ENISA will be in charge of drafting the rules to apply the first cybersecurity certification to products that can be used all over the bloc. A new European Commission proposal made the Athens-based agency responsible for the security programme, which has sparked controversy among tech companies.
Why is there a need to change cybersecurity certification?
I think there are several things telling us we need to revamp certification in general. One is that we have some very high-performing national schemes but we don’t have a European scheme. So we run the risk that if someone has a very good certification in Germany or in France, it may not be recognised in Bulgaria or the Netherlands or one of the other member states. So we’re still in this national scheme of things. On the whole it works quite well, but it certainly doesn’t work perfectly. So this is one reason I think the European scheme would be a very good thing. Second, there’s scope to increase the role of industry, to make sure they have a bigger voice – certainly in European certification because it will help products and services flow more freely across national borders, this is the key idea. But I think the biggest reason is that the market is changing enormously.
And the kind of certification schemes we have at the moment that work well – to be brutal – are rather clunky, they’re expensive and they’re slow. This is not a criticism of the certification people, they do a very good job. But it’s more a reflection of the fact that we are moving to a market that is characterised by massively increased scalability and much shorter time-to-market constraints. It is clear that in the future we will not be able to rely on the kind of techniques that we relied on in the past under these new constraints. Of course I’m talking about things like the internet of things, robots, AI [artificial intelligence] and all these new things which are coming up.
There was some discussion before the proposals came out about whether companies should be held to legally binding standards guaranteeing how secure their products are. We know that is not what the Commission proposed. Do you think there should be any binding standards for cybersecurity certification?
I think in some areas it could be beneficial to have binding standards. In others, definitely not. It’s a balancing act. On the one hand, let’s take things that are highly safety dependent or critical infrastructure, there I can certainly see a need for it. This is not the kind of thing you would want to do in a market which has risk, where you may hamper innovation and introduce barriers to becoming more successful on the global economic playing field. I think it would have to be done on a case-by-case basis. Certainly it should not be done in a sweeping way.
Some MEPs called for there to be EU rules regarding when companies can be liable for cybersecurity attacks. Should there be more discussion about potential liability legislation?