (developed by ISO, IEC, or ITU-T) apply the process of the New Legislative Framework, which provides a clear separation between legislation, standards, and conformity assessment and avoids confusion in the market place. With the new proposal, the European Commission states its intentions to reinforce and preserve the security of ICT products and services and to increase trust in their use by the EU citizens. CEN and CENELEC share the view that the European Commission proposal provides insufficient information on the ICT products and services intended to be covered by the upcoming EU certification framework. A majority of the products and services currently placed on the market are ICT–enabled. The scope of the new regulation needs to clearly set the boundaries of the ICT products and services that will be covered by the new certification schemes. What exactly is meant by ICT products? Is it just Computers and peripheral equipment ? Or do we also consider toys, fire alarms as products subject to this regulation? CEN and CENELEC invite the European Commission to agree a consistent and coherent approach in defining a list of products and/or services to which the certification schemes will apply first. European Standards could support the envisaged certification schemes, reflecting interactions and interdependence along the whole value chain in the ICT industry and for the benefit of all business sectors, while taking into account the most broad spectrum of stakeholders. The European Standardization System enables the engagement of policy makers, societal stakeholders (Annex III organizations defined by Regulation 1025/2012) and industry organizations to collect requirements needs that could become part of European or international standards on data protection, information protection and security techniques with specific focus on cybersecurity covering all concurrent aspects of the evolving information society. CEN, CENELEC and ETSI produce high-quality standards for products and services that address all relevant requirements for the benefit of businesses, consumers and other standards users in Europe.   European Standards are established through a transparent, balanced, and consensus-based process where all stakeholders can contribute – thereby fulfilling the requirements of Regulation 1025/2012. Therefore, CEN and CENELEC should be involved in the definition of the requirements for certification schemes as laid out by the CyberAct. Where applicable, priority should be given to internationally recognized standards (developed by ISO, IEC, or ITU-T) which enable European industry to access global markets. The long-standing cooperation of the ESOs with ISO, IEC and ITU-T has allowed the alignment of European Standards with international ones, contributing to the global competitiveness of European businesses. Strengthening this cooperation will facilitate the development of ISO and IEC standards to support European legislative and policy needs. It will also secure EU businesses involvement in the definition and implementation of EU certification framework. Specific ‘standard’ requirements developed by the European Commission or ENISA - in parallel to European and/or international standards - would create competition with these Standards, create uncertainty and ultimately stifle innovation. Therefore, CEN and CENELEC recommend to make use of International Standards for the certification schemes, wherever possible, to ensure certification against well-proven, community-approved technical specifications. CEN and CENELEC have developed standards in all business sectors and for use in a variety of purposes. By definition, European Standards are voluntary and organizations that use them do so voluntarily. For more than 30 years, the ESOs have developed harmonized standards, which manufacturers, other economic operators, or conformity assessment bodies can use to demonstrate that products, services, or processes comply with relevant EU legislation. We believe that the conformity assessment system should be the preferred solution for the implementation of the new cybersecurity solutions. For many sectors such as toys, LVD, construction or measuring instruments, this solution proved to be effective and less burdensome for European businesses. CEN and CENELEC urge the EC to effectively apply Regulation 1025/2012 when defining the requirements for ICT products and services that might be subject to certification. The current proposal might lead to the establishment of a new parallel system to the officially recognized standardization system which will hamper the take-up of new solutions and technologies rather than increase trust or security of product and services.

CEN and CENELEC standardization work on cybersecurity CEN-CENELEC/TC 13 ‘Cybersecurity & Data Protection’: 50 European experts on cybersecurity and data protection, most of them also members of the ISO/IEC/JTC 1/SC 27 ‘IT Security’ active participation of ENISA addresses horizontal topics of the evolving interconnected society a.o. Smart Energy Specific objective: international standards adopted as European standards driven by the European market where needed with additional/complementary requirements (General Data Protection Regulation, NIS directive…) CEN and CENELEC have recently established CEN-CLC/TC 13 ‘Cybesecurity and data protection’. Is aims is to develop standards for data protection, information protection and security techniques with specific focus on cybersecurity covering all concurrent aspects of the evolving information society, including: • Organizational frameworks and methodologies, including IT management systems • Data protection and privacy guidelines • Processes and products evaluation schemes • ICT security and physical security technical guidelines • Smart technology, objects • Distributed computing devices • Data services This Technical committee gathers more than 50 European experts on cybersecurity and data protection, most of them also members of the ISO/IEC/JTC 1/SC 27 ‘IT Security’. ENISA has been participating in the CEN-CLC Focus Group on Cybersecurity for there years now and expressed willingness to support the standardization process of the new TC 13. CEN and CENELEC urge the EC to effectively apply Regulation 1025/2012 when defining the requirements for ICT products and services that might be subject to certification, namely to mandate this TC (and ETSI TC CYBER) to effectively contribute to the discussions on the requirements that ICT products and services should comply with when being placed on the market.. European and global. Developing certification schemes following the established standardization process as defined by Regulation 1025/2012 will foster stakeholders’ commitment, the link between European and international standards as well as coherent national implementations of European cybersecurity requirements to ensure the technical consistency of the Single Market. Our CEN –CLC/TC 13 has also a specific objective, namely the assessment of existing international standards adopted as European standards. This discussion will start on 14 February at the next TC meeting and we will have some proposals on standards to be adopted in European and additional/complementary requirements to help industry meet the new requirements under General Data Protection Regulation and NIS Directive before the end of the year. We strongly fear that current proposal might lead to the establishment of a new parallel system to the officially recognized standardization system which will hamper the take-up of new solutions and technologies rather than increase trust or security of product and services.

Market impact of standardization CEN and CENELEC collaborate closely with ISO/IEC JTC 1/SC 27 ‘IT Security’ to ensure alignment of international and European Standards. 10 identical standards are in place:

Next steps Join us for the ESO-ENISA Workshop on the role of standards in support of the implementation of the CybersecurityAct 13 February 2018 at Marriott Hotel