The European Standards Organisations, CEN, CENELEC and ETSI, joined forces with ENISA, the European Union Agency for Cybersecurity, to organise its annual conference virtually this year. The event, which took place from 2nd to 4th February 2021, attracted over 2000 participants from the EU and from around the world.
The conference addressed standardization in relation to the Radio Equipment Directive (RED) and certification under the provisions of the Cybersecurity Act (CSA).
The purpose of the conference was twofold. The event presented the current developments in these areas. It was also intended to foster a dialogue among policymakers, industry, research, standardisation and certification organisations, including all of those involved in the development of the ICT certification framework in Europe. The ultimate objective of the exercise is to implement the Cybersecurity Act in the most effective way.
The objectives of the presentations and key topics addressed by the conference panels were the following:
The presentation focussed on the cybersecurity requirements of the Directive. The European Commission is preparing delegated acts as well as a request for standardization to CEN-CENELEC and ETSI. The panel highlighted the connection between the European regulatory requirements and explored how standardisation can align with the EU policy goals in a global context. The participants were invited to discuss the link between the requirements of the RED and those associated with the Cybersecurity Act.
This part of the conference introduced the current state of play in cybersecurity standardization. The purpose of the discussion was also to draw attention to the identified gaps that need to be bridged. Each panellist was given the floor to present updates from their organisations.
The panel addressed the situation of standardization in this area in relation to the general security standard active since last year.
Attention was drawn to sectorial standards and to whether standards for smart homes, the automotive sector or household appliances, for instance, would be relevant ones to address. Interesting questions came up to enliven the debate on the subsequent steps of certification, on how certification will impact end-user behaviour or how to promote certified products.
The panel engaged in a discussion on the progress made so far on the standardisation of 5G. As preparations for a cybersecurity certification scheme for 5G networks are now beginning, important aspects needed to be addressed. It was important to stress the potential of certification given the number of initiatives already launched in the area and identify prospects for the future.
Securing EU’s Vision on 5G: Cybersecurity Certification
The last panel closed the conference with a discussion focussed on the future of cybersecurity certification in general. It comes as the European Commission requested ENISA to prepare a candidate cybersecurity certification scheme on 5G networks on 3rd February 2021.
How should the standardization activities be prepared? How should these activities match with and help achieve the goals of the Union rolling work programme? Such questions remain to be answered in a comprehensive way.
As evidenced by the high number of participants, such questions obviously stimulate the interest of a very large audience, showing how crucial it is to open the debate as widely as possible in order to respond to these challenges adequately. Therefore, the audience of the conference and the public at large are most likely to expect a follow-up edition to take place in early 2022.
Article 8 of the Cybersecurity Act gives the European Union Agency for Cybersecurity a mandate to monitor developments in the area of standardisation. The work of the Agency builds on the ongoing standardisation work of the European Standardisation Organisations (CEN, CENELEC and ETSI), as well as the Cybersecurity Coordination Group (CSCG). ENISA engages its expertise to support these organisations, the European Commission and all other relevant stakeholders. In addition, ENISA is also cooperating with the Standard Developing Organisations (SDOs), namely ISO SC27 (Liaison), ETSI (Memorandum of Understanding) and CEN CENELEC (Collaboration agreement).
The slides presented during the conference will be made available within the next few weeks on the website of the Cybersecurity Standardisation Conference.
Radio Equipment Directive (RED)
Cybersecurity Act (CSA)
EU Cybersecurity Strategy for the Digital Decade
Securing EU’s Vision on 5G: Cybersecurity Certification
BDI, DIN and DKE’s paper on EU-wide cybersecurity regulation
Giovanni COLLOT
gcollot@cencenelec.eu