‘Traffic light’ labelling system aims to improve the security of internet-enabled devices

European leaders have reached an agreement on the Cybersecurity Act, strengthening and extending the powers of the EU Cybersecurity Agency, ENISA.

The act, agreed by the European Parliament, the Council of the European Union, and the European Commission, also establishes a framework for a ‘traffic light’ cybersecurity labelling system for the certification of online services and consumer devices.

The Commission plans to draft a list of products and services that would need certification, to be finalized by 2023.

“Enhancing Europe’s cybersecurity, and increasing the trust of citizens and businesses in the digital society is a top priority for the European Union,” commented commissioner Mariya Gabriel, in charge of digital economy and society, after the meeting.

“Major incidents such as WannaCry and NotPetya have acted as wake-up calls, because they clearly showed the potential consequences of large-scale cyber-attacks. In this perspective, I strongly believe that [the] deal both improves our Union’s overall security and supports business competitiveness.”

The certification framework will see the creation of European Cybersecurity Certificates for products, processes and services that will be valid throughout the EU. Until now, products have had to be certified by individual member states.

It’s the first ever internal market law aimed at enhancing the security of connected products, IoT devices, and critical infrastructure, says the Commission, and the main idea is to incorporate security features in the early stages of technical design and development.

Guido Lobrano, senior director of global policy for trade body the Information Technology Industry (ITI), says he’s pleased to see the adoption of this security-by-design approach, which he believes aligns well with modern software and product development.

“However, the requirement for third party certification is disproportionately burdensome to businesses and its added value is questionable,” he says.

“We will closely monitor the implementation of the certification framework both for voluntary and compulsory schemes to make sure the process is as streamlined and reasonable as possible and allows for business input.”

There are also questions over the rigour of the certification process, which is broken down into three assurance levels: basic, substantial, and high. At the basic level, suppliers are allowed to carry out the conformity assessment themselves, without independent testing, which may worry some.

The Act now needs to be formally approved by the European Parliament – there’s a first reading vote scheduled for March next year – and by the Council of the EU.