EU Cybersecurity Plan Aims to Streamline Product Certification


By Sara Merken

Companies could get products like smart medical devices and connected cars certified by the same standards across all European Union member states, under a proposal currently being negotiated.

The EU Cybersecurity Act aims for a single certification scheme for information and communication technology (ICT) products, covering devices ranging from video game consoles to fire alarms. Some European countries, however, already have their own cybersecurity certification rules, creating potential conflicts within the 28-nation bloc.

The Council of the EU June 8 agreed on its position about the proposal. That allows for future negotiations with the European Parliament. The Council and Parliament will then need to agree on a final text for it to become law.

The goal of an EU-wide certification plan is to build more consumer trust in products, the draft legislation says. The EU Cybersecurity Act is part of Europe’s push towards a digital single market. It would be the latest EU measure touching on cybersecurity, after the Network and Information Security (NIS) Directive of 2016 and the General Data Protection Regulation, which took effect May 25.

“While an increasing number of devices are connected to the Internet, security and resilience are not sufficiently built in by design, leading to insufficient cybersecurity,” the draft says.

The proposed legislation aims to “decrease entry barriers and fragmentation among different national certifications. Whether this will be the case in practice remains to be seen,” according to Diletta De Cicco, a privacy and cybersecurity legal consultant, and Charles-Albert Helleputte, a partner with experience in data protection matters, both with Mayer Brown LLP’s Brussels office.

“At EU political level, the idea is that more harmonization should strengthen cross border trade for technological products and foster innovation,” De Cicco and Helleputte told Bloomberg Law in an email.

The pending product certification proposal “demonstrates that cybersecurity is high on the EU political agenda,” Helleputte and De Cicco said.

Permanent Cybersecurity Agency

The proposal would bolster the status of the EU Agency for Network and Information Security (ENISA) to make it a permanent EU cybersecurity agency. The agency currently serves as a body of expertise on cybersecurity. ENISA would get new powers to support member states and EU institutions on cybersecurity issues. It would also be able to organize cybersecurity exercises.

ENISA would be responsible for carrying out product certifications. Certifying products would be voluntary for companies unless otherwise stated in EU or member states’ law.

Certification Schemes

The act would create a set of technical requirements and rules for product certification, with security a high priority. But many details are yet to be worked out.

“One thing is clear: we will not be using the same techniques to be certifying things like toasters to light bulbs to aircraft to cars,” Steve Purser, ENISA’s head of core operations, told Bloomberg Law.

Peter McLaughlin, a Boston-based partner who leads Burns & Levinson LLP’s privacy and cybersecurity practice, said European regulators will have a big challenge at times even defining certification.

“For example, will it mean that the product as released includes appropriate encryption for data?” he said. “Or will it mean that the product can be updated remotely and automatically by the manufacturer so that safeguards keep up with identified vulnerabilities?”
