The EU’s Search For Tough Cybersecurity Standards
Appearing before MEPs in the European Parliament’s Industry Committee last week, the new head of the EU’s cybersecurity agency ENISA, Juhan Lepassaar, said he hopes the EU’s recently adopted cybersecurity framework will become the “the new global standard for trust.”
Lepassaar has jumped into one of Brussels’ cybersecurity driving seats at a time when the EU is seeking to distinguish its clout in the field worldwide. Along with a new Commission bent on ensuring the strategic autonomy of the EU while new technologies are developing faster than they can be regulated, Lepassaar is in a position to hold substantial sway over the EU’s direction in cybersecurity.
The new ENISA chief is cut from the same cloth as many EU officials working in the cybersecurity field, regarding ‘trust’ as an essential facet in consumer protection, and hoping that the EU’s recently adopted cybersecurity act can, just like the bloc’s data protection standards, distinguish the European Union as a guardian of civil liberties.
Having previously been the head of cabinet of Andrus Ansip, the Commission’s digital vice president, Lepassaar has no doubt taken influence from his erstwhile superior. Ansip told EURACTIV earlier this year that ‘trust is a must’ in the development of next generation technologies, and that consumer protection in cybersecurity should rank highly in the EU’s priorities for the coming years.
Europe’s immediate concerns
The incoming Commission President, Ursula von Der Leyen, will have a series of politically delicate hurdles to contend with in the field of cybersecurity. Not least in the domain of 5G, where the EU has come under increased pressure from American counterparts set to adopt a hostile position against next-generation technologies emanating from the far east.
Last week, Washington signed a joint declaration with Poland to collaborate on 5G security in what US Vice President Mike Pence said would “set a vital example for the rest of Europe”.
Moreover, last week, the French telecom company Iliad announced that it has selected the Finnish network vendor Nokia as a partner in expanding its 5G network, which some regard as an indication that Europe’s strategic autonomy in the development of next-generation technologies will emerge as an industry priority.
The news came not long after France made further cybersecurity commitments on the sidelines of the G7 meeting, as part of the Indo-French Roadmap on Cybersecurity and Digital Technology, in which the countries rally for “responsible state behaviour in cyberspace as well as confidence and capacity-building measures developed within the framework of the United Nations.”
Europe-wide, following a Commission recommendation for a common EU approach to the security of 5G networks, member states have recently submitted national risk assessments – providing an overview of their most pressing concerns in the future development of 5G infrastructure. These assessments will feed into the next phase, a EU-wide risk assessment to be completed by 1 October.
Von der Leyen is well-placed to lead the EU’s direction in this field, having been Germany’s defence minister between 2013 and 2019, when she established the country’s first military cyber command. She also stood out in the international defence arena, with the UK’s former Defence Minister Michael Fallon referring to her as a “star presence in the NATO community.”
Following previous legislative devices such as the 2016 NIS Directive and the Cybersecurity Act, which was adopted earlier this year, there is a broader background to how trust may be safeguarded for the future, and there is no shortage of those who believe the EU’s cybersecurity approach could well be ramped up as part of the Commission’s forthcoming mandate.
As part of the EU’s cybersecurity act, cybersecurity certification schemes may become commonplace for a breath of goods and services – the scope of which is still to be hashed out by the Commission working alongside ENISA.
EURACTIV understands that the priority for the EU is to ensure that hackable goods connected to a wider network of devices are likely to be included in the scope of the certification framework – including equipment used for 5G infrastructure, as well as Internet of Things devices and cloud services.
Nonetheless, at the time of the adoption of the cybersecurity act, some in Brussels were pushing for a mandatory certification instrument in the EU, citing, in fact, similar reasons to ENISA’s new chief, Lepassaar, on how such approach could assist the EU in the long term.
An official from the German telecommunications giant Deutsche Telekom (DT) informed EURACTIV that an obligatory approach would assist the market in helping to converge standards.
“For us, a mandatory certification framework would have been preferable,” the DT official stated. “This is the best way we can showcase to the world our commitment to high-class cybersecurity standards, without compromise.”
Nonetheless, a mandatory arrangement may not be long in the offing. Following the rollout of the voluntary framework, the hope is that the market will have its say on the value of the certification before a Commission assessment, the first of which is due to take place before the end of 2023, will evaluate whether mandatory certification is necessary.
EURACTIV caught up with an insider working in the cybersecurity industry, who said industry should prepare for itself for a tougher EU approach in the coming years.
“On product certification, mandatory schemes are likely to be considered in the years to come,” the source said, adding that the possible fragmentation of the market in the field of cybersecurity is a risk that the bloc should take account of.
“In order not to deviate from the objectives of the EU Cybersecurity Act, mandatory certification should be considered at EU rather than at national level, it should be market-relevant and accompanied by appropriate transitional or implementation phases,” the source said.
Indeed, it’s not only in the private sector that the EU will look to impose itself in terms of cybersecurity. There are plans to modernise the 2008 European Critical Infrastructure Protection Directive and build a European Cybersecurity Shield. More recently, the EU has also made a series of significant steps in attempting to bolster the security of its critical infrastructures.
Following talks in June at Bucharest’s Digital Assembly, a grouping of seven EU member states agreed to take the first steps in developing and deploying a quantum communication infrastructure (QCI) across the EU over the next decade.
The EU hopes that the measures will enable data to be transmitted and stored ultra-securely, and communication assets to be linked all over the bloc, bolstering the security of critical infrastructure against cyber threats and protecting smart energy grids, air traffic control, banks, healthcare facilities and others from hacking.
The measures will help “keep the transmission, protection and long-term storage of sensitive data safe, and ensure the sovereignty of sensitive governmental information,” outgoing Digital Commissioner Ansip said earlier this year.
Pilot projects for Europe’s Quantum Internet plans commenced just last week, with tests due to take place in Austria, Spain, Poland, Germany, Netherlands, Switzerland, France, Italy, UK, Greece and the Czech Republic, over the next three years.
Helmut Leopold, the head of the Centre for Digital Safety and Security at the Austrian Institute of Technology, which is coordinating the project, was unambiguous in the importance of quantum technologies in helping to safeguard Europe’s cyberspace and effectively, ensure that Lepassaar’s commitment to a trustworthy cyberspace comes to fruition.
“This will enable an innovative eco-system for creating a new perspective for our secure digital Europe and building the foundation for next-generation communication technologies,” he said.